Include the ServiceAccount running a pipeline in the chains provenance

pkg/chains/formats/slsa/v1/intotoite6_test.go

@@ -572,9 +572,10 @@ func getBuildPipelineRun() pipelinerun.BuildConfig {
 					Name: "git-clone",
 					Kind: "ClusterTask",
 				},
-				StartedOn:  e1BuildStart,
-				FinishedOn: e1BuildFinished,
-				Status:     "Succeeded",
+				StartedOn:          e1BuildStart,
+				FinishedOn:         e1BuildFinished,
+				ServiceAccountName: "pipeline",
+				Status:             "Succeeded",
 				Steps: []attest.StepAttestation{
 					{
 						EntryPoint: "git clone",
@@ -626,9 +627,10 @@ func getBuildPipelineRun() pipelinerun.BuildConfig {
 					Name: "build",
 					Kind: "ClusterTask",
 				},
-				StartedOn:  e1BuildStart,
-				FinishedOn: e1BuildFinished,
-				Status:     "Succeeded",
+				StartedOn:          e1BuildStart,
+				FinishedOn:         e1BuildFinished,
+				ServiceAccountName: "pipeline",
+				Status:             "Succeeded",
 				Steps: []attest.StepAttestation{
 					{
 						EntryPoint: "",

pkg/chains/formats/slsa/v1/pipelinerun/pipelinerun.go

@@ -37,15 +37,16 @@ type BuildConfig struct {
 }
 
 type TaskAttestation struct {
-	Name       string                    `json:"name,omitempty"`
-	After      []string                  `json:"after,omitempty"`
-	Ref        v1beta1.TaskRef           `json:"ref,omitempty"`
-	StartedOn  time.Time                 `json:"startedOn,omitempty"`
-	FinishedOn time.Time                 `json:"finishedOn,omitempty"`
-	Status     string                    `json:"status,omitempty"`
-	Steps      []attest.StepAttestation  `json:"steps,omitempty"`
-	Invocation slsa.ProvenanceInvocation `json:"invocation,omitempty"`
-	Results    []v1beta1.TaskRunResult   `json:"results,omitempty"`
+	Name               string                    `json:"name,omitempty"`
+	After              []string                  `json:"after,omitempty"`
+	Ref                v1beta1.TaskRef           `json:"ref,omitempty"`
+	StartedOn          time.Time                 `json:"startedOn,omitempty"`
+	FinishedOn         time.Time                 `json:"finishedOn,omitempty"`
+	ServiceAccountName string                    `json:"serviceAccountName,omitempty"`
+	Status             string                    `json:"status,omitempty"`
+	Steps              []attest.StepAttestation  `json:"steps,omitempty"`
+	Invocation         slsa.ProvenanceInvocation `json:"invocation,omitempty"`
+	Results            []v1beta1.TaskRunResult   `json:"results,omitempty"`
 }
 
 const statementInTotoV01 = "https://in-toto.io/Statement/v0.1"
@@ -149,14 +150,15 @@ func buildConfig(ctx context.Context, pro *objects.PipelineRunObjectV1Beta1) Bui
 		}
 
 		task := TaskAttestation{
-			Name:       t.Name,
-			After:      after,
-			StartedOn:  tr.Status.StartTime.Time.UTC(),
-			FinishedOn: tr.Status.CompletionTime.Time.UTC(),
-			Status:     getStatus(tr.Status.Conditions),
-			Steps:      steps,
-			Invocation: attest.Invocation(tr, params, paramSpecs),
-			Results:    tr.Status.TaskRunResults,
+			Name:               t.Name,
+			After:              after,
+			StartedOn:          tr.Status.StartTime.Time.UTC(),
+			FinishedOn:         tr.Status.CompletionTime.Time.UTC(),
+			ServiceAccountName: pro.Spec.ServiceAccountName,
+			Status:             getStatus(tr.Status.Conditions),
+			Steps:              steps,
+			Invocation:         attest.Invocation(tr, params, paramSpecs),
+			Results:            tr.Status.TaskRunResults,
 		}
 
 		if t.TaskRef != nil {

pkg/chains/formats/slsa/v1/pipelinerun/provenance_test.go

@@ -94,9 +94,10 @@ func TestBuildConfig(t *testing.T) {
 					Name: "git-clone",
 					Kind: "ClusterTask",
 				},
-				StartedOn:  e1BuildStart,
-				FinishedOn: e1BuildFinished,
-				Status:     "Succeeded",
+				ServiceAccountName: "pipeline",
+				StartedOn:          e1BuildStart,
+				FinishedOn:         e1BuildFinished,
+				Status:             "Succeeded",
 				Steps: []attest.StepAttestation{
 					{
 						EntryPoint: "git clone",
@@ -148,9 +149,10 @@ func TestBuildConfig(t *testing.T) {
 					Name: "build",
 					Kind: "ClusterTask",
 				},
-				StartedOn:  e1BuildStart,
-				FinishedOn: e1BuildFinished,
-				Status:     "Succeeded",
+				StartedOn:          e1BuildStart,
+				FinishedOn:         e1BuildFinished,
+				ServiceAccountName: "pipeline",
+				Status:             "Succeeded",
 				Steps: []attest.StepAttestation{
 					{
 						EntryPoint: "",
@@ -285,9 +287,10 @@ func TestBuildConfigTaskOrder(t *testing.T) {
 							Name: "git-clone",
 							Kind: "ClusterTask",
 						},
-						StartedOn:  e1BuildStart,
-						FinishedOn: e1BuildFinished,
-						Status:     "Succeeded",
+						StartedOn:          e1BuildStart,
+						FinishedOn:         e1BuildFinished,
+						ServiceAccountName: "pipeline",
+						Status:             "Succeeded",
 						Steps: []attest.StepAttestation{
 							{
 								EntryPoint: "git clone",
@@ -341,9 +344,10 @@ func TestBuildConfigTaskOrder(t *testing.T) {
 							Name: "build",
 							Kind: "ClusterTask",
 						},
-						StartedOn:  e1BuildStart,
-						FinishedOn: e1BuildFinished,
-						Status:     "Succeeded",
+						StartedOn:          e1BuildStart,
+						FinishedOn:         e1BuildFinished,
+						ServiceAccountName: "pipeline",
+						Status:             "Succeeded",
 						Steps: []attest.StepAttestation{
 							{
 								EntryPoint: "",

test/testdata/slsa/v1/pipeline-output-image.json

@@ -28,6 +28,7 @@
                     "ref": {},
                     "startedOn": "{{index .BuildStartTimes 0}}",
                     "finishedOn": "{{index .BuildFinishedTimes 0}}",
+                    "serviceAccountName": "default",
                     "status": "Succeeded",
                     "steps": [
                         {