Continuous Integration Events
December 22, 2025 · View on GitHub
Continuous Integration (CI) events include the subject and predicates related to CI activities such as building software, producing artifacts and running tests.
Subjects
This specification defines two subjects in this stage: build and artifact. Events associated with these subjects are typically generated either by a CI system that orchestrates the process or by a specific build or test tool directly. Some artifact events may be generated by the system that stores the artifact as well.
| Subject | Description | Predicates |
|---|---|---|
build | A software build | queued, started, finished |
artifact | An artifact produced by a build | packaged, signed, published, downloaded, deleted |
testCase/testSuiteevents have moved to their own top-level bucket Testing Events
build
A build is a process that uses a recipe to produce an artifact from source code.
Note: The data model for build, apart from id and source, only includes the identifier of the artifact produced by the build. The inputs to the build process are not specified yet.
| Field | Type | Description | Examples |
|---|---|---|---|
| id | String | Uniquely identifies the subject within the source. | 1234, maven123, builds/taskrun123 |
| source | URI-Reference | source from the context | staging/tekton, tekton-dev-123 |
| artifactId | String | Identifier of the artifact produced by the build | pkg:oci/myapp@sha256%3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427, pkg:golang/mygit.com/myorg/myapp@234fd47e07d1004f0aed9c |
artifact
An artifact is usually produced as output of a build process. Events need to be generated to indicate that an artifact has been packaged and released for others to use. These events can be produced by the artifact producer or by the artifact storage system.
| Field | Type | Description | Examples |
|---|---|---|---|
| id | String | See id | pkg:oci/myapp@sha256%3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427, pkg:golang/mygit.com/myorg/myapp@234fd47e07d1004f0aed9c |
| source | URI-Reference | See source | staging/tekton, tekton-dev-123 |
| change | object | The change (tag, commit, revision) of the repository which was used to build the artifact" | {"id": "527d4a1aca5e8d0df24813df5ad65d049fc8d312", "source": "my-git.example/an-org/a-repo"}, {"id": "feature1234", "source": "my-git.example/an-org/a-repo"} |
| signature | string | The signature of the artifact | MEYCIQCBT8U5ypDXWCjlNKfzTV4KH516/SK13NZSh8znnSMNkQIhAJ3XiQlc9PM1KyjITcZXHotdMB+J3NGua5T/yshmiPmp |
| sbom | sbom | The Software Bill of Material (SBOM) associated with the artifact | {"uri": "https://sbom.storage.service/my-projects/3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427.sbom"} |
| user | string | The user who performed the predicate on the artifact registry. 1 | mybot-myapp |
Events
build queued
This event represents a Build task that has been queued; this build process usually is in charge of producing a binary from source code.
- Event Type:
dev.cdevents.build.queued.0.3.0 - Predicate: queued
- Subject:
build
| Field | Type | Description | Examples | Required |
|---|---|---|---|---|
| id | String | See id | 1234, maven123, builds/taskrun123 | ✅ |
| source | URI-Reference | See source |
build started
This event represents a Build task that has been started; this build process usually is in charge of producing a binary from source code.
- Event Type:
dev.cdevents.build.started.0.3.0 - Predicate: started
- Subject:
build
| Field | Type | Description | Examples | Required |
|---|---|---|---|---|
| id | String | See id | 1234, maven123, builds/taskrun123 | ✅ |
| source | URI-Reference | See source |
build finished
This event represents a Build task that has finished. This event will eventually contain the finished status, success, error or failure
- Event Type:
dev.cdevents.build.finished.0.3.0 - Predicate: finished
- Subject:
build
| Field | Type | Description | Examples | Required |
|---|---|---|---|---|
| id | String | See id | 1234, maven123, builds/taskrun123 | ✅ |
| source | URI-Reference | See source | ||
| artifactId | Purl | Identifier of the artifact produced by the build | pkg:oci/myapp@sha256%3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427, pkg:golang/mygit.com/myorg/myapp@234fd47e07d1004f0aed9c | build |
artifact packaged
The event represents an artifact that has been packaged for distribution; this artifact is now versioned with a fixed version. This event is usually produced by the build system. If an SBOM URI is available at this stage, it should be included.
- Event Type:
dev.cdevents.artifact.packaged.0.3.0 - Predicate: packaged
- Subject:
artifact
| Field | Type | Description | Examples | Required |
|---|---|---|---|---|
| id | Purl | See id | pkg:oci/myapp@sha256%3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427, pkg:golang/mygit.com/myorg/myapp@234fd47e07d1004f0aed9c | ✅ |
| source | URI-Reference | See source | ||
| change | object | The change (tag, commit, revision) of the repository which was used to build the artifact" | {"id": "527d4a1aca5e8d0df24813df5ad65d049fc8d312", "source": "my-git.example/an-org/a-repo"}, {"id": "feature1234", "source": "my-git.example/an-org/a-repo"} | ✅ |
| sbom | sbom | The Software Bill of Material (SBOM) associated with the artifact | {"uri": "https://sbom.storage.service/my-projects/3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427.sbom"} |
artifact signed
The event represents an artifact that has been signed. The signature is included in the events itself.
An artifact may be signed after it has been packaged or sometimes after it has published, depending on the tooling being used and the type of artifact. The artifact signed event is typically produced by the CI or build system.
- Event Type:
dev.cdevents.artifact.signed.0.3.0 - Predicate: signed
- Subject:
artifact
| Field | Type | Description | Examples | Required |
|---|---|---|---|---|
| id | Purl | See id | pkg:oci/myapp@sha256%3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427?repository_url=mycr.io/myapp, pkg:golang/mygit.com/myorg/myapp@234fd47e07d1004f0aed9c | ✅ |
| source | URI-Reference | See source | ||
| signature | string | The signature of the artifact | MEYCIQCBT8U5ypDXWCjlNKfzTV4KH516/SK13NZSh8znnSMNkQIhAJ3XiQlc9PM1KyjITcZXHotdMB+J3NGua5T/yshmiPmp | ✅ |
artifact published
The event represents an artifact that has been published and it can be advertised for others to use.
The artifact published event is typically produced by the artifact registry, but it may also be produced by the build system.
- Event Type:
dev.cdevents.artifact.published.0.3.0 - Predicate: published
- Subject:
artifact
| Field | Type | Description | Examples | Required |
|---|---|---|---|---|
| id | Purl | See id | pkg:oci/myapp@sha256%3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427?repository_url=mycr.io/myapp, pkg:golang/mygit.com/myorg/myapp@234fd47e07d1004f0aed9c | ✅ |
| source | URI-Reference | See source | ||
| user | String | The user who published to the artifact registry. 1 | mybot-myapp |
artifact downloaded
The event represents an artifact that has been downloaded from the registry.
The artifact downloaded event is preferably produced by the artifact registry.
- Event Type:
dev.cdevents.artifact.downloaded.0.2.0 - Predicate: downloaded
- Subject:
artifact
| Field | Type | Description | Examples | Required |
|---|---|---|---|---|
| id | Purl | See id | pkg:oci/myapp@sha256%3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427?repository_url=mycr.io/myapp, pkg:golang/mygit.com/myorg/myapp@234fd47e07d1004f0aed9c | ✅ |
| source | URI-Reference | See source | ||
| user | String | The user who downloaded from the artifact registry. 1 | mybot-myapp |
artifact deleted
The event represents an artifact that has been deleted from an artifact registry.
The artifact deleted event is preferably produced by the artifact registry.
- Event Type:
dev.cdevents.artifact.deleted.0.2.0 - Predicate: deleted
- Subject:
artifact
| Field | Type | Description | Examples | Required |
|---|---|---|---|---|
| id | Purl | See id | pkg:oci/myapp@sha256%3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427?repository_url=mycr.io/myapp, pkg:golang/mygit.com/myorg/myapp@234fd47e07d1004f0aed9c | ✅ |
| source | URI-Reference | See source | ||
| user | String | The user who deleted from the artifact registry. 1 | mybot-myapp |
Objects
sbom
Several events reference a Software Bill of Materials (SBOM). In CDEvents SBOMs are represented via the sbom object, which is a reference to an externally hosted SBOM. The sbom object includes a single uri field, and is defined as an object to allow for more fields to be added in a backwards compatible manner in future.
| Field | Type | Description | Examples |
|---|---|---|---|
uri | URI-Reference | Link to an externally hosted SBOM. | https://sbom.storage.service/my-projects/3A0b31b1c02ff458ad9b7b81cbdf8f028bd54699fa151f221d1e8de6817db93427.sbom |
Footnotes
-
The actual format of
userdepends on the specific registry and authentication method used. If access to the artifact registry is obtained through a long lived token, this could be the name or description associated with the token at provisioning time. In case of an anonymous read operations, the user depends on the protocol used, a typically useful value would be the IP address of the client performing the read. ↩ ↩2 ↩3 ↩4