Add Bundles resolver for OCI artifacts

README.md

@@ -119,6 +119,9 @@ chisel run examples/resolvers/git-resolver-pipelinerun.yaml
 
 # Remote task loading via Hub resolver (Artifact Hub catalog)
 chisel run examples/resolvers/hub-resolver-pipelinerun.yaml
+
+# Remote task loading via Bundles resolver (OCI artifacts)
+chisel run examples/resolvers/bundles-resolver-pipelinerun.yaml
 ```
 
 ## Supported Features
@@ -147,6 +150,7 @@ chisel run examples/resolvers/hub-resolver-pipelinerun.yaml
 - [x] HTTP resolver (fetch tasks from HTTP/HTTPS URLs)
 - [x] Git resolver (clone repositories and load tasks from specific paths)
 - [x] Hub resolver (fetch tasks from Artifact Hub with catalog discovery)
+- [x] Bundles resolver (pull tasks from OCI registries as Tekton Bundles)
 
 ## Architecture
 

examples/resolvers/README.md

@@ -253,11 +253,107 @@ GET https://artifacthub.io/api/v1/packages/{catalog}/{name}/{version}
 
 Tasks are extracted from the `data.task` field in the JSON response.
 
-## Future Resolvers
+## Bundles Resolver (OCI Artifacts)
 
-The following resolvers are planned:
+The Bundles resolver fetches tasks from OCI registries as Tekton Bundles. This is the most production-ready approach for versioned task distribution.
 
-- **Bundles Resolver**: Pull tasks from OCI registries as Tekton Bundles
+### Example: Using Tekton Catalog Bundles
+
+```yaml
+taskRef:
+  resolver: bundles
+  params:
+  - name: bundle
+    value: gcr.io/tekton-releases/catalog/upstream/git-clone:0.9
+  - name: name
+    value: git-clone
+  - name: kind
+    value: task
+```
+
+### Run the example:
+
+```bash
+chisel run examples/resolvers/bundles-resolver-pipelinerun.yaml
+```
+
+This example:
+1. Fetches the `git-clone` task from Tekton Catalog via OCI bundle
+2. Fetches the `buildah` task from Tekton Catalog
+3. Demonstrates bundle-based task distribution
+
+### Bundles Resolver Parameters
+
+| Parameter | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `bundle` | Yes | - | OCI image reference (registry/image:tag or registry/image@digest) |
+| `name` | Yes | - | Task name to extract from bundle |
+| `kind` | No | `task` | Resource kind (`task` or `pipeline`) |
+
+### Features
+
+- **OCI Registry Support**: Works with any OCI-compliant registry (Docker Hub, GHCR, GCR, ECR, ACR)
+- **Authentication**: Uses `~/.docker/config.json` for registry credentials
+- **Content Addressing**: Supports both tags and SHA256 digests for immutable references
+- **Caching**: Bundles are cached by reference to avoid redundant pulls
+
+### Use Cases
+
+1. **Tekton Catalog Bundles**: Use official Tekton catalog tasks
+   ```yaml
+   taskRef:
+     resolver: bundles
+     params:
+     - name: bundle
+       value: gcr.io/tekton-releases/catalog/upstream/kaniko:0.6
+     - name: name
+       value: kaniko
+   ```
+
+2. **Private Registry**: Use your organization's private bundles
+   ```yaml
+   taskRef:
+     resolver: bundles
+     params:
+     - name: bundle
+       value: ghcr.io/myorg/tekton-tasks/security-scan:v1.2.0
+     - name: name
+       value: security-scan
+   ```
+
+3. **Immutable References**: Pin to specific digests for reproducibility
+   ```yaml
+   taskRef:
+     resolver: bundles
+     params:
+     - name: bundle
+       value: gcr.io/tekton-releases/catalog/upstream/git-clone@sha256:abc123...
+     - name: name
+       value: git-clone
+   ```
+
+### Authentication
+
+The Bundles resolver uses the standard Docker authentication:
+
+1. **Default**: Reads from `~/.docker/config.json`
+2. **Login**: Use `docker login registry.io` to authenticate
+3. **Environment**: Supports standard Docker credential helpers
+
+For private registries:
+```bash
+# Docker Hub
+docker login
+
+# GHCR (GitHub Container Registry)
+echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin
+
+# GCR (Google Container Registry)
+gcloud auth configure-docker
+
+# ECR (AWS Container Registry)
+aws ecr get-login-password | docker login --username AWS --password-stdin $ECR_REGISTRY
+```
 
 ## Combining Local and Remote Tasks
 

examples/resolvers/bundles-resolver-pipelinerun.yaml

@@ -0,0 +1,50 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: bundles-resolver-demo
+spec:
+  pipelineSpec:
+    tasks:
+    - name: clone-from-bundle
+      taskRef:
+        resolver: bundles
+        params:
+        - name: bundle
+          value: gcr.io/tekton-releases/catalog/upstream/git-clone:0.9
+        - name: name
+          value: git-clone
+        - name: kind
+          value: task
+      params:
+      - name: url
+        value: https://github.com/tektoncd/pipeline
+      - name: revision
+        value: main
+      workspaces:
+      - name: output
+        workspace: source
+
+    - name: build-from-bundle
+      taskRef:
+        resolver: bundles
+        params:
+        - name: bundle
+          value: gcr.io/tekton-releases/catalog/upstream/buildah:0.6
+        - name: name
+          value: buildah
+        - name: kind
+          value: task
+      params:
+      - name: IMAGE
+        value: localhost/myimage:latest
+      - name: DOCKERFILE
+        value: ./Dockerfile
+      workspaces:
+      - name: source
+        workspace: source
+      runAfter:
+      - clone-from-bundle
+
+  workspaces:
+  - name: source
+    emptyDir: {}

go.mod

@@ -5,6 +5,8 @@ go 1.25.5
 require (
 	dagger.io/dagger v0.19.10
 	github.com/charmbracelet/lipgloss v1.1.0
+	github.com/go-git/go-git/v5 v5.16.4
+	github.com/google/go-containerregistry v0.20.7
 	github.com/spf13/cobra v1.10.2
 	golang.org/x/term v0.39.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -24,11 +26,14 @@ require (
 	github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.18.1 // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+	github.com/docker/cli v29.0.3+incompatible // indirect
+	github.com/docker/distribution v2.8.3+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
-	github.com/go-git/go-git/v5 v5.16.4 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
@@ -37,17 +42,22 @@ require (
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/klauspost/compress v1.18.1 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/sosodev/duration v1.3.1 // indirect
 	github.com/spf13/pflag v1.0.9 // indirect
+	github.com/vbatts/tar-split v0.12.2 // indirect
 	github.com/vektah/gqlparser/v2 v2.5.30 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
@@ -69,7 +79,7 @@ require (
 	go.opentelemetry.io/proto/otlp v1.8.0 // indirect
 	golang.org/x/crypto v0.42.0 // indirect
 	golang.org/x/net v0.44.0 // indirect
-	golang.org/x/sync v0.17.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
 	golang.org/x/sys v0.40.0 // indirect
 	golang.org/x/text v0.29.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect