Deprecate chains command #2534
Description
The tkn chains command provides two subcommands, one to print the signature and one to print the payload, e.g.
🐚 tkn chain signature simple-build-run-zjzmk-image-build
{"level":"info","ts":1746107363.088566,"logger":"fallback","caller":"storage/storage.go:61","msg":"configured backends from config: [oci oci oci]"}
{"level":"info","ts":1746107363.088608,"logger":"fallback","caller":"storage/storage.go:100","msg":"successfully initialized backends: [oci]"}
[MEUCIQDIhVBQJ4ZkOv/DAbk5pSlMkGLuMfTlWutoEpBati++qwIgW9YxydQCAuAbNK9UrdG6bjqWhqrPWHSm9OKvjzKakps=]
🐚 tkn chain payload simple-build-run-zjzmk-image-build
{"level":"info","ts":1746107398.3294013,"logger":"fallback","caller":"storage/storage.go:61","msg":"configured backends from config: [oci oci oci]"}
{"level":"info","ts":1746107398.3294427,"logger":"fallback","caller":"storage/storage.go:100","msg":"successfully initialized backends: [oci]"}
{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"quay.io/lucarval/min","digest":{"sha256":"579f2c8575c5dcf1415100f6c1dc4483b3f90a0c7fa0085b87c04fe4d808aa71"}}],"predicateType":"https://slsa.dev/provenance/v0.2","predicate":{"buildConfig":{"tasks":[{"finishedOn":"2025-05-01T13:46:52Z","invocation":{"configSource":{},"environment":{"annotations":{"pipeline.tekton.dev/affinity-assistant":"aff ...
There are some short-comings and issues with this command:
- The user must have access to the in-cluster Chains config. A regular user is unlikely to have this level of access.
- There is usually a better way of retrieving such information, e.g. cosign for OCI storage, or whatever client the storage backend supports.
- Command doesn't support PipelineRuns, only TaskRuns. Support could be added, of course.
- When implementing support for a new backend in Chains, we must also add corresponding
Retrieve*functions. These are not always straightforward for different storage backends. They serve no purpose other than fulfill this CLI use case.
Given the above, I believe we should deprecate the tkn chains CLI command and remove it completely once the required deprecation period has passed. (If we proceed here, we should also close #1547)