
@javirln javirln commented Nov 25, 2025

This PR adds automatic detection and metadata collection for the Tekton Pipelines CI/CD environment.

Changes

  • Added TEKTON_PIPELINE runner type to the protobuf schema
  • Implemented Tekton runner with filesystem-based detection via /tekton/results directory
  • Registered runner in factory for automatic environment discovery

Detection Strategy

The Tekton runner detects execution environments by checking for the presence of Tekton's /tekton/results directory, which is mounted in all TaskRun and PipelineRun containers. This approach works reliably for both standalone TaskRuns and tasks within Pipelines.

Metadata Collection via Kubernetes Downward API

The runner collects Tekton execution metadata by reading pod labels from the Kubernetes Downward API mounted at /etc/podinfo/labels. Users must configure the Downward API volume mount in their Task/Pipeline definitions:

apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: chainloop-attestation
spec:
  stepTemplate:
    volumeMounts:
      - name: podinfo
        mountPath: /etc/podinfo
  volumes:
    - name: podinfo
      downwardAPI:
        items:
          - path: "labels"
            fieldRef:
              fieldPath: metadata.labels
  steps:
    - name: attest
      image: ghcr.io/chainloop-dev/chainloop/cli:latest
      script: |
        chainloop attestation init

Tekton Labels Collected

The runner reads the following Tekton-specific labels from pod metadata:

PipelineRun context:

  • tekton.dev/pipelineRun - PipelineRun name
  • tekton.dev/pipelineRunUID - PipelineRun UID
  • tekton.dev/pipeline - Pipeline name

TaskRun context:

  • tekton.dev/taskRun - TaskRun name
  • tekton.dev/taskRunUID - TaskRun UID
  • tekton.dev/task - Task name

Namespace: Automatically read from /var/run/secrets/kubernetes.io/serviceaccount/namespace

Run URI Construction

The runner constructs dashboard URLs with priority: PipelineRun URL > TaskRun URL, defaulting to https://dashboard.tekton.dev. Users can customize the dashboard URL by setting the TEKTON_DASHBOARD_URL environment variable.

The runner works in minimal mode with just filesystem detection when Downward API is not configured. Pod labels are only collected when the volume mount is present, allowing basic runner detection without requiring template modifications.

Tackles issue #2545
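An added Go example (not the PR's code) of the two pieces the description explains: parsing the Downward API labels file at /etc/podinfo/labels and applying the PipelineRun > TaskRun priority with the TEKTON_DASHBOARD_URL override. The sample labels file is constructed, and the "#/namespaces/<ns>/..." route shape is an assumption about the Tekton Dashboard, not something the PR states.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of /etc/podinfo/labels as the Downward API writes it:
// one key="value" line per pod label, values quoted with Go string syntax.
const sampleLabels = `tekton.dev/pipeline="build-and-attest"
tekton.dev/pipelineRun="build-and-attest-run-x7k2p"
tekton.dev/task="attest"
tekton.dev/taskRun="build-and-attest-run-x7k2p-attest"
`

const defaultDashboardURL = "https://dashboard.tekton.dev"

// ParseDownwardAPILabels parses key="value" lines; malformed lines are skipped.
func ParseDownwardAPILabels(content string) map[string]string {
	labels := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		k, v, ok := strings.Cut(strings.TrimSpace(sc.Text()), "=")
		if !ok || k == "" {
			continue
		}
		if unq, err := strconv.Unquote(v); err == nil {
			labels[k] = unq
		}
	}
	return labels
}

// RunURI applies the PR's priority: PipelineRun URL, then TaskRun URL, else "".
// dashboard is the TEKTON_DASHBOARD_URL value; empty falls back to the default.
// The "#/namespaces/<ns>/..." route shape is an assumption, not stated in the PR.
func RunURI(labels map[string]string, namespace, dashboard string) string {
	if dashboard == "" {
		dashboard = defaultDashboardURL
	}
	dashboard = strings.TrimRight(dashboard, "/")
	if pr := labels["tekton.dev/pipelineRun"]; pr != "" {
		return fmt.Sprintf("%s/#/namespaces/%s/pipelineruns/%s", dashboard, namespace, pr)
	}
	if tr := labels["tekton.dev/taskRun"]; tr != "" {
		return fmt.Sprintf("%s/#/namespaces/%s/taskruns/%s", dashboard, namespace, tr)
	}
	return ""
}
```

In the minimal mode the description mentions, the labels file is simply absent, so the caller passes an empty string and RunURI returns "" rather than failing.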

@javirln javirln self-assigned this Nov 25, 2025
@javirln javirln requested review from jiparis and migmartri November 25, 2025 11:46
@migmartri migmartri left a comment

ptal at the test error, and the spurious descriptor.ts

So in the end we have access to env vars and dashboards or am I understanding this incorrectly? Do you have a demo of the env?

func (r *TektonPipeline) ListEnvVars() []*EnvVarDefinition {
	return []*EnvVarDefinition{
		// PipelineRun context (optional - only present when running in a Pipeline)
		{"TEKTON_PIPELINE_RUN", true},

@migmartri migmartri left a comment

so these env vars are available then?

@javirln javirln marked this pull request as draft November 26, 2025 07:08
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>