OpenShift Pipelines / SRVKP-7483

Chains controller uses imagePullSecrets for artifact upload, causing failure due to read-only registry access


      Story (Required)

      As an OpenShift Pipelines user

      I should be able to see the signed artifacts (Image, PipelineRun and TaskRun) uploaded to the OCI registry even in a case where the serviceAccount used by PipelineRuns and TaskRuns has both imagePullSecrets and secrets patched

      So that the artifacts can be successfully verified

      Background (Required)

      This feature update gains importance in response to the issue faced by a Konflux user - https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1744617227416309?thread_ts=1742197805.874929&cid=C04PZ7H0VA8

      Upstream issue created in this regard - https://github.com/tektoncd/chains/issues/1336

      Approach (Required)

      Added in the upstream issue.


      Acceptance Criteria (Mandatory)

      • Even if the serviceAccount used by a PipelineRun or TaskRun includes both imagePullSecrets (containing a credential with READ-only permission) and secrets (containing credentials that have READ+WRITE permission) for the same registry, are the signed artifacts uploaded successfully?
      • Are we able to verify the uploaded artifacts successfully?
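
A pre-flight check for the condition in the acceptance criteria, as an added example that is not part of this ticket or of Tekton Chains: given ServiceAccount and Secret objects as JSON (the shape returned by `oc get -o json`), it reports registries for which imagePullSecrets and secrets reference different Secrets. All object names and registry hosts are constructed, and the check cannot tell READ-only from READ+WRITE credentials, because that is decided on the registry side.

```python
import base64
import json

def registries(secret):
    """Registry hosts that a docker-config Secret holds credentials for."""
    data = secret.get("data", {})
    if ".dockerconfigjson" in data:
        cfg = json.loads(base64.b64decode(data[".dockerconfigjson"]))
        return set(cfg.get("auths", {}))
    if ".dockercfg" in data:  # legacy format: hosts are the top-level keys
        return set(json.loads(base64.b64decode(data[".dockercfg"])))
    return set()

def ambiguous_registries(service_account, secrets_by_name):
    """Registries whose imagePullSecrets and secrets entries name different Secrets."""
    seen = {}
    for field in ("imagePullSecrets", "secrets"):
        for ref in service_account.get(field, []):
            secret = secrets_by_name.get(ref["name"])
            if secret is None:
                continue  # referenced Secret was not supplied; nothing to inspect
            for host in registries(secret):
                by = seen.setdefault(host, {"imagePullSecrets": set(), "secrets": set()})
                by[field].add(ref["name"])
    return {
        host: (sorted(by["imagePullSecrets"]), sorted(by["secrets"]))
        for host, by in seen.items()
        if by["imagePullSecrets"] and by["secrets"]
        and len(by["imagePullSecrets"] | by["secrets"]) > 1
    }

def make_secret(name, hosts):
    """Build a constructed dockerconfigjson Secret with placeholder credentials."""
    auth = base64.b64encode(b"user:placeholder").decode()
    cfg = json.dumps({"auths": {h: {"auth": auth} for h in hosts}}).encode()
    return {"metadata": {"name": name}, "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(cfg).decode()}}

# Constructed sample: one registry reachable through two different Secrets.
SAMPLE_SA = {"kind": "ServiceAccount", "metadata": {"name": "pipeline"},
             "imagePullSecrets": [{"name": "pull-ro"}],
             "secrets": [{"name": "push-rw"}, {"name": "other-registry"}]}
SAMPLE_SECRETS = {s["metadata"]["name"]: s for s in (
    make_secret("pull-ro", ["registry.example.com"]),
    make_secret("push-rw", ["registry.example.com"]),
    make_secret("other-registry", ["quay.example.org"]))}

if __name__ == "__main__":
    print(ambiguous_registries(SAMPLE_SA, SAMPLE_SECRETS))
```

A ServiceAccount that lists the same Secret in both fields is not reported, since both lists then resolve to one credential.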

      INVEST Checklist

      Dependencies identified

      Blockers noted and expected delivery timelines set

      Design is implementable

      Acceptance criteria agreed upon

      Story estimated


      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
      • Continuous Delivery pipeline(s) is able to proceed with new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

              Unassigned Unassigned
              rh-ee-anataraj Anitha Natarajan