From 8af1c1dd43dd705c939f1cdf527a70200e9bbc63 Mon Sep 17 00:00:00 2001 From: Chuang Wang Date: Mon, 20 Mar 2023 16:22:53 -0700 Subject: [PATCH] Rename ConfigSource and Source to `RefSource` Recently, we introduced a new field named provenance in TaskRun/PipelineRun CRD status, and one of its subfields is named `ConfigSource`. Meanwhile, we introduced `source` field into `ResolutionRequest` CRD status to pipe the value. In this commit, we renamed both `configSource` and `source` to `RefSource`. Reasoning: ConfigSource is the SLSA name and ties to a specific SLSA version. It also makes this a leaky abstraction, i.e. we are naming fields in our API after how we want to use them. Additionally, `config` isn't a concept that exists in Tekton. Also the name `source` is too generic. Backward compatibility: This PR doesn't remove the old field. Instead, it keeps the old field while introducing the new name to give a release of warning. The old name will be removed in future release for a smooth transition. 
Signed-off-by: Chuang Wang --- docs/bundle-resolver.md | 4 +- docs/cluster-resolver.md | 4 +- docs/git-resolver.md | 4 +- docs/how-to-write-a-resolver.md | 12 +- docs/pipeline-api.md | 255 +++++++++++------- .../cmd/demoresolver/main.go | 4 +- pkg/apis/pipeline/v1/openapi_generated.go | 98 +++---- pkg/apis/pipeline/v1/provenance.go | 29 +- pkg/apis/pipeline/v1/swagger.json | 54 ++-- pkg/apis/pipeline/v1/zz_generated.deepcopy.go | 52 ++-- .../pipeline/v1beta1/openapi_generated.go | 88 +++++- .../v1beta1/pipelinerun_conversion_test.go | 2 +- pkg/apis/pipeline/v1beta1/provenance.go | 46 ++-- .../pipeline/v1beta1/provenance_conversion.go | 20 +- pkg/apis/pipeline/v1beta1/swagger.json | 56 +++- .../v1beta1/taskrun_conversion_test.go | 2 +- .../pipeline/v1beta1/zz_generated.deepcopy.go | 28 ++ .../v1alpha1/resolution_request_types.go | 4 +- .../v1alpha1/zz_generated.deepcopy.go | 6 +- .../v1beta1/resolution_request_types.go | 7 +- .../v1beta1/zz_generated.deepcopy.go | 5 + pkg/internal/resolution/resolved_meta.go | 4 +- pkg/reconciler/pipelinerun/pipelinerun.go | 9 +- .../pipelinerun/pipelinerun_test.go | 13 +- .../pipelinerun/pipelinespec/pipelinespec.go | 14 +- .../pipelinespec/pipelinespec_test.go | 56 ++-- .../pipelinerun/resources/pipelineref.go | 32 +-- .../pipelinerun/resources/pipelineref_test.go | 86 +++--- .../resources/pipelinerunresolution.go | 4 +- .../resources/pipelinerunresolution_test.go | 18 +- pkg/reconciler/taskrun/resources/taskref.go | 32 +-- .../taskrun/resources/taskref_test.go | 88 +++--- pkg/reconciler/taskrun/resources/taskspec.go | 14 +- .../taskrun/resources/taskspec_test.go | 34 +-- pkg/reconciler/taskrun/taskrun.go | 11 +- pkg/reconciler/taskrun/taskrun_test.go | 17 +- pkg/remote/oci/resolver.go | 2 +- pkg/remote/oci/resolver_test.go | 6 +- pkg/remote/resolution/resolver.go | 4 +- pkg/remote/resolution/resolver_test.go | 6 +- pkg/remote/resolver.go | 4 +- pkg/resolution/resolver/bundle/bundle.go | 8 +- .../resolver/bundle/resolver_test.go | 
3 +- pkg/resolution/resolver/cluster/resolver.go | 6 +- .../resolver/cluster/resolver_test.go | 24 ++ .../resolver/framework/fakeresolver.go | 6 +- .../resolver/framework/interface.go | 2 +- .../resolver/framework/reconciler.go | 4 +- .../resolver/framework/reconciler_test.go | 9 +- pkg/resolution/resolver/git/resolver.go | 6 +- pkg/resolution/resolver/git/resolver_test.go | 5 +- pkg/resolution/resolver/hub/resolver.go | 6 +- pkg/resolution/resource/crd_resource.go | 4 +- pkg/resolution/resource/resource.go | 2 +- pkg/trustedresources/verify.go | 12 +- test/resolution.go | 14 +- test/status_test.go | 12 +- 57 files changed, 813 insertions(+), 544 deletions(-) diff --git a/docs/bundle-resolver.md b/docs/bundle-resolver.md index c25393ed18e..90fbad1d5ac 100644 --- a/docs/bundle-resolver.md +++ b/docs/bundle-resolver.md @@ -89,7 +89,7 @@ spec: ``` ## `ResolutionRequest` Status -`ResolutionRequest.Status.Source` field captures the source where the remote resource came from. It includes the 3 subfields: `url`, `digest` and `entrypoint`. +`ResolutionRequest.Status.RefSource` field captures the source where the remote resource came from. It includes the 3 subfields: `url`, `digest` and `entrypoint`. - `uri`: The image repository URI - `digest`: The map of the algorithm portion -> the hex encoded portion of the image digest. - `entrypoint`: The resource name in the OCI bundle image. @@ -148,7 +148,7 @@ status: ... data: xxx observedGeneration: 1 - source: + refSource: digest: sha256: f51ca50f1c065acba8290ef14adec8461915ecc5f70a8eb26190c6e8e0ededaf entryPoint: git-clone diff --git a/docs/cluster-resolver.md b/docs/cluster-resolver.md index 7dc656b67b3..c97bbc955fb 100644 --- a/docs/cluster-resolver.md +++ b/docs/cluster-resolver.md 
@@ -82,7 +82,7 @@ spec: ``` ## `ResolutionRequest` Status -`ResolutionRequest.Status.Source` field captures the source where the remote resource came from. It includes the 3 subfields: `url`, `digest` and `entrypoint`. +`ResolutionRequest.Status.RefSource` field captures the source where the remote resource came from. It includes the 3 subfields: `url`, `digest` and `entrypoint`. - `url`: url is the unique full identifier for the resource in the cluster. It is in the format of `@`. Resource URI part is the namespace-scoped uri i.e. `/apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME`. See [K8s Resource URIs](https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-uris) for more details. - `digest`: hex-encoded sha256 checksum of the content in the in-cluster resource's spec field. The reason why it's the checksum of the spec content rather than the whole object is because the metadata of in-cluster resources might be modified i.e. annotations. Therefore, the checksum of the spec content should be sufficient for source verifiers to verify if things have been changed maliciously even though the metadata is modified with good intentions. - `entrypoint`: ***empty*** because the path information is already available in the url field. @@ -130,7 +130,7 @@ status: annotations: ... conditions: ... data: xxx - source: + refSource: digest: sha256: 245b1aa918434cc8195b4d4d026f2e43df09199e2ed31d4dfd9c2cbea1c7ce54 uri: /apis/tekton.dev/v1beta1/namespaces/default/task/a-simple-task@3b82d8c4-f89e-47ea-a49d-3be0dca4c038 diff --git a/docs/git-resolver.md b/docs/git-resolver.md index d0e7348d07f..9a82e83b749 100644 --- a/docs/git-resolver.md +++ b/docs/git-resolver.md 
@@ -155,7 +155,7 @@ spec: ``` ## `ResolutionRequest` Status -`ResolutionRequest.Status.Source` field captures the source where the remote resource came from. It includes the 3 subfields: `url`, `digest` and `entrypoint`. +`ResolutionRequest.Status.RefSource` field captures the source where the remote resource came from. It includes the 3 subfields: `url`, `digest` and `entrypoint`. - `url` - If users choose to use anonymous cloning, the url is just user-provided value for the `url` param in the [SPDX download format](https://spdx.github.io/spdx-spec/package-information/#77-package-download-location-field). - If scm api is used, it would be the clone URL of the repo fetched from scm repository service in the [SPDX download format](https://spdx.github.io/spdx-spec/package-information/#77-package-download-location-field). @@ -195,7 +195,7 @@ spec: revision: main url: https://github.com//.git status: - source: + refSource: uri: git+https://github.com//.git digest: sha1: diff --git a/docs/how-to-write-a-resolver.md b/docs/how-to-write-a-resolver.md index 5afb80c482b..c9cf63534ac 100644 --- a/docs/how-to-write-a-resolver.md +++ b/docs/how-to-write-a-resolver.md 
@@ -267,23 +267,23 @@ func (*myResolvedResource) Annotations() map[string]string { return nil } -// Source is the source reference of the remote data that records where the remote +// RefSource is the source reference of the remote data that records where the remote // file came from including the url, digest and the entrypoint. None atm. -func (*myResolvedResource) Source() *pipelinev1beta1.ConfigSource { +func (*myResolvedResource) RefSource() *pipelinev1beta1.RefSource { return nil } ``` Best practice: In order to enable Tekton Chains to record the source information of the remote data in the SLSA provenance, the resolver should -implement the `Source()` method to return a correct ConfigSource value. See the +implement the `RefSource()` method to return a correct RefSource value. See the following example. ```go -// Source is the source reference of the remote data that records where the remote +// RefSource is the source reference of the remote data that records where the remote // file came from including the url, digest and the entrypoint. -func (*myResolvedResource) Source() *pipelinev1beta1.ConfigSource { - return &v1alpha1.ConfigSource{ +func (*myResolvedResource) RefSource() *pipelinev1beta1.RefSource { + return &v1alpha1.RefSource{ URI: "https://github.com/user/example", Digest: map[string]string{ "sha1": "example", diff --git a/docs/pipeline-api.md b/docs/pipeline-api.md index 176b6999d41..9b20a14060e 100644 --- a/docs/pipeline-api.md +++ b/docs/pipeline-api.md @@ -223,15 +223,15 @@ object.

-source
+refSource
- -ConfigSource + +RefSource -

Source is the source reference of the remote data that records where the remote +

RefSource is the source reference of the remote data that records where the remote file came from including the url, digest and the entrypoint.

@@ -449,7 +449,20 @@ ConfigSource -

Source is the source reference of the remote data that records the url, digest +

Deprecated: Use RefSource instead

+ + + + +refSource
+ + +RefSource + + + + +

RefSource is the source reference of the remote data that records the url, digest and the entrypoint.

@@ -1330,66 +1343,6 @@ string

Combinations is a Combination list

-

ConfigSource -

-

-(Appears on:Provenance) -

-
-

ConfigSource identifies the source where a resource came from. -This can include Git repositories, Task Bundles, file checksums, or other information -that allows users to identify where the resource came from and what version was used.

-
- - - - - - - - - - - - - - - - - - - - - -
FieldDescription
-uri
- -string - -
-

URI indicates the identity of the source of the config. -Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.uri -Example: “https://github.com/tektoncd/catalog”

-
-digest
- -map[string]string - -
-

Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. -Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.digest -Example: {“sha1”: “f99d13e554ffcb696dee719fa85b695cb5b0f428”}

-
-entryPoint
- -string - -
-

EntryPoint identifies the entry point into the build. This is often a path to a -configuration file and/or a target label within that file. -Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.entryPoint -Example: “task/git-clone/0.8/git-clone.yaml”

-

EmbeddedTask

@@ -3070,12 +3023,10 @@ ParamType (Appears on:PipelineRunStatusFields, TaskRunStatusFields)

-

Provenance contains some key authenticated metadata about how a software artifact was -built (what sources, what inputs/outputs, etc.). For now, it only contains the subfield -ConfigSource that identifies the source where a build config file came from. -In future, it can be expanded as needed to include more metadata about the build. -This field aims to be used to carry minimum amount of the authenticated metadata in *Run status -so that Tekton Chains can pick it up and record in the provenance it generates.

+

Provenance contains metadata about resources used in the TaskRun/PipelineRun +such as the source from where a remote build definition was fetched. +This field aims to carry minimum amoumt of metadata in *Run status so that +Tekton Chains can capture them in the provenance.

@@ -3087,15 +3038,15 @@ so that Tekton Chains can pick it up and record in the provenance it generates.< @@ -3111,6 +3062,63 @@ github.com/tektoncd/pipeline/pkg/apis/config.FeatureFlags
-configSource
+refSource
- -ConfigSource + +RefSource
-

ConfigSource identifies the source where a resource came from.

+

RefSource identifies the source where a remote task/pipeline came from.

+

RefSource +

+

+(Appears on:Provenance) +

+
+

RefSource contains the information that can uniquely identify where a remote +built definition came from i.e. Git repositories, Tekton Bundles in OCI registry +and hub.

+
+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+uri
+ +string + +
+

URI indicates the identity of the source of the build definition. +Example: “https://github.com/tektoncd/catalog”

+
+digest
+ +map[string]string + +
+

Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. +Example: {“sha1”: “f99d13e554ffcb696dee719fa85b695cb5b0f428”}

+
+entryPoint
+ +string + +
+

EntryPoint identifies the entry point into the build. This is often a path to a +build definition file and/or a target label within that file. +Example: “task/git-clone/0.8/git-clone.yaml”

+

ResolverName (string alias)

@@ -8234,12 +8242,12 @@ int32

ConfigSource

-(Appears on:Provenance, ResolutionRequestStatusFields, ResolutionRequestStatusFields) +(Appears on:Provenance, ResolutionRequestStatusFields)

-

ConfigSource identifies the source where a resource came from. -This can include Git repositories, Task Bundles, file checksums, or other information -that allows users to identify where the resource came from and what version was used.

+

ConfigSource contains the information that can uniquely identify where a remote +built definition came from i.e. Git repositories, Tekton Bundles in OCI registry +and hub.

@@ -8257,8 +8265,7 @@ string @@ -8271,7 +8278,6 @@ map[string]string @@ -8284,8 +8290,7 @@ string @@ -10233,12 +10238,10 @@ ParamType (Appears on:PipelineRunStatusFields, TaskRunStatusFields)

-

Provenance contains some key authenticated metadata about how a software artifact was -built (what sources, what inputs/outputs, etc.). For now, it only contains the subfield -ConfigSource that identifies the source where a build config file came from. -In future, it can be expanded as needed to include more metadata about the build. -This field aims to be used to carry minimum amount of the authenticated metadata in *Run status -so that Tekton Chains can pick it up and record in the provenance it generates.

+

Provenance contains metadata about resources used in the TaskRun/PipelineRun +such as the source from where a remote build definition was fetched. +This field aims to carry minimum amoumt of metadata in *Run status so that +Tekton Chains can capture them in the provenance.

-

URI indicates the identity of the source of the config. -Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.uri +

URI indicates the identity of the source of the build definition. Example: “https://github.com/tektoncd/catalog”

Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. -Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.digest Example: {“sha1”: “f99d13e554ffcb696dee719fa85b695cb5b0f428”}

EntryPoint identifies the entry point into the build. This is often a path to a -configuration file and/or a target label within that file. -Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.entryPoint +build definition file and/or a target label within that file. Example: “task/git-clone/0.8/git-clone.yaml”

@@ -10258,7 +10261,20 @@ ConfigSource + + + + @@ -10274,6 +10290,63 @@ github.com/tektoncd/pipeline/pkg/apis/config.FeatureFlags
-

ConfigSource identifies the source where a resource came from.

+

Deprecated: Use RefSource instead

+
+refSource
+ + +RefSource + + +
+

RefSource identifies the source where a remote task/pipeline came from.

+

RefSource +

+

+(Appears on:Provenance, ResolutionRequestStatusFields, ResolutionRequestStatusFields) +

+
+

RefSource contains the information that can uniquely identify where a remote +built definition came from i.e. Git repositories, Tekton Bundles in OCI registry +and hub.

+
+ + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+uri
+ +string + +
+

URI indicates the identity of the source of the build definition. +Example: “https://github.com/tektoncd/catalog”

+
+digest
+ +map[string]string + +
+

Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. +Example: {“sha1”: “f99d13e554ffcb696dee719fa85b695cb5b0f428”}

+
+entryPoint
+ +string + +
+

EntryPoint identifies the entry point into the build. This is often a path to a +build definition file and/or a target label within that file. +Example: “task/git-clone/0.8/git-clone.yaml”

+

ResolverName (string alias)

diff --git a/docs/resolver-template/cmd/demoresolver/main.go b/docs/resolver-template/cmd/demoresolver/main.go index b2e1caad3dc..89ebe801194 100644 --- a/docs/resolver-template/cmd/demoresolver/main.go +++ b/docs/resolver-template/cmd/demoresolver/main.go @@ -93,8 +93,8 @@ func (*myResolvedResource) Annotations() map[string]string { return nil } -// Source is the source reference of the remote data that records where the remote +// RefSource is the source reference of the remote data that records where the remote // file came from including the url, digest and the entrypoint. None atm. -func (*myResolvedResource) Source() *pipelinev1beta1.ConfigSource { +func (*myResolvedResource) RefSource() *pipelinev1beta1.RefSource { return nil } diff --git a/pkg/apis/pipeline/v1/openapi_generated.go b/pkg/apis/pipeline/v1/openapi_generated.go index 7215742d812..2f6490e1e4c 100644 --- a/pkg/apis/pipeline/v1/openapi_generated.go +++ b/pkg/apis/pipeline/v1/openapi_generated.go @@ -33,7 +33,6 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/tektoncd/pipeline/pkg/apis/pipeline/pod.AffinityAssistantTemplate": schema_pkg_apis_pipeline_pod_AffinityAssistantTemplate(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/pod.Template": schema_pkg_apis_pipeline_pod_Template(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.ChildStatusReference": schema_pkg_apis_pipeline_v1_ChildStatusReference(ref), - "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.ConfigSource": schema_pkg_apis_pipeline_v1_ConfigSource(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.EmbeddedTask": schema_pkg_apis_pipeline_v1_EmbeddedTask(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.IncludeParams": schema_pkg_apis_pipeline_v1_IncludeParams(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.Matrix": schema_pkg_apis_pipeline_v1_Matrix(ref), 
@@ -62,6 +61,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.PipelineWorkspaceDeclaration": schema_pkg_apis_pipeline_v1_PipelineWorkspaceDeclaration(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.PropertySpec": schema_pkg_apis_pipeline_v1_PropertySpec(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.Provenance": schema_pkg_apis_pipeline_v1_Provenance(ref), + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.RefSource": schema_pkg_apis_pipeline_v1_RefSource(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.ResolverRef": schema_pkg_apis_pipeline_v1_ResolverRef(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.ResultRef": schema_pkg_apis_pipeline_v1_ResultRef(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.Sidecar": schema_pkg_apis_pipeline_v1_Sidecar(ref), 
@@ -440,49 +440,6 @@ func schema_pkg_apis_pipeline_v1_ChildStatusReference(ref common.ReferenceCallba } } -func schema_pkg_apis_pipeline_v1_ConfigSource(ref common.ReferenceCallback) common.OpenAPIDefinition { - return common.OpenAPIDefinition{ - Schema: spec.Schema{ - SchemaProps: spec.SchemaProps{ - Description: "ConfigSource identifies the source where a resource came from. This can include Git repositories, Task Bundles, file checksums, or other information that allows users to identify where the resource came from and what version was used.", - Type: []string{"object"}, - Properties: map[string]spec.Schema{ - "uri": { - SchemaProps: spec.SchemaProps{ - Description: "URI indicates the identity of the source of the config. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.uri Example: \"https://github.com/tektoncd/catalog\"", - Type: []string{"string"}, - Format: "", - }, - }, - "digest": { - SchemaProps: spec.SchemaProps{ - Description: "Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.digest Example: {\"sha1\": \"f99d13e554ffcb696dee719fa85b695cb5b0f428\"}", - Type: []string{"object"}, - AdditionalProperties: &spec.SchemaOrBool{ - Allows: true, - Schema: &spec.Schema{ - SchemaProps: spec.SchemaProps{ - Default: "", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - "entryPoint": { - SchemaProps: spec.SchemaProps{ - Description: "EntryPoint identifies the entry point into the build. This is often a path to a configuration file and/or a target label within that file. 
Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.entryPoint Example: \"task/git-clone/0.8/git-clone.yaml\"", - Type: []string{"string"}, - Format: "", - }, - }, - }, - }, - }, - } -} - func schema_pkg_apis_pipeline_v1_EmbeddedTask(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ @@ -2156,13 +2113,13 @@ func schema_pkg_apis_pipeline_v1_Provenance(ref common.ReferenceCallback) common return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Provenance contains some key authenticated metadata about how a software artifact was built (what sources, what inputs/outputs, etc.). For now, it only contains the subfield `ConfigSource` that identifies the source where a build config file came from. In future, it can be expanded as needed to include more metadata about the build. This field aims to be used to carry minimum amount of the authenticated metadata in *Run status so that Tekton Chains can pick it up and record in the provenance it generates.", + Description: "Provenance contains metadata about resources used in the TaskRun/PipelineRun such as the source from where a remote build definition was fetched. This field aims to carry minimum amoumt of metadata in *Run status so that Tekton Chains can capture them in the provenance.", Type: []string{"object"}, Properties: map[string]spec.Schema{ - "configSource": { + "refSource": { SchemaProps: spec.SchemaProps{ - Description: "ConfigSource identifies the source where a resource came from.", - Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.ConfigSource"), + Description: "RefSource identifies the source where a remote task/pipeline came from.", + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.RefSource"), }, }, "featureFlags": { 
@@ -2175,7 +2132,50 @@ func schema_pkg_apis_pipeline_v1_Provenance(ref common.ReferenceCallback) common }, }, Dependencies: []string{ - "github.com/tektoncd/pipeline/pkg/apis/config.FeatureFlags", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.ConfigSource"}, + "github.com/tektoncd/pipeline/pkg/apis/config.FeatureFlags", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1.RefSource"}, + } +} + +func schema_pkg_apis_pipeline_v1_RefSource(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "RefSource contains the information that can uniquely identify where a remote built definition came from i.e. Git repositories, Tekton Bundles in OCI registry and hub.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "uri": { + SchemaProps: spec.SchemaProps{ + Description: "URI indicates the identity of the source of the build definition. Example: \"https://github.com/tektoncd/catalog\"", + Type: []string{"string"}, + Format: "", + }, + }, + "digest": { + SchemaProps: spec.SchemaProps{ + Description: "Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. Example: {\"sha1\": \"f99d13e554ffcb696dee719fa85b695cb5b0f428\"}", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "entryPoint": { + SchemaProps: spec.SchemaProps{ + Description: "EntryPoint identifies the entry point into the build. This is often a path to a build definition file and/or a target label within that file. Example: \"task/git-clone/0.8/git-clone.yaml\"", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, } } diff --git a/pkg/apis/pipeline/v1/provenance.go b/pkg/apis/pipeline/v1/provenance.go index 2539f97bda3..de9f2a5c5d8 100644 
--- a/pkg/apis/pipeline/v1/provenance.go +++ b/pkg/apis/pipeline/v1/provenance.go 
@@ -15,37 +15,32 @@ package v1 import "github.com/tektoncd/pipeline/pkg/apis/config" -// Provenance contains some key authenticated metadata about how a software artifact was -// built (what sources, what inputs/outputs, etc.). For now, it only contains the subfield -// `ConfigSource` that identifies the source where a build config file came from. -// In future, it can be expanded as needed to include more metadata about the build. -// This field aims to be used to carry minimum amount of the authenticated metadata in *Run status -// so that Tekton Chains can pick it up and record in the provenance it generates. +// Provenance contains metadata about resources used in the TaskRun/PipelineRun +// such as the source from where a remote build definition was fetched. +// This field aims to carry minimum amoumt of metadata in *Run status so that +// Tekton Chains can capture them in the provenance. type Provenance struct { - // ConfigSource identifies the source where a resource came from. - ConfigSource *ConfigSource `json:"configSource,omitempty"` + // RefSource identifies the source where a remote task/pipeline came from. + RefSource *RefSource `json:"refSource,omitempty"` // FeatureFlags identifies the feature flags that were used during the task/pipeline run FeatureFlags *config.FeatureFlags `json:"featureFlags,omitempty"` } -// ConfigSource identifies the source where a resource came from. -// This can include Git repositories, Task Bundles, file checksums, or other information -// that allows users to identify where the resource came from and what version was used. -type ConfigSource struct { - // URI indicates the identity of the source of the config. - // Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.uri +// RefSource contains the information that can uniquely identify where a remote +// built definition came from i.e. Git repositories, Tekton Bundles in OCI registry +// and hub. 
+type RefSource struct { + // URI indicates the identity of the source of the build definition. // Example: "https://github.com/tektoncd/catalog" URI string `json:"uri,omitempty"` // Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. - // Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.digest // Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} Digest map[string]string `json:"digest,omitempty"` // EntryPoint identifies the entry point into the build. This is often a path to a - // configuration file and/or a target label within that file. - // Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.entryPoint + // build definition file and/or a target label within that file. // Example: "task/git-clone/0.8/git-clone.yaml" EntryPoint string `json:"entryPoint,omitempty"` } diff --git a/pkg/apis/pipeline/v1/swagger.json b/pkg/apis/pipeline/v1/swagger.json index a271e73570a..7fc5e3cf256 100644 --- a/pkg/apis/pipeline/v1/swagger.json +++ b/pkg/apis/pipeline/v1/swagger.json 
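Review bot: The v1 `Provenance` struct removes the `configSource` field (and the `ConfigSource` type) outright, whereas the commit message says the old field is kept for one release, and the docs/pipeline-api.md changes in this patch suggest v1beta1 keeps it as "Deprecated: Use RefSource instead". A provenance consumer that still reads `status.provenance.configSource` from a v1 object would get nothing and no error, so the source URI and digest could silently go missing from the attestations it records. If v1 objects can already be served or stored, keep a deprecated `ConfigSource` field with the `json:"configSource,omitempty"` tag next to `RefSource` for the same transition window; if they cannot, say so in the struct comment. Separately, the new comments have two typos: `amoumt` should be `amount` and `built definition` should be `build definition`.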
@@ -180,28 +180,6 @@ } } }, - "v1.ConfigSource": { - "description": "ConfigSource identifies the source where a resource came from. This can include Git repositories, Task Bundles, file checksums, or other information that allows users to identify where the resource came from and what version was used.", - "type": "object", - "properties": { - "digest": { - "description": "Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.digest Example: {\"sha1\": \"f99d13e554ffcb696dee719fa85b695cb5b0f428\"}", - "type": "object", - "additionalProperties": { - "type": "string", - "default": "" - } - }, - "entryPoint": { - "description": "EntryPoint identifies the entry point into the build. This is often a path to a configuration file and/or a target label within that file. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.entryPoint Example: \"task/git-clone/0.8/git-clone.yaml\"", - "type": "string" - }, - "uri": { - "description": "URI indicates the identity of the source of the config. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.uri Example: \"https://github.com/tektoncd/catalog\"", - "type": "string" - } - } - }, "v1.EmbeddedTask": { "description": "EmbeddedTask is used to define a Task inline within a Pipeline's PipelineTasks.", "type": "object", 
@@ -1074,16 +1052,38 @@ } }, "v1.Provenance": { - "description": "Provenance contains some key authenticated metadata about how a software artifact was built (what sources, what inputs/outputs, etc.). For now, it only contains the subfield `ConfigSource` that identifies the source where a build config file came from. In future, it can be expanded as needed to include more metadata about the build. This field aims to be used to carry minimum amount of the authenticated metadata in *Run status so that Tekton Chains can pick it up and record in the provenance it generates.", + "description": "Provenance contains metadata about resources used in the TaskRun/PipelineRun such as the source from where a remote build definition was fetched. This field aims to carry minimum amoumt of metadata in *Run status so that Tekton Chains can capture them in the provenance.", "type": "object", "properties": { - "configSource": { - "description": "ConfigSource identifies the source where a resource came from.", - "$ref": "#/definitions/v1.ConfigSource" - }, "featureFlags": { "description": "FeatureFlags identifies the feature flags that were used during the task/pipeline run", "$ref": "#/definitions/github.com.tektoncd.pipeline.pkg.apis.config.FeatureFlags" + }, + "refSource": { + "description": "RefSource identifies the source where a remote task/pipeline came from.", + "$ref": "#/definitions/v1.RefSource" + } + } + }, + "v1.RefSource": { + "description": "RefSource contains the information that can uniquely identify where a remote built definition came from i.e. Git repositories, Tekton Bundles in OCI registry and hub.", + "type": "object", + "properties": { + "digest": { + "description": "Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. 
Example: {\"sha1\": \"f99d13e554ffcb696dee719fa85b695cb5b0f428\"}", + "type": "object", + "additionalProperties": { + "type": "string", + "default": "" + } + }, + "entryPoint": { + "description": "EntryPoint identifies the entry point into the build. This is often a path to a build definition file and/or a target label within that file. Example: \"task/git-clone/0.8/git-clone.yaml\"", + "type": "string" + }, + "uri": { + "description": "URI indicates the identity of the source of the build definition. Example: \"https://github.com/tektoncd/catalog\"", + "type": "string" } } }, diff --git a/pkg/apis/pipeline/v1/zz_generated.deepcopy.go b/pkg/apis/pipeline/v1/zz_generated.deepcopy.go index 7b0b58c4501..b3d0969129b 100644 --- a/pkg/apis/pipeline/v1/zz_generated.deepcopy.go +++ b/pkg/apis/pipeline/v1/zz_generated.deepcopy.go @@ -104,29 +104,6 @@ func (in Combinations) DeepCopy() Combinations { return *out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ConfigSource) DeepCopyInto(out *ConfigSource) { - *out = *in - if in.Digest != nil { - in, out := &in.Digest, &out.Digest - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigSource. -func (in *ConfigSource) DeepCopy() *ConfigSource { - if in == nil { - return nil - } - out := new(ConfigSource) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *EmbeddedTask) DeepCopyInto(out *EmbeddedTask) { *out = *in 
@@ -998,9 +975,9 @@ func (in *PropertySpec) DeepCopy() *PropertySpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Provenance) DeepCopyInto(out *Provenance) { *out = *in - if in.ConfigSource != nil { - in, out := &in.ConfigSource, &out.ConfigSource - *out = new(ConfigSource) + if in.RefSource != nil { + in, out := &in.RefSource, &out.RefSource + *out = new(RefSource) (*in).DeepCopyInto(*out) } if in.FeatureFlags != nil { @@ -1021,6 +998,29 @@ func (in *Provenance) DeepCopy() *Provenance { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RefSource) DeepCopyInto(out *RefSource) { + *out = *in + if in.Digest != nil { + in, out := &in.Digest, &out.Digest + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RefSource. +func (in *RefSource) DeepCopy() *RefSource { + if in == nil { + return nil + } + out := new(RefSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ResolverRef) DeepCopyInto(out *ResolverRef) { *out = *in diff --git a/pkg/apis/pipeline/v1beta1/openapi_generated.go b/pkg/apis/pipeline/v1beta1/openapi_generated.go index c4ebbdcf945..cbe66687b1c 100644 --- a/pkg/apis/pipeline/v1beta1/openapi_generated.go +++ b/pkg/apis/pipeline/v1beta1/openapi_generated.go 
@@ -70,6 +70,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.PipelineWorkspaceDeclaration": schema_pkg_apis_pipeline_v1beta1_PipelineWorkspaceDeclaration(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.PropertySpec": schema_pkg_apis_pipeline_v1beta1_PropertySpec(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.Provenance": schema_pkg_apis_pipeline_v1beta1_Provenance(ref), + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.RefSource": schema_pkg_apis_pipeline_v1beta1_RefSource(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ResolverRef": schema_pkg_apis_pipeline_v1beta1_ResolverRef(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ResultRef": schema_pkg_apis_pipeline_v1beta1_ResultRef(ref), "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.Sidecar": schema_pkg_apis_pipeline_v1beta1_Sidecar(ref), 
@@ -620,19 +621,19 @@ func schema_pkg_apis_pipeline_v1beta1_ConfigSource(ref common.ReferenceCallback) return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "ConfigSource identifies the source where a resource came from. This can include Git repositories, Task Bundles, file checksums, or other information that allows users to identify where the resource came from and what version was used.", + Description: "ConfigSource contains the information that can uniquely identify where a remote built definition came from i.e. Git repositories, Tekton Bundles in OCI registry and hub.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "uri": { SchemaProps: spec.SchemaProps{ - Description: "URI indicates the identity of the source of the config. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.uri Example: \"https://github.com/tektoncd/catalog\"", + Description: "URI indicates the identity of the source of the build definition. Example: \"https://github.com/tektoncd/catalog\"", Type: []string{"string"}, Format: "", }, }, "digest": { SchemaProps: spec.SchemaProps{ - Description: "Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.digest Example: {\"sha1\": \"f99d13e554ffcb696dee719fa85b695cb5b0f428\"}", + Description: "Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. Example: {\"sha1\": \"f99d13e554ffcb696dee719fa85b695cb5b0f428\"}", Type: []string{"object"}, AdditionalProperties: &spec.SchemaOrBool{ Allows: true, 
@@ -648,7 +649,7 @@ func schema_pkg_apis_pipeline_v1beta1_ConfigSource(ref common.ReferenceCallback) }, "entryPoint": { SchemaProps: spec.SchemaProps{ - Description: "EntryPoint identifies the entry point into the build. This is often a path to a configuration file and/or a target label within that file. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.entryPoint Example: \"task/git-clone/0.8/git-clone.yaml\"", + Description: "EntryPoint identifies the entry point into the build. This is often a path to a build definition file and/or a target label within that file. Example: \"task/git-clone/0.8/git-clone.yaml\"", Type: []string{"string"}, Format: "", }, 
@@ -2654,15 +2655,21 @@ func schema_pkg_apis_pipeline_v1beta1_Provenance(ref common.ReferenceCallback) c return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "Provenance contains some key authenticated metadata about how a software artifact was built (what sources, what inputs/outputs, etc.). For now, it only contains the subfield `ConfigSource` that identifies the source where a build config file came from. In future, it can be expanded as needed to include more metadata about the build. This field aims to be used to carry minimum amount of the authenticated metadata in *Run status so that Tekton Chains can pick it up and record in the provenance it generates.", + Description: "Provenance contains metadata about resources used in the TaskRun/PipelineRun such as the source from where a remote build definition was fetched. This field aims to carry minimum amoumt of metadata in *Run status so that Tekton Chains can capture them in the provenance.", Type: []string{"object"}, Properties: map[string]spec.Schema{ "configSource": { SchemaProps: spec.SchemaProps{ - Description: "ConfigSource identifies the source where a resource came from.", + Description: "Deprecated: Use RefSource instead", Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ConfigSource"), }, }, + "refSource": { + SchemaProps: spec.SchemaProps{ + Description: "RefSource identifies the source where a remote task/pipeline came from.", + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.RefSource"), + }, + }, "featureFlags": { SchemaProps: spec.SchemaProps{ Description: "FeatureFlags identifies the feature flags that were used during the task/pipeline run", 
@@ -2673,7 +2680,50 @@ func schema_pkg_apis_pipeline_v1beta1_Provenance(ref common.ReferenceCallback) c }, }, Dependencies: []string{ - "github.com/tektoncd/pipeline/pkg/apis/config.FeatureFlags", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ConfigSource"}, + "github.com/tektoncd/pipeline/pkg/apis/config.FeatureFlags", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ConfigSource", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.RefSource"}, + } +} + +func schema_pkg_apis_pipeline_v1beta1_RefSource(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "RefSource contains the information that can uniquely identify where a remote built definition came from i.e. Git repositories, Tekton Bundles in OCI registry and hub.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "uri": { + SchemaProps: spec.SchemaProps{ + Description: "URI indicates the identity of the source of the build definition. Example: \"https://github.com/tektoncd/catalog\"", + Type: []string{"string"}, + Format: "", + }, + }, + "digest": { + SchemaProps: spec.SchemaProps{ + Description: "Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. Example: {\"sha1\": \"f99d13e554ffcb696dee719fa85b695cb5b0f428\"}", + Type: []string{"object"}, + AdditionalProperties: &spec.SchemaOrBool{ + Allows: true, + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "entryPoint": { + SchemaProps: spec.SchemaProps{ + Description: "EntryPoint identifies the entry point into the build. This is often a path to a build definition file and/or a target label within that file. Example: \"task/git-clone/0.8/git-clone.yaml\"", + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, } } 
@@ -5372,16 +5422,22 @@ func schema_pkg_apis_resolution_v1beta1_ResolutionRequestStatus(ref common.Refer }, "source": { SchemaProps: spec.SchemaProps{ - Description: "Source is the source reference of the remote data that records the url, digest and the entrypoint.", + Description: "Deprecated: Use RefSource instead", Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ConfigSource"), }, }, + "refSource": { + SchemaProps: spec.SchemaProps{ + Description: "RefSource is the source reference of the remote data that records the url, digest and the entrypoint.", + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.RefSource"), + }, + }, }, - Required: []string{"data", "source"}, + Required: []string{"data", "source", "refSource"}, }, }, Dependencies: []string{ - "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ConfigSource", "knative.dev/pkg/apis.Condition"}, + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ConfigSource", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.RefSource", "knative.dev/pkg/apis.Condition"}, } } 
@@ -5402,15 +5458,21 @@ func schema_pkg_apis_resolution_v1beta1_ResolutionRequestStatusFields(ref common }, "source": { SchemaProps: spec.SchemaProps{ - Description: "Source is the source reference of the remote data that records the url, digest and the entrypoint.", + Description: "Deprecated: Use RefSource instead", Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ConfigSource"), }, }, + "refSource": { + SchemaProps: spec.SchemaProps{ + Description: "RefSource is the source reference of the remote data that records the url, digest and the entrypoint.", + Ref: ref("github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.RefSource"), + }, + }, }, - Required: []string{"data", "source"}, + Required: []string{"data", "source", "refSource"}, }, }, Dependencies: []string{ - "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ConfigSource"}, + "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.ConfigSource", "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1.RefSource"}, } } diff --git a/pkg/apis/pipeline/v1beta1/pipelinerun_conversion_test.go b/pkg/apis/pipeline/v1beta1/pipelinerun_conversion_test.go index 72a5a452f5d..49e11c02d93 100644 --- a/pkg/apis/pipeline/v1beta1/pipelinerun_conversion_test.go +++ b/pkg/apis/pipeline/v1beta1/pipelinerun_conversion_test.go @@ -306,7 +306,7 @@ func TestPipelineRunConversion(t *testing.T) { }, FinallyStartTime: &metav1.Time{Time: time.Now()}, Provenance: &v1beta1.Provenance{ - ConfigSource: &v1beta1.ConfigSource{ + RefSource: &v1beta1.RefSource{ URI: "test-uri", Digest: map[string]string{"sha256": "digest"}, }, diff --git a/pkg/apis/pipeline/v1beta1/provenance.go b/pkg/apis/pipeline/v1beta1/provenance.go index 1cb8fca722d..3ae27eb55d7 100644 --- a/pkg/apis/pipeline/v1beta1/provenance.go +++ b/pkg/apis/pipeline/v1beta1/provenance.go 
@@ -15,37 +15,53 @@ package v1beta1 import "github.com/tektoncd/pipeline/pkg/apis/config" -// Provenance contains some key authenticated metadata about how a software artifact was -// built (what sources, what inputs/outputs, etc.). For now, it only contains the subfield -// `ConfigSource` that identifies the source where a build config file came from. -// In future, it can be expanded as needed to include more metadata about the build. -// This field aims to be used to carry minimum amount of the authenticated metadata in *Run status -// so that Tekton Chains can pick it up and record in the provenance it generates. +// Provenance contains metadata about resources used in the TaskRun/PipelineRun +// such as the source from where a remote build definition was fetched. +// This field aims to carry minimum amoumt of metadata in *Run status so that +// Tekton Chains can capture them in the provenance. type Provenance struct { - // ConfigSource identifies the source where a resource came from. + // Deprecated: Use RefSource instead ConfigSource *ConfigSource `json:"configSource,omitempty"` + // RefSource identifies the source where a remote task/pipeline came from. + RefSource *RefSource `json:"refSource,omitempty"` + // FeatureFlags identifies the feature flags that were used during the task/pipeline run FeatureFlags *config.FeatureFlags `json:"featureFlags,omitempty"` } -// ConfigSource identifies the source where a resource came from. -// This can include Git repositories, Task Bundles, file checksums, or other information -// that allows users to identify where the resource came from and what version was used. +// RefSource contains the information that can uniquely identify where a remote +// built definition came from i.e. Git repositories, Tekton Bundles in OCI registry +// and hub. +type RefSource struct { + // URI indicates the identity of the source of the build definition. 
+ // Example: "https://github.com/tektoncd/catalog" + URI string `json:"uri,omitempty"` + + // Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. + // Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} + Digest map[string]string `json:"digest,omitempty"` + + // EntryPoint identifies the entry point into the build. This is often a path to a + // build definition file and/or a target label within that file. + // Example: "task/git-clone/0.8/git-clone.yaml" + EntryPoint string `json:"entryPoint,omitempty"` +} + +// ConfigSource contains the information that can uniquely identify where a remote +// built definition came from i.e. Git repositories, Tekton Bundles in OCI registry +// and hub. type ConfigSource struct { - // URI indicates the identity of the source of the config. - // Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.uri + // URI indicates the identity of the source of the build definition. // Example: "https://github.com/tektoncd/catalog" URI string `json:"uri,omitempty"` // Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. - // Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.digest // Example: {"sha1": "f99d13e554ffcb696dee719fa85b695cb5b0f428"} Digest map[string]string `json:"digest,omitempty"` // EntryPoint identifies the entry point into the build. This is often a path to a - // configuration file and/or a target label within that file. - // Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.entryPoint + // build definition file and/or a target label within that file. // Example: "task/git-clone/0.8/git-clone.yaml" EntryPoint string `json:"entryPoint,omitempty"` } diff --git a/pkg/apis/pipeline/v1beta1/provenance_conversion.go b/pkg/apis/pipeline/v1beta1/provenance_conversion.go index 4f68e9dac53..4e4afe25b5f 100644 --- a/pkg/apis/pipeline/v1beta1/provenance_conversion.go 
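Review bot: The `ConfigSource` type in this hunk keeps an ordinary doc comment while only the `Provenance.ConfigSource` field is marked deprecated, so tools that key on a `Deprecated:` paragraph will flag field accesses but not code that constructs or converts the type. I would end the type's comment with its own paragraph `// Deprecated: Use RefSource instead.` and keep a one-line description above the field's `Deprecated:` line so the generated schema still says what the field holds. Two typos in the new comments propagate into the generated OpenAPI and swagger descriptions: `amoumt` should be `amount`, and `remote built definition` looks like it should read `remote build definition`. The `Digest` comment could also state that the map is keyed by algorithm name (`sha1` in the example, `sha256` in the conversion tests), since a verifier needs to know which algorithm to recompute.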
+++ b/pkg/apis/pipeline/v1beta1/provenance_conversion.go @@ -20,10 +20,10 @@ import ( ) func (p Provenance) convertTo(ctx context.Context, sink *v1.Provenance) { - if p.ConfigSource != nil { - new := v1.ConfigSource{} - p.ConfigSource.convertTo(ctx, &new) - sink.ConfigSource = &new + if p.RefSource != nil { + new := v1.RefSource{} + p.RefSource.convertTo(ctx, &new) + sink.RefSource = &new } if p.FeatureFlags != nil { sink.FeatureFlags = p.FeatureFlags @@ -31,23 +31,23 @@ func (p Provenance) convertTo(ctx context.Context, sink *v1.Provenance) { } func (p *Provenance) convertFrom(ctx context.Context, source v1.Provenance) { - if source.ConfigSource != nil { - new := ConfigSource{} - new.convertFrom(ctx, *source.ConfigSource) - p.ConfigSource = &new + if source.RefSource != nil { + new := RefSource{} + new.convertFrom(ctx, *source.RefSource) + p.RefSource = &new } if source.FeatureFlags != nil { p.FeatureFlags = source.FeatureFlags } } -func (cs ConfigSource) convertTo(ctx context.Context, sink *v1.ConfigSource) { +func (cs RefSource) convertTo(ctx context.Context, sink *v1.RefSource) { sink.URI = cs.URI sink.Digest = cs.Digest sink.EntryPoint = cs.EntryPoint } -func (cs *ConfigSource) convertFrom(ctx context.Context, source v1.ConfigSource) { +func (cs *RefSource) convertFrom(ctx context.Context, source v1.RefSource) { cs.URI = source.URI cs.Digest = source.Digest cs.EntryPoint = source.EntryPoint diff --git a/pkg/apis/pipeline/v1beta1/swagger.json b/pkg/apis/pipeline/v1beta1/swagger.json index 186c60518e5..610fae0aa6f 100644 --- a/pkg/apis/pipeline/v1beta1/swagger.json +++ b/pkg/apis/pipeline/v1beta1/swagger.json 
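Review bot: `convertTo` now copies only `p.RefSource`, so a v1beta1 object whose status was written before this change and carries just `configSource` converts to a v1 `Provenance` with no source reference at all. The v1 swagger and deepcopy hunks in this commit remove `ConfigSource` from v1, so this function is the only place the old value can be carried over, and dropping it silently reduces what Tekton Chains can record for such runs. A fallback ahead of the nil check would cover it: `src := p.RefSource`, then `if src == nil && p.ConfigSource != nil { src = (*RefSource)(p.ConfigSource) }`, then convert `src`. The second hunk has the mirror-image gap: `convertFrom` fills `RefSource` but leaves the deprecated `ConfigSource` nil, so v1beta1 readers still on the old field see nothing after a round trip; presumably it should be populated the same way the reconciler does. The closing lines of `convertTo` fall between the two hunks and are not shown.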
@@ -275,11 +275,11 @@ } }, "v1beta1.ConfigSource": { - "description": "ConfigSource identifies the source where a resource came from. This can include Git repositories, Task Bundles, file checksums, or other information that allows users to identify where the resource came from and what version was used.", + "description": "ConfigSource contains the information that can uniquely identify where a remote built definition came from i.e. Git repositories, Tekton Bundles in OCI registry and hub.", "type": "object", "properties": { "digest": { - "description": "Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.digest Example: {\"sha1\": \"f99d13e554ffcb696dee719fa85b695cb5b0f428\"}", + "description": "Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. Example: {\"sha1\": \"f99d13e554ffcb696dee719fa85b695cb5b0f428\"}", "type": "object", "additionalProperties": { "type": "string", @@ -287,11 +287,11 @@ } }, "entryPoint": { - "description": "EntryPoint identifies the entry point into the build. This is often a path to a configuration file and/or a target label within that file. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.entryPoint Example: \"task/git-clone/0.8/git-clone.yaml\"", + "description": "EntryPoint identifies the entry point into the build. This is often a path to a build definition file and/or a target label within that file. Example: \"task/git-clone/0.8/git-clone.yaml\"", "type": "string" }, "uri": { - "description": "URI indicates the identity of the source of the config. Definition: https://slsa.dev/provenance/v0.2#invocation.configSource.uri Example: \"https://github.com/tektoncd/catalog\"", + "description": "URI indicates the identity of the source of the build definition. Example: \"https://github.com/tektoncd/catalog\"", "type": "string" } } 
@@ -1346,16 +1346,42 @@ } }, "v1beta1.Provenance": { - "description": "Provenance contains some key authenticated metadata about how a software artifact was built (what sources, what inputs/outputs, etc.). For now, it only contains the subfield `ConfigSource` that identifies the source where a build config file came from. In future, it can be expanded as needed to include more metadata about the build. This field aims to be used to carry minimum amount of the authenticated metadata in *Run status so that Tekton Chains can pick it up and record in the provenance it generates.", + "description": "Provenance contains metadata about resources used in the TaskRun/PipelineRun such as the source from where a remote build definition was fetched. This field aims to carry minimum amoumt of metadata in *Run status so that Tekton Chains can capture them in the provenance.", "type": "object", "properties": { "configSource": { - "description": "ConfigSource identifies the source where a resource came from.", + "description": "Deprecated: Use RefSource instead", "$ref": "#/definitions/v1beta1.ConfigSource" }, "featureFlags": { "description": "FeatureFlags identifies the feature flags that were used during the task/pipeline run", "$ref": "#/definitions/github.com.tektoncd.pipeline.pkg.apis.config.FeatureFlags" + }, + "refSource": { + "description": "RefSource identifies the source where a remote task/pipeline came from.", + "$ref": "#/definitions/v1beta1.RefSource" + } + } + }, + "v1beta1.RefSource": { + "description": "RefSource contains the information that can uniquely identify where a remote built definition came from i.e. Git repositories, Tekton Bundles in OCI registry and hub.", + "type": "object", + "properties": { + "digest": { + "description": "Digest is a collection of cryptographic digests for the contents of the artifact specified by URI. 
Example: {\"sha1\": \"f99d13e554ffcb696dee719fa85b695cb5b0f428\"}", + "type": "object", + "additionalProperties": { + "type": "string", + "default": "" + } + }, + "entryPoint": { + "description": "EntryPoint identifies the entry point into the build. This is often a path to a build definition file and/or a target label within that file. Example: \"task/git-clone/0.8/git-clone.yaml\"", + "type": "string" + }, + "uri": { + "description": "URI indicates the identity of the source of the build definition. Example: \"https://github.com/tektoncd/catalog\"", + "type": "string" } } }, @@ -1435,7 +1461,8 @@ "type": "object", "required": [ "data", - "source" + "source", + "refSource" ], "properties": { "annotations": { @@ -1466,8 +1493,12 @@ "type": "integer", "format": "int64" }, + "refSource": { + "description": "RefSource is the source reference of the remote data that records the url, digest and the entrypoint.", + "$ref": "#/definitions/v1beta1.RefSource" + }, "source": { - "description": "Source is the source reference of the remote data that records the url, digest and the entrypoint.", + "description": "Deprecated: Use RefSource instead", "$ref": "#/definitions/v1beta1.ConfigSource" } } @@ -1477,7 +1508,8 @@ "type": "object", "required": [ "data", - "source" + "source", + "refSource" ], "properties": { "data": { @@ -1485,8 +1517,12 @@ "type": "string", "default": "" }, + "refSource": { + "description": "RefSource is the source reference of the remote data that records the url, digest and the entrypoint.", + "$ref": "#/definitions/v1beta1.RefSource" + }, "source": { - "description": "Source is the source reference of the remote data that records the url, digest and the entrypoint.", + "description": "Deprecated: Use RefSource instead", "$ref": "#/definitions/v1beta1.ConfigSource" } } diff --git a/pkg/apis/pipeline/v1beta1/taskrun_conversion_test.go b/pkg/apis/pipeline/v1beta1/taskrun_conversion_test.go index bcdf6b3c6e8..5b26f4009b6 100644 
--- a/pkg/apis/pipeline/v1beta1/taskrun_conversion_test.go +++ b/pkg/apis/pipeline/v1beta1/taskrun_conversion_test.go @@ -233,7 +233,7 @@ func TestTaskRunConversion(t *testing.T) { }}, }, Provenance: &v1beta1.Provenance{ - ConfigSource: &v1beta1.ConfigSource{ + RefSource: &v1beta1.RefSource{ URI: "test-uri", Digest: map[string]string{"sha256": "digest"}, }, diff --git a/pkg/apis/pipeline/v1beta1/zz_generated.deepcopy.go b/pkg/apis/pipeline/v1beta1/zz_generated.deepcopy.go index c3697a2a6d8..b43464cf4aa 100644 --- a/pkg/apis/pipeline/v1beta1/zz_generated.deepcopy.go +++ b/pkg/apis/pipeline/v1beta1/zz_generated.deepcopy.go @@ -1259,6 +1259,11 @@ func (in *Provenance) DeepCopyInto(out *Provenance) { *out = new(ConfigSource) (*in).DeepCopyInto(*out) } + if in.RefSource != nil { + in, out := &in.RefSource, &out.RefSource + *out = new(RefSource) + (*in).DeepCopyInto(*out) + } if in.FeatureFlags != nil { in, out := &in.FeatureFlags, &out.FeatureFlags *out = new(config.FeatureFlags) @@ -1277,6 +1282,29 @@ func (in *Provenance) DeepCopy() *Provenance { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RefSource) DeepCopyInto(out *RefSource) { + *out = *in + if in.Digest != nil { + in, out := &in.Digest, &out.Digest + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RefSource. +func (in *RefSource) DeepCopy() *RefSource { + if in == nil { + return nil + } + out := new(RefSource) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ResolverRef) DeepCopyInto(out *ResolverRef) { *out = *in 
diff --git a/pkg/apis/resolution/v1alpha1/resolution_request_types.go b/pkg/apis/resolution/v1alpha1/resolution_request_types.go index 9dd8f59f7cb..87364244112 100644 --- a/pkg/apis/resolution/v1alpha1/resolution_request_types.go +++ b/pkg/apis/resolution/v1alpha1/resolution_request_types.go @@ -79,9 +79,9 @@ type ResolutionRequestStatusFields struct { // of the requested resource in-lined into the ResolutionRequest // object. Data string `json:"data"` - // Source is the source reference of the remote data that records where the remote + // RefSource is the source reference of the remote data that records where the remote // file came from including the url, digest and the entrypoint. - Source *pipelinev1beta1.ConfigSource `json:"source"` + RefSource *pipelinev1beta1.RefSource `json:"refSource"` } // GetStatus implements KRShaped. diff --git a/pkg/apis/resolution/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/resolution/v1alpha1/zz_generated.deepcopy.go index 56813ebe5cb..6c431cd0cb2 100644 --- a/pkg/apis/resolution/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/resolution/v1alpha1/zz_generated.deepcopy.go @@ -131,9 +131,9 @@ func (in *ResolutionRequestStatus) DeepCopy() *ResolutionRequestStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ResolutionRequestStatusFields) DeepCopyInto(out *ResolutionRequestStatusFields) { *out = *in - if in.Source != nil { - in, out := &in.Source, &out.Source - *out = new(v1beta1.ConfigSource) + if in.RefSource != nil { + in, out := &in.RefSource, &out.RefSource + *out = new(v1beta1.RefSource) (*in).DeepCopyInto(*out) } return diff --git a/pkg/apis/resolution/v1beta1/resolution_request_types.go b/pkg/apis/resolution/v1beta1/resolution_request_types.go index da507b70845..966cf1a30f2 100644 --- a/pkg/apis/resolution/v1beta1/resolution_request_types.go +++ b/pkg/apis/resolution/v1beta1/resolution_request_types.go 
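Review bot: In the v1alpha1 `ResolutionRequestStatusFields` the field is renamed in place, so the JSON key changes from `source` to `refSource` with no deprecated `Source` kept, unlike the v1beta1 type where both are retained. A resolver or client still writing `status.source` against v1alpha1 would have that value dropped on decode, and the run's provenance source would be missing without any error. If v1alpha1 is meant to follow the one-release transition described in the commit message, keep the `Source` field with its `source` key and a `// Deprecated: Use RefSource instead` comment next to the new field. If the break is deliberate, say so in the field comment so that resolver authors know v1alpha1 has no grace period. The struct starts outside the hunk.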
@@ -80,9 +80,12 @@ type ResolutionRequestStatusFields struct { // of the requested resource in-lined into the ResolutionRequest // object. Data string `json:"data"` - // Source is the source reference of the remote data that records the url, digest - // and the entrypoint. + // Deprecated: Use RefSource instead Source *pipelinev1beta1.ConfigSource `json:"source"` + + // RefSource is the source reference of the remote data that records the url, digest + // and the entrypoint. + RefSource *pipelinev1beta1.RefSource `json:"refSource"` } // GetStatus implements KRShaped. diff --git a/pkg/apis/resolution/v1beta1/zz_generated.deepcopy.go b/pkg/apis/resolution/v1beta1/zz_generated.deepcopy.go index f89a39f4f27..a0cb54ee65a 100644 --- a/pkg/apis/resolution/v1beta1/zz_generated.deepcopy.go +++ b/pkg/apis/resolution/v1beta1/zz_generated.deepcopy.go @@ -136,6 +136,11 @@ func (in *ResolutionRequestStatusFields) DeepCopyInto(out *ResolutionRequestStat *out = new(pipelinev1beta1.ConfigSource) (*in).DeepCopyInto(*out) } + if in.RefSource != nil { + in, out := &in.RefSource, &out.RefSource + *out = new(pipelinev1beta1.RefSource) + (*in).DeepCopyInto(*out) + } return } diff --git a/pkg/internal/resolution/resolved_meta.go b/pkg/internal/resolution/resolved_meta.go index e3776347155..4beb3b4e530 100644 --- a/pkg/internal/resolution/resolved_meta.go +++ b/pkg/internal/resolution/resolved_meta.go @@ -24,6 +24,6 @@ import ( // ResolvedObjectMeta contains both ObjectMeta and the metadata that identifies the source where the resource came from. type ResolvedObjectMeta struct { *metav1.ObjectMeta `json:",omitempty"` - // ConfigSource identifies where the spec came from. - ConfigSource *v1beta1.ConfigSource `json:",omitempty"` + // RefSource identifies where the spec came from. + RefSource *v1beta1.RefSource `json:",omitempty"` } diff --git a/pkg/reconciler/pipelinerun/pipelinerun.go b/pkg/reconciler/pipelinerun/pipelinerun.go index 54824f05c1a..acc8761b596 100644 
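Review bot: The new `RefSource` field is tagged `json:"refSource"` without `omitempty`, and the generated schemas in this commit consequently list `refSource` as required next to `data` and `source`. A resolver built against the previous release sets only `source`, so its status would serialize `refSource` as null; whether that is rejected depends on how CRD validation is produced, which is not visible here. Making the new field optional is the safer transition: tag it `json:"refSource,omitempty"` and add a `// +optional` marker, and consider the same for the deprecated `source` so that it can later be left unset. The field comment should also say which of the two a consumer reads when both are present. The struct starts outside the hunk.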
--- a/pkg/reconciler/pipelinerun/pipelinerun.go +++ b/pkg/reconciler/pipelinerun/pipelinerun.go @@ -1256,7 +1256,7 @@ func storePipelineSpecAndMergeMeta(ctx context.Context, pr *v1beta1.PipelineRun, pr.ObjectMeta.Annotations = kmap.Union(kmap.ExcludeKeys(meta.Annotations, tknreconciler.KubectlLastAppliedAnnotationKey), pr.ObjectMeta.Annotations) } - // Propagate ConfigSource from remote resolution to PipelineRun Status + // Propagate refSource from remote resolution to PipelineRun Status // This lives outside of the status.spec check to avoid the case where only the spec is available in the first reconcile and source comes in next reconcile. cfg := config.FromContextOrDefaults(ctx) if cfg.FeatureFlags.EnableProvenanceInStatus { @@ -1266,8 +1266,11 @@ func storePipelineSpecAndMergeMeta(ctx context.Context, pr *v1beta1.PipelineRun, // Store FeatureFlags in the Provenance. pr.Status.Provenance.FeatureFlags = cfg.FeatureFlags - if meta != nil && meta.ConfigSource != nil && pr.Status.Provenance.ConfigSource == nil { - pr.Status.Provenance.ConfigSource = meta.ConfigSource + if meta != nil && meta.RefSource != nil && pr.Status.Provenance.RefSource == nil { + pr.Status.Provenance.RefSource = meta.RefSource + } + if meta != nil && meta.RefSource != nil && pr.Status.Provenance.ConfigSource == nil { + pr.Status.Provenance.ConfigSource = (*v1beta1.ConfigSource)(meta.RefSource) } } diff --git a/pkg/reconciler/pipelinerun/pipelinerun_test.go b/pkg/reconciler/pipelinerun/pipelinerun_test.go index 34972d45a91..b62c59563bf 100644 --- a/pkg/reconciler/pipelinerun/pipelinerun_test.go +++ b/pkg/reconciler/pipelinerun/pipelinerun_test.go @@ -4801,7 +4801,7 @@ status: } } -func Test_storePipelineSpecAndConfigSource(t *testing.T) { +func Test_storePipelineSpecAndRefSource(t *testing.T) { pr := parse.MustParseV1beta1PipelineRun(t, ` metadata: name: test-pipeline-run-success 
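Review bot: In the second hunk of `storePipelineSpecAndMergeMeta`, `RefSource` and `ConfigSource` are both assigned from the same `meta.RefSource` pointer; the `(*v1beta1.ConfigSource)(meta.RefSource)` conversion changes the type, not the storage, so the two status fields and the resolved metadata share one struct and one `Digest` map. A later write through any of them would silently change the others, which is undesirable for data that ends up in recorded provenance. Copying at assignment keeps them independent: `pr.Status.Provenance.RefSource = meta.RefSource.DeepCopy()` and `pr.Status.Provenance.ConfigSource = (*v1beta1.ConfigSource)(meta.RefSource.DeepCopy())`, which is also how the expected value in the updated test is built. The two `if` statements repeat `meta != nil && meta.RefSource != nil` and could sit under one outer guard. The function's body continues outside the hunk.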
@@ -4810,7 +4810,7 @@ metadata: annotations: io.annotation: value `) - configSource := &v1beta1.ConfigSource{ + refSource := &v1beta1.RefSource{ URI: "abc.com", Digest: map[string]string{ "sha1": "a123", @@ -4826,7 +4826,8 @@ metadata: PipelineRunStatusFields: v1beta1.PipelineRunStatusFields{ PipelineSpec: ps.DeepCopy(), Provenance: &v1beta1.Provenance{ - ConfigSource: configSource.DeepCopy(), + RefSource: refSource.DeepCopy(), + ConfigSource: (*v1beta1.ConfigSource)(refSource.DeepCopy()), FeatureFlags: &config.FeatureFlags{ RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars, EnableAPIFields: config.DefaultEnableAPIFields, @@ -4858,8 +4859,8 @@ metadata: reconcile1Args: &args{ pipelineSpec: &ps, resolvedObjectMeta: &resolutionutil.ResolvedObjectMeta{ - ObjectMeta: &pr.ObjectMeta, - ConfigSource: configSource.DeepCopy(), + ObjectMeta: &pr.ObjectMeta, + RefSource: refSource.DeepCopy(), }, }, reconcile2Args: &args{ @@ -4879,7 +4880,7 @@ metadata: reconcile2Args: &args{ pipelineSpec: &ps, resolvedObjectMeta: &resolutionutil.ResolvedObjectMeta{ - ConfigSource: configSource.DeepCopy(), + RefSource: refSource.DeepCopy(), }, }, wantPipelineRun: want, diff --git a/pkg/reconciler/pipelinerun/pipelinespec/pipelinespec.go b/pkg/reconciler/pipelinerun/pipelinespec/pipelinespec.go index 98ea54d6355..dba4c878b8b 100644 --- a/pkg/reconciler/pipelinerun/pipelinespec/pipelinespec.go +++ b/pkg/reconciler/pipelinerun/pipelinespec/pipelinespec.go 
@@ -27,14 +27,14 @@ import ( ) // GetPipeline is a function used to retrieve Pipelines. -type GetPipeline func(context.Context, string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) +type GetPipeline func(context.Context, string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) // GetPipelineData will retrieve the Pipeline metadata and Spec associated with the // provided PipelineRun. This can come from a reference Pipeline or from the PipelineRun's // metadata and embedded PipelineSpec. func GetPipelineData(ctx context.Context, pipelineRun *v1beta1.PipelineRun, getPipeline GetPipeline) (*resolutionutil.ResolvedObjectMeta, *v1beta1.PipelineSpec, error) { pipelineMeta := metav1.ObjectMeta{} - var configSource *v1beta1.ConfigSource + var refSource *v1beta1.RefSource pipelineSpec := v1beta1.PipelineSpec{} switch { case pipelineRun.Spec.PipelineRef != nil && pipelineRun.Spec.PipelineRef.Name != "": @@ -45,11 +45,11 @@ func GetPipelineData(ctx context.Context, pipelineRun *v1beta1.PipelineRun, getP } pipelineMeta = p.PipelineMetadata() pipelineSpec = p.PipelineSpec() - configSource = source + refSource = source case pipelineRun.Spec.PipelineSpec != nil: pipelineMeta = pipelineRun.ObjectMeta pipelineSpec = *pipelineRun.Spec.PipelineSpec - // TODO: if we want to set source for embedded pipeline, set it here. + // TODO: if we want to set RefSource for embedded pipeline, set it here. // https://github.com/tektoncd/pipeline/issues/5522 case pipelineRun.Spec.PipelineRef != nil && pipelineRun.Spec.PipelineRef.Resolver != "": pipeline, source, err := getPipeline(ctx, "") 
@@ -62,14 +62,14 @@ func GetPipelineData(ctx context.Context, pipelineRun *v1beta1.PipelineRun, getP pipelineMeta = pipeline.PipelineMetadata() pipelineSpec = pipeline.PipelineSpec() } - configSource = source + refSource = source default: return nil, nil, fmt.Errorf("pipelineRun %s not providing PipelineRef or PipelineSpec", pipelineRun.Name) } pipelineSpec.SetDefaults(ctx) return &resolutionutil.ResolvedObjectMeta{ - ObjectMeta: &pipelineMeta, - ConfigSource: configSource, + ObjectMeta: &pipelineMeta, + RefSource: refSource, }, &pipelineSpec, nil } diff --git a/pkg/reconciler/pipelinerun/pipelinespec/pipelinespec_test.go b/pkg/reconciler/pipelinerun/pipelinespec/pipelinespec_test.go index f88073f8204..a6c732145c0 100644 --- a/pkg/reconciler/pipelinerun/pipelinespec/pipelinespec_test.go +++ b/pkg/reconciler/pipelinerun/pipelinespec/pipelinespec_test.go @@ -52,7 +52,7 @@ func TestGetPipelineSpec_Ref(t *testing.T) { }, }, } - gt := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) { + gt := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) { return pipeline, nil, nil } resolvedObjectMeta, pipelineSpec, err := GetPipelineData(context.Background(), pr, gt) @@ -69,8 +69,8 @@ func TestGetPipelineSpec_Ref(t *testing.T) { t.Errorf("Pipeline Spec not resolved as expected, expected referenced Pipeline spec but got: %v", pipelineSpec) } - if resolvedObjectMeta.ConfigSource != nil { - t.Errorf("Expected resolved configsource is nil, but got %v", resolvedObjectMeta.ConfigSource) + if resolvedObjectMeta.RefSource != nil { + t.Errorf("Expected resolved refSource is nil, but got %v", resolvedObjectMeta.RefSource) } } 
@@ -90,7 +90,7 @@ func TestGetPipelineSpec_Embedded(t *testing.T) { }, }, } - gt := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) { + gt := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) { return nil, nil, errors.New("shouldn't be called") } resolvedObjectMeta, pipelineSpec, err := GetPipelineData(context.Background(), pr, gt) @@ -107,8 +107,8 @@ func TestGetPipelineSpec_Embedded(t *testing.T) { t.Errorf("Pipeline Spec not resolved as expected, expected embedded Pipeline spec but got: %v", pipelineSpec) } - if resolvedObjectMeta.ConfigSource != nil { - t.Errorf("Expected resolved configsource is nil, but got %v", resolvedObjectMeta.ConfigSource) + if resolvedObjectMeta.RefSource != nil { + t.Errorf("Expected resolved refSource is nil, but got %v", resolvedObjectMeta.RefSource) } } @@ -118,7 +118,7 @@ func TestGetPipelineSpec_Invalid(t *testing.T) { Name: "mypipelinerun", }, } - gt := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) { + gt := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) { return nil, nil, errors.New("shouldn't be called") } _, _, err := GetPipelineData(context.Background(), tr, gt) 
@@ -131,25 +131,25 @@ func TestGetPipelineData_ResolutionSuccess(t *testing.T) { sourceMeta := &metav1.ObjectMeta{ Name: "pipeline", } - sourceConfigSource := &v1beta1.ConfigSource{ + refSource := &v1beta1.RefSource{ URI: "abc.com", Digest: map[string]string{"sha1": "a123"}, EntryPoint: "foo/bar", } tests := []struct { - name string - pr *v1beta1.PipelineRun - sourceMeta *metav1.ObjectMeta - sourceSpec *v1beta1.PipelineSpec - sourceConfigSource *v1beta1.ConfigSource - expectedSpec *v1beta1.PipelineSpec - defaults map[string]string + name string + pr *v1beta1.PipelineRun + sourceMeta *metav1.ObjectMeta + sourceSpec *v1beta1.PipelineSpec + refSource *v1beta1.RefSource + expectedSpec *v1beta1.PipelineSpec + defaults map[string]string }{ { - name: "resolve remote task with taskRef Name", - sourceMeta: sourceMeta, - sourceConfigSource: sourceConfigSource, + name: "resolve remote task with taskRef Name", + sourceMeta: sourceMeta, + refSource: refSource, pr: &v1beta1.PipelineRun{ Spec: v1beta1.PipelineRunSpec{ PipelineRef: &v1beta1.PipelineRef{ @@ -179,9 +179,9 @@ func TestGetPipelineData_ResolutionSuccess(t *testing.T) { }, }, { - name: "resolve remote task with taskRef resolver - default resolver configured", - sourceMeta: sourceMeta, - sourceConfigSource: sourceConfigSource, + name: "resolve remote task with taskRef resolver - default resolver configured", + sourceMeta: sourceMeta, + refSource: refSource, pr: &v1beta1.PipelineRun{ Spec: v1beta1.PipelineRunSpec{ PipelineRef: &v1beta1.PipelineRef{ 
@@ -216,11 +216,11 @@ func TestGetPipelineData_ResolutionSuccess(t *testing.T) { for _, tc := range tests { t.Run(tc.name, func(t *testing.T) { ctx := cfgtesting.SetDefaults(context.Background(), t, tc.defaults) - getPipeline := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) { + getPipeline := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) { return &v1beta1.Pipeline{ ObjectMeta: *tc.sourceMeta.DeepCopy(), Spec: *tc.sourceSpec.DeepCopy(), - }, tc.sourceConfigSource.DeepCopy(), nil + }, tc.refSource.DeepCopy(), nil } resolvedObjectMeta, resolvedPipelineSpec, err := GetPipelineData(ctx, tc.pr, getPipeline) @@ -231,8 +231,8 @@ func TestGetPipelineData_ResolutionSuccess(t *testing.T) { if sourceMeta.Name != resolvedObjectMeta.Name { t.Errorf("expected name %q but resolved to %q", sourceMeta.Name, resolvedObjectMeta.Name) } - if d := cmp.Diff(tc.sourceConfigSource, resolvedObjectMeta.ConfigSource); d != "" { - t.Errorf("configSource did not match: %s", diff.PrintWantGot(d)) + if d := cmp.Diff(tc.refSource, resolvedObjectMeta.RefSource); d != "" { + t.Errorf("refSource did not match: %s", diff.PrintWantGot(d)) } if d := cmp.Diff(tc.expectedSpec, resolvedPipelineSpec); d != "" { t.Errorf("pipelineSpec did not match: %s", diff.PrintWantGot(d)) @@ -252,7 +252,7 @@ func TestGetPipelineSpec_Error(t *testing.T) { }, }, } - gt := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) { + gt := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) { return nil, nil, errors.New("something went wrong") } _, _, err := GetPipelineData(context.Background(), tr, gt) 
@@ -274,7 +274,7 @@ func TestGetPipelineData_ResolutionError(t *testing.T) { }, }, } - getPipeline := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) { + getPipeline := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) { return nil, nil, errors.New("something went wrong") } ctx := context.Background() @@ -297,7 +297,7 @@ func TestGetPipelineData_ResolvedNilPipeline(t *testing.T) { }, }, } - getPipeline := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) { + getPipeline := func(ctx context.Context, n string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) { return nil, nil, nil } ctx := context.Background() diff --git a/pkg/reconciler/pipelinerun/resources/pipelineref.go b/pkg/reconciler/pipelinerun/resources/pipelineref.go index a571f43a70a..ef1891d4be6 100644 --- a/pkg/reconciler/pipelinerun/resources/pipelineref.go +++ b/pkg/reconciler/pipelinerun/resources/pipelineref.go @@ -46,12 +46,12 @@ func GetPipelineFunc(ctx context.Context, k8s kubernetes.Interface, tekton clien pr := pipelineRun.Spec.PipelineRef namespace := pipelineRun.Namespace // if the spec is already in the status, do not try to fetch it again, just use it as source of truth. - // Same for the Source field in the Status.Provenance. + // Same for the RefSource field in the Status.Provenance. if pipelineRun.Status.PipelineSpec != nil { - return func(_ context.Context, name string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) { - var configSource *v1beta1.ConfigSource + return func(_ context.Context, name string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) { + var refSource *v1beta1.RefSource if pipelineRun.Status.Provenance != nil { - configSource = pipelineRun.Status.Provenance.ConfigSource + refSource = pipelineRun.Status.Provenance.RefSource } return &v1beta1.Pipeline{ ObjectMeta: metav1.ObjectMeta{ 
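Review bot: In the `@@ -46,12 +46,12 @@` hunk of pipelineref.go, the already-fetched path now reads only `pipelineRun.Status.Provenance.RefSource`, so a PipelineRun whose status was written before this rename (only `ConfigSource` populated) yields a nil source here. The commit message promises the old field keeps working for a release, so a fallback seems needed: `if refSource == nil && pipelineRun.Status.Provenance.ConfigSource != nil { refSource = (*v1beta1.RefSource)(pipelineRun.Status.Provenance.ConfigSource) }`. Without it, the RefSource of such in-flight runs presumably stays empty in status, which matters to anything that builds attestations from that field. The same applies to the `@@ -60,12 +60,12 @@` hunk of taskref.go (GetTaskFuncFromTaskRun). GetPipelineFunc begins before this hunk and continues past it.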
@@ -59,7 +59,7 @@ func GetPipelineFunc(ctx context.Context, k8s kubernetes.Interface, tekton clien Namespace: namespace, }, Spec: *pipelineRun.Status.PipelineSpec, - }, configSource, nil + }, refSource, nil } } @@ -67,7 +67,7 @@ func GetPipelineFunc(ctx context.Context, k8s kubernetes.Interface, tekton clien case cfg.FeatureFlags.EnableTektonOCIBundles && pr != nil && pr.Bundle != "": // Return an inline function that implements GetTask by calling Resolver.Get with the specified task type and // casting it to a PipelineObject. - return func(ctx context.Context, name string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) { + return func(ctx context.Context, name string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) { // If there is a bundle url at all, construct an OCI resolver to fetch the pipeline. kc, err := k8schain.New(ctx, k8s, k8schain.Options{ Namespace: namespace, @@ -80,7 +80,7 @@ func GetPipelineFunc(ctx context.Context, k8s kubernetes.Interface, tekton clien return resolvePipeline(ctx, resolver, name) } case pr != nil && pr.Resolver != "" && requester != nil: - return func(ctx context.Context, name string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) { + return func(ctx context.Context, name string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) { stringReplacements, arrayReplacements, objectReplacements := paramsFromPipelineRun(ctx, pipelineRun) for k, v := range GetContextReplacements("", pipelineRun) { stringReplacements[k] = v 
@@ -103,7 +103,7 @@ func GetPipelineFunc(ctx context.Context, k8s kubernetes.Interface, tekton clien // verify the pipeline if there are matching verification policies func GetVerifiedPipelineFunc(ctx context.Context, k8s kubernetes.Interface, tekton clientset.Interface, requester remoteresource.Requester, pipelineRun *v1beta1.PipelineRun, verificationpolicies []*v1alpha1.VerificationPolicy) rprp.GetPipeline { get := GetPipelineFunc(ctx, k8s, tekton, requester, pipelineRun) - return func(context.Context, string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) { + return func(context.Context, string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) { p, s, err := get(ctx, pipelineRun.Spec.PipelineRef.Name) if err != nil { return nil, nil, fmt.Errorf("failed to get pipeline: %w", err) @@ -112,11 +112,11 @@ func GetVerifiedPipelineFunc(ctx context.Context, k8s kubernetes.Interface, tekt if pipelineRun.Status.PipelineSpec != nil { return p, s, nil } - var source string + var refSource string if s != nil { - source = s.URI + refSource = s.URI } - if err := trustedresources.VerifyPipeline(ctx, p, k8s, source, verificationpolicies); err != nil { + if err := trustedresources.VerifyPipeline(ctx, p, k8s, refSource, verificationpolicies); err != nil { return nil, nil, fmt.Errorf("GetVerifiedPipelineFunc failed: %w: %v", trustedresources.ErrResourceVerificationFailed, err) } return p, s, nil 
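Review bot: In the `@@ -112,11 +112,11 @@` hunk, the local renamed to `refSource` is a plain string holding `s.URI`, while everywhere else in this commit `refSource` is a `*v1beta1.RefSource`. The name now hides that only the URI, not the digest or entry point, is handed to `trustedresources.VerifyPipeline`, presumably for policy matching. I would name it for what it is: `var refSourceURI string`, `refSourceURI = s.URI`, and pass `refSourceURI` to the call. The `@@ -85,16 +85,16 @@` hunk of taskref.go (GetVerifiedTaskFunc) has the same rename. GetVerifiedPipelineFunc starts before this hunk.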
@@ -131,9 +131,9 @@ type LocalPipelineRefResolver struct { // GetPipeline will resolve a Pipeline from the local cluster using a versioned Tekton client. It will // return an error if it can't find an appropriate Pipeline for any reason. -// TODO: if we want to set source for in-cluster pipeline, set it here. +// TODO: if we want to set RefSource for in-cluster pipeline, set it here. // https://github.com/tektoncd/pipeline/issues/5522 -func (l *LocalPipelineRefResolver) GetPipeline(ctx context.Context, name string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) { +func (l *LocalPipelineRefResolver) GetPipeline(ctx context.Context, name string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) { // If we are going to resolve this reference locally, we need a namespace scope. if l.Namespace == "" { return nil, nil, fmt.Errorf("Must specify namespace to resolve reference to pipeline %s", name) @@ -150,8 +150,8 @@ func (l *LocalPipelineRefResolver) GetPipeline(ctx context.Context, name string) // fetch a pipeline with given name. An error is returned if the // resolution doesn't work or the returned data isn't a valid // v1beta1.PipelineObject. -func resolvePipeline(ctx context.Context, resolver remote.Resolver, name string) (v1beta1.PipelineObject, *v1beta1.ConfigSource, error) { - obj, configSource, err := resolver.Get(ctx, "pipeline", name) +func resolvePipeline(ctx context.Context, resolver remote.Resolver, name string) (v1beta1.PipelineObject, *v1beta1.RefSource, error) { + obj, refSource, err := resolver.Get(ctx, "pipeline", name) if err != nil { return nil, nil, err } @@ -159,7 +159,7 @@ func resolvePipeline(ctx context.Context, resolver remote.Resolver, name string) if err != nil { return nil, nil, fmt.Errorf("failed to convert obj %s into Pipeline", obj.GetObjectKind().GroupVersionKind().String()) } - return pipelineObj, configSource, nil + return pipelineObj, refSource, nil } // readRuntimeObjectAsPipeline tries to convert a generic runtime.Object 
diff --git a/pkg/reconciler/pipelinerun/resources/pipelineref_test.go b/pkg/reconciler/pipelinerun/resources/pipelineref_test.go index ea7a66ef7f5..45965e90ce5 100644 --- a/pkg/reconciler/pipelinerun/resources/pipelineref_test.go +++ b/pkg/reconciler/pipelinerun/resources/pipelineref_test.go @@ -58,7 +58,7 @@ var ( }, } - sampleConfigSource = &v1beta1.ConfigSource{ + sampleRefSource = &v1beta1.RefSource{ URI: "abc.com", Digest: map[string]string{ "sha1": "a123", @@ -107,7 +107,7 @@ func TestLocalPipelineRef(t *testing.T) { Tektonclient: tektonclient, } - resolvedPipeline, resolvedConfigSource, err := lc.GetPipeline(ctx, tc.ref.Name) + resolvedPipeline, resolvedRefSource, err := lc.GetPipeline(ctx, tc.ref.Name) if tc.wantErr && err == nil { t.Fatal("Expected error but found nil instead") } else if !tc.wantErr && err != nil { @@ -118,8 +118,8 @@ func TestLocalPipelineRef(t *testing.T) { t.Error(diff.PrintWantGot(d)) } - if resolvedConfigSource != nil { - t.Errorf("expected configsource is nil, but got %v", resolvedConfigSource) + if resolvedRefSource != nil { + t.Errorf("expected refSource is nil, but got %v", resolvedRefSource) } }) } @@ -212,7 +212,7 @@ func TestGetPipelineFunc(t *testing.T) { t.Fatalf("failed to get pipeline fn: %s", err.Error()) } - pipeline, configSource, err := fn(ctx, tc.ref.Name) + pipeline, refSource, err := fn(ctx, tc.ref.Name) if err != nil { t.Fatalf("failed to call pipelinefn: %s", err.Error()) } @@ -221,8 +221,8 @@ func TestGetPipelineFunc(t *testing.T) { t.Error(diff) } - if configSource != nil { - t.Errorf("expected configsource is nil, but got %v", configSource) + if refSource != nil { + t.Errorf("expected refSource is nil, but got %v", refSource) } }) } 
@@ -260,7 +260,7 @@ func TestGetPipelineFuncSpecAlreadyFetched(t *testing.T) { Status: v1beta1.PipelineRunStatus{PipelineRunStatusFields: v1beta1.PipelineRunStatusFields{ PipelineSpec: &pipelineSpec, Provenance: &v1beta1.Provenance{ - ConfigSource: sampleConfigSource.DeepCopy(), + RefSource: sampleRefSource.DeepCopy(), }, }}, } @@ -273,7 +273,7 @@ func TestGetPipelineFuncSpecAlreadyFetched(t *testing.T) { } fn := resources.GetPipelineFunc(ctx, kubeclient, tektonclient, nil, pipelineRun) - actualPipeline, actualConfigSource, err := fn(ctx, name) + actualPipeline, actualRefSource, err := fn(ctx, name) if err != nil { t.Fatalf("failed to call pipelinefn: %s", err.Error()) } @@ -282,8 +282,8 @@ func TestGetPipelineFuncSpecAlreadyFetched(t *testing.T) { t.Error(diff) } - if d := cmp.Diff(sampleConfigSource, actualConfigSource); d != "" { - t.Errorf("configSources did not match: %s", diff.PrintWantGot(d)) + if d := cmp.Diff(sampleRefSource, actualRefSource); d != "" { + t.Errorf("refSources did not match: %s", diff.PrintWantGot(d)) } } @@ -314,7 +314,7 @@ func TestGetPipelineFunc_RemoteResolution(t *testing.T) { }} for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - resolved := test.NewResolvedResource([]byte(tc.pipelineYAML), nil /* annotations */, sampleConfigSource.DeepCopy(), nil /* data error */) + resolved := test.NewResolvedResource([]byte(tc.pipelineYAML), nil /* annotations */, sampleRefSource.DeepCopy(), nil /* data error */) requester := test.NewRequester(resolved, nil) fn := resources.GetPipelineFunc(ctx, nil, nil, requester, &v1beta1.PipelineRun{ ObjectMeta: metav1.ObjectMeta{Namespace: "default"}, @@ -324,7 +324,7 @@ func TestGetPipelineFunc_RemoteResolution(t *testing.T) { }, }) - resolvedPipeline, resolvedConfigSource, err := fn(ctx, pipelineRef.Name) + resolvedPipeline, resolvedRefSource, err := fn(ctx, pipelineRef.Name) if err != nil { t.Fatalf("failed to call pipelinefn: %s", err.Error()) } 
@@ -333,8 +333,8 @@ func TestGetPipelineFunc_RemoteResolution(t *testing.T) { t.Error(diff) } - if d := cmp.Diff(sampleConfigSource, resolvedConfigSource); d != "" { - t.Errorf("configsource did not match: %s", diff.PrintWantGot(d)) + if d := cmp.Diff(sampleRefSource, resolvedRefSource); d != "" { + t.Errorf("refSources did not match: %s", diff.PrintWantGot(d)) } }) } @@ -363,7 +363,7 @@ func TestGetPipelineFunc_RemoteResolution_ReplacedParams(t *testing.T) { pipelineYAMLString, }, "\n") - resolved := test.NewResolvedResource([]byte(pipelineYAML), nil, sampleConfigSource.DeepCopy(), nil) + resolved := test.NewResolvedResource([]byte(pipelineYAML), nil, sampleRefSource.DeepCopy(), nil) requester := &test.Requester{ ResolvedResource: resolved, Params: []v1beta1.Param{{ @@ -389,7 +389,7 @@ func TestGetPipelineFunc_RemoteResolution_ReplacedParams(t *testing.T) { }, }) - resolvedPipeline, resolvedConfigSource, err := fn(ctx, pipelineRef.Name) + resolvedPipeline, resolvedRefSource, err := fn(ctx, pipelineRef.Name) if err != nil { t.Fatalf("failed to call pipelinefn: %s", err.Error()) } @@ -398,8 +398,8 @@ func TestGetPipelineFunc_RemoteResolution_ReplacedParams(t *testing.T) { t.Error(diff) } - if d := cmp.Diff(sampleConfigSource, resolvedConfigSource); d != "" { - t.Errorf("configsource did not match: %s", diff.PrintWantGot(d)) + if d := cmp.Diff(sampleRefSource, resolvedRefSource); d != "" { + t.Errorf("refSources did not match: %s", diff.PrintWantGot(d)) } pipelineRefNotMatching := &v1beta1.PipelineRef{ 
@@ -472,14 +472,14 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { if err != nil { t.Fatal("fail to marshal pipeline", err) } - noMatchPolicySource := &v1beta1.ConfigSource{ + noMatchPolicyRefSource := &v1beta1.RefSource{ URI: "abc.com", Digest: map[string]string{ "sha1": "a123", }, EntryPoint: "foo/bar", } - resolvedUnmatched := test.NewResolvedResource(unsignedPipelineBytes, nil, noMatchPolicySource, nil) + resolvedUnmatched := test.NewResolvedResource(unsignedPipelineBytes, nil, noMatchPolicyRefSource, nil) requesterUnmatched := test.NewRequester(resolvedUnmatched, nil) signedPipeline, err := test.GetSignedPipeline(unsignedPipeline, signer, "signed") @@ -490,14 +490,14 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { if err != nil { t.Fatal("fail to marshal pipeline", err) } - matchPolicySource := &v1beta1.ConfigSource{ + matchPolicyRefSource := &v1beta1.RefSource{ URI: " https://github.com/tektoncd/catalog.git", Digest: map[string]string{ "sha1": "a123", }, EntryPoint: "foo/bar", } - resolvedMatched := test.NewResolvedResource(signedPipelineBytes, nil, matchPolicySource, nil) + resolvedMatched := test.NewResolvedResource(signedPipelineBytes, nil, matchPolicyRefSource, nil) requesterMatched := test.NewRequester(resolvedMatched, nil) pipelineRef := &v1beta1.PipelineRef{ @@ -525,7 +525,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { PipelineRunStatusFields: v1beta1.PipelineRunStatusFields{ PipelineSpec: &signedPipeline.Spec, Provenance: &v1beta1.Provenance{ - ConfigSource: &v1beta1.ConfigSource{ + RefSource: &v1beta1.RefSource{ URI: "abc.com", Digest: map[string]string{"sha1": "a123"}, EntryPoint: "foo/bar", 
@@ -542,7 +542,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { pipelinerun v1beta1.PipelineRun policies []*v1alpha1.VerificationPolicy expected runtime.Object - expectedSource *v1beta1.ConfigSource + expectedRefSource *v1beta1.RefSource }{{ name: "signed pipeline with matching policy pass verification with enforce no match policy", requester: requesterMatched, @@ -550,7 +550,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { pipelinerun: pr, policies: vps, expected: signedPipeline, - expectedSource: matchPolicySource, + expectedRefSource: matchPolicyRefSource, }, { name: "signed pipeline with matching policy pass verification with warn no match policy", requester: requesterMatched, @@ -558,7 +558,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { pipelinerun: pr, policies: vps, expected: signedPipeline, - expectedSource: matchPolicySource, + expectedRefSource: matchPolicyRefSource, }, { name: "signed pipeline with matching policy pass verification with ignore no match policy", requester: requesterMatched, @@ -566,7 +566,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { pipelinerun: pr, policies: vps, expected: signedPipeline, - expectedSource: matchPolicySource, + expectedRefSource: matchPolicyRefSource, }, { name: "warn unsigned pipeline without matching policies", requester: requesterUnmatched, @@ -574,7 +574,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { pipelinerun: pr, policies: vps, expected: unsignedPipeline, - expectedSource: noMatchPolicySource, + expectedRefSource: noMatchPolicyRefSource, }, { name: "ignore unsigned pipeline without matching policies", requester: requesterUnmatched, @@ -582,7 +582,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { pipelinerun: pr, policies: vps, expected: unsignedPipeline, - expectedSource: noMatchPolicySource, + expectedRefSource: noMatchPolicyRefSource, }, { name: "warn no policies", requester: requesterUnmatched, 
@@ -590,7 +590,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { pipelinerun: pr, policies: []*v1alpha1.VerificationPolicy{}, expected: unsignedPipeline, - expectedSource: noMatchPolicySource, + expectedRefSource: noMatchPolicyRefSource, }, { name: "ignore no policies", requester: requesterUnmatched, @@ -598,7 +598,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { pipelinerun: pr, policies: []*v1alpha1.VerificationPolicy{}, expected: unsignedPipeline, - expectedSource: noMatchPolicySource, + expectedRefSource: noMatchPolicyRefSource, }, { name: "signed pipeline in status no need to verify", requester: requesterMatched, @@ -612,7 +612,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { }, Spec: signedPipeline.Spec, }, - expectedSource: noMatchPolicySource, + expectedRefSource: noMatchPolicyRefSource, }, } for _, tc := range testcases { @@ -627,7 +627,7 @@ func TestGetVerifiedPipelineFunc_Success(t *testing.T) { if d := cmp.Diff(tc.expected, resolvedPipeline); d != "" { t.Errorf("resolvedPipeline did not match: %s", diff.PrintWantGot(d)) } - if d := cmp.Diff(tc.expectedSource, source); d != "" { + if d := cmp.Diff(tc.expectedRefSource, source); d != "" { t.Errorf("configSources did not match: %s", diff.PrintWantGot(d)) } }) @@ -644,7 +644,7 @@ func TestGetVerifiedPipelineFunc_VerifyError(t *testing.T) { if err != nil { t.Fatal("fail to marshal pipeline", err) } - matchPolicySource := &v1beta1.ConfigSource{ + matchPolicyRefSource := &v1beta1.RefSource{ URI: "https://github.com/tektoncd/catalog.git", Digest: map[string]string{ "sha1": "a123", 
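Review bot: In the `@@ -627,7 +627,7 @@` hunk of pipelineref_test.go, the comparison now uses `tc.expectedRefSource`, but the failure message on the next line still reads `configSources did not match` and the compared local is still called `source`. Finishing the rename keeps a failing run readable: `t.Errorf("refSources did not match: %s", diff.PrintWantGot(d))`. The other assertions updated in this file already use that wording.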
@@ -652,7 +652,7 @@ func TestGetVerifiedPipelineFunc_VerifyError(t *testing.T) { EntryPoint: "foo/bar", } - resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, matchPolicySource, nil) + resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, matchPolicyRefSource, nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) signedPipeline, err := test.GetSignedPipeline(unsignedPipeline, signer, "signed") @@ -664,14 +664,14 @@ func TestGetVerifiedPipelineFunc_VerifyError(t *testing.T) { t.Fatal("fail to marshal pipeline", err) } - noMatchPolicySource := &v1beta1.ConfigSource{ + noMatchPolicyRefSource := &v1beta1.RefSource{ URI: "abc.com", Digest: map[string]string{ "sha1": "a123", }, EntryPoint: "foo/bar", } - resolvedUnmatched := test.NewResolvedResource(signedPipelineBytes, nil, noMatchPolicySource, nil) + resolvedUnmatched := test.NewResolvedResource(signedPipelineBytes, nil, noMatchPolicyRefSource, nil) requesterUnmatched := test.NewRequester(resolvedUnmatched, nil) modifiedPipeline := signedPipeline.DeepCopy() @@ -680,7 +680,7 @@ func TestGetVerifiedPipelineFunc_VerifyError(t *testing.T) { if err != nil { t.Fatal("fail to marshal pipeline", err) } - resolvedModified := test.NewResolvedResource(modifiedPipelineBytes, nil, matchPolicySource, nil) + resolvedModified := test.NewResolvedResource(modifiedPipelineBytes, nil, matchPolicyRefSource, nil) requesterModified := test.NewRequester(resolvedModified, nil) pipelineRef := &v1beta1.PipelineRef{ResolverRef: v1beta1.ResolverRef{Resolver: "git"}} 
@@ -748,15 +748,15 @@ func TestGetVerifiedPipelineFunc_VerifyError(t *testing.T) { } fn := resources.GetVerifiedPipelineFunc(ctx, k8sclient, tektonclient, tc.requester, pr, vps) - resolvedPipeline, source, err := fn(ctx, pipelineRef.Name) + resolvedPipeline, resolvedRefSource, err := fn(ctx, pipelineRef.Name) if !errors.Is(err, tc.expectedErr) { t.Errorf("GetVerifiedPipelineFunc got %v, want %v", err, tc.expectedErr) } if d := cmp.Diff(resolvedPipeline, tc.expected); d != "" { t.Errorf("resolvedPipeline did not match: %s", diff.PrintWantGot(d)) } - if source != nil { - t.Errorf("got %v, but expected source is nil", source) + if resolvedRefSource != nil { + t.Errorf("got %v, but expected refSource is nil", resolvedRefSource) } }) } @@ -773,7 +773,7 @@ func TestGetVerifiedPipelineFunc_GetFuncError(t *testing.T) { t.Fatal("fail to marshal pipeline", err) } - resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, sampleConfigSource.DeepCopy(), nil) + resolvedUnsigned := test.NewResolvedResource(unsignedPipelineBytes, nil, sampleRefSource.DeepCopy(), nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) resolvedUnsigned.DataErr = fmt.Errorf("resolution error") diff --git a/pkg/reconciler/pipelinerun/resources/pipelinerunresolution.go b/pkg/reconciler/pipelinerun/resources/pipelinerunresolution.go index 7524c980600..7799d5add1f 100644 --- a/pkg/reconciler/pipelinerun/resources/pipelinerunresolution.go +++ b/pkg/reconciler/pipelinerun/resources/pipelinerunresolution.go 
@@ -705,8 +705,8 @@ func resolveTask( spec = *taskRun.Status.TaskSpec taskName = pipelineTask.TaskRef.Name } else { - // Following minimum status principle (TEP-0100), no need to propagate the source about PipelineTask up to PipelineRun status. - // Instead, the child TaskRun's status will be the place recording the source of individual task. + // Following minimum status principle (TEP-0100), no need to propagate the RefSource about PipelineTask up to PipelineRun status. + // Instead, the child TaskRun's status will be the place recording the RefSource of individual task. t, _, err = getTask(ctx, pipelineTask.TaskRef.Name) switch { case errors.Is(err, remote.ErrRequestInProgress): diff --git a/pkg/reconciler/pipelinerun/resources/pipelinerunresolution_test.go b/pkg/reconciler/pipelinerun/resources/pipelinerunresolution_test.go index e69a9e5d44d..b1b14f50048 100644 --- a/pkg/reconciler/pipelinerun/resources/pipelinerunresolution_test.go +++ b/pkg/reconciler/pipelinerun/resources/pipelinerunresolution_test.go @@ -47,7 +47,7 @@ import ( func nopGetRun(string) (v1beta1.RunObject, error) { return nil, errors.New("GetRun should not be called") } -func nopGetTask(context.Context, string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { +func nopGetTask(context.Context, string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return nil, nil, errors.New("GetTask should not be called") } func nopGetTaskRun(string) (*v1beta1.TaskRun, error) { @@ -1871,7 +1871,7 @@ func TestResolvePipelineRun_PipelineTaskHasNoResources(t *testing.T) { TaskRef: &v1beta1.TaskRef{Name: "task"}, }} - getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return task, nil, nil } getTaskRun := func(name string) (*v1beta1.TaskRun, error) { return &trs[0], nil } 
@@ -1921,7 +1921,7 @@ func TestResolvePipelineRun_TaskDoesntExist(t *testing.T) { }}} // Return an error when the Task is retrieved, as if it didn't exist - getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return nil, nil, kerrors.NewNotFound(v1beta1.Resource("task"), name) } getTaskRun := func(name string) (*v1beta1.TaskRun, error) { @@ -1962,7 +1962,7 @@ func TestResolvePipelineRun_VerificationFailed(t *testing.T) { }}, }}} - getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return nil, nil, trustedresources.ErrResourceVerificationFailed } getTaskRun := func(name string) (*v1beta1.TaskRun, error) { return nil, nil } @@ -2199,7 +2199,7 @@ func TestResolvePipeline_WhenExpressions(t *testing.T) { WhenExpressions: []v1beta1.WhenExpression{ptwe1}, } - getTask := func(_ context.Context, name string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + getTask := func(_ context.Context, name string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return task, nil, nil } pr := v1beta1.PipelineRun{ @@ -2232,7 +2232,7 @@ func TestIsCustomTask(t *testing.T) { Name: "pipelinerun", }, } - getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return task, nil, nil } getTaskRun := func(name string) (*v1beta1.TaskRun, error) { return nil, nil } 
@@ -2999,7 +2999,7 @@ func TestIsMatrixed(t *testing.T) { Name: "pipelinerun", }, } - getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return task, nil, nil } getTaskRun := func(name string) (*v1beta1.TaskRun, error) { return &trs[0], nil } @@ -3133,7 +3133,7 @@ func TestResolvePipelineRunTask_WithMatrix(t *testing.T) { }}}, } - getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return task, nil, nil } getTaskRun := func(name string) (*v1beta1.TaskRun, error) { return taskRunsMap[name], nil } @@ -3237,7 +3237,7 @@ func TestResolvePipelineRunTask_WithMatrixedCustomTask(t *testing.T) { }}}, }} - getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + getTask := func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return task, nil, nil } getTaskRun := func(name string) (*v1beta1.TaskRun, error) { return &trs[0], nil } diff --git a/pkg/reconciler/taskrun/resources/taskref.go b/pkg/reconciler/taskrun/resources/taskref.go index b8f343725c3..95c475a8a73 100644 --- a/pkg/reconciler/taskrun/resources/taskref.go +++ b/pkg/reconciler/taskrun/resources/taskref.go 
@@ -60,12 +60,12 @@ func GetTaskKind(taskrun *v1beta1.TaskRun) v1beta1.TaskKind { // a remote image to fetch the reference. It will also return the "kind" of the task being referenced. func GetTaskFuncFromTaskRun(ctx context.Context, k8s kubernetes.Interface, tekton clientset.Interface, requester remoteresource.Requester, taskrun *v1beta1.TaskRun, verificationpolicies []*v1alpha1.VerificationPolicy) GetTask { // if the spec is already in the status, do not try to fetch it again, just use it as source of truth. - // Same for the Source field in the Status.Provenance. + // Same for the RefSource field in the Status.Provenance. if taskrun.Status.TaskSpec != nil { - return func(_ context.Context, name string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { - var configsource *v1beta1.ConfigSource + return func(_ context.Context, name string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { + var refSource *v1beta1.RefSource if taskrun.Status.Provenance != nil { - configsource = taskrun.Status.Provenance.ConfigSource + refSource = taskrun.Status.Provenance.RefSource } return &v1beta1.Task{ ObjectMeta: metav1.ObjectMeta{ @@ -73,7 +73,7 @@ func GetTaskFuncFromTaskRun(ctx context.Context, k8s kubernetes.Interface, tekto Namespace: taskrun.Namespace, }, Spec: *taskrun.Status.TaskSpec, - }, configsource, nil + }, refSource, nil } } return GetVerifiedTaskFunc(ctx, k8s, tekton, requester, taskrun, taskrun.Spec.TaskRef, taskrun.Name, taskrun.Namespace, taskrun.Spec.ServiceAccountName, verificationpolicies) 
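Review bot: A TaskRun whose status was written before this rename, with only `Provenance.ConfigSource` populated, gets a nil source from the closure in GetTaskFuncFromTaskRun, because the closure now reads only `taskrun.Status.Provenance.RefSource`. storeTaskSpecAndMergeMeta in taskrun.go copies from `meta.RefSource` only, so such an in-flight run would presumably never have `RefSource` filled in, and consumers of the new provenance field would see nothing for it. A fallback inside the `Provenance != nil` branch keeps the transition release consistent: `if refSource == nil && taskrun.Status.Provenance.ConfigSource != nil { refSource = (*v1beta1.RefSource)(taskrun.Status.Provenance.ConfigSource) }`. This assumes the two types stay mutually convertible, as the conversion in taskrun.go suggests.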
@@ -85,16 +85,16 @@ func GetVerifiedTaskFunc(ctx context.Context, k8s kubernetes.Interface, tekton c owner kmeta.OwnerRefable, taskref *v1beta1.TaskRef, trName string, namespace, saName string, verificationpolicies []*v1alpha1.VerificationPolicy) GetTask { get := GetTaskFunc(ctx, k8s, tekton, requester, owner, taskref, trName, namespace, saName) - return func(context.Context, string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + return func(context.Context, string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { t, s, err := get(ctx, taskref.Name) if err != nil { return nil, nil, fmt.Errorf("failed to get task: %w", err) } - var source string + var refSource string if s != nil { - source = s.URI + refSource = s.URI } - if err := trustedresources.VerifyTask(ctx, t, k8s, source, verificationpolicies); err != nil { + if err := trustedresources.VerifyTask(ctx, t, k8s, refSource, verificationpolicies); err != nil { return nil, nil, fmt.Errorf("GetVerifiedTaskFunc failed: %w: %v", trustedresources.ErrResourceVerificationFailed, err) } return t, s, nil @@ -117,7 +117,7 @@ func GetTaskFunc(ctx context.Context, k8s kubernetes.Interface, tekton clientset case cfg.FeatureFlags.EnableTektonOCIBundles && tr != nil && tr.Bundle != "": // Return an inline function that implements GetTask by calling Resolver.Get with the specified task type and // casting it to a TaskObject. - return func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + return func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { // If there is a bundle url at all, construct an OCI resolver to fetch the task. kc, err := k8schain.New(ctx, k8s, k8schain.Options{ Namespace: namespace, 
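Review bot: The local renamed to `refSource` in GetVerifiedTaskFunc is a `string` holding `s.URI`, while everywhere else in this file `refSource` names a `*v1beta1.RefSource`. The new name hides that only the URI reaches `trustedresources.VerifyTask`. Naming it for what it holds reads better: `var refSourceURI string`, `refSourceURI = s.URI`, and `VerifyTask(ctx, t, k8s, refSourceURI, verificationpolicies)`. I would also add a comment on the `s != nil` guard, `// a nil RefSource reaches verification as an empty URI`, since that string is presumably what the verification policies are matched against.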
@@ -133,7 +133,7 @@ func GetTaskFunc(ctx context.Context, k8s kubernetes.Interface, tekton clientset case tr != nil && tr.Resolver != "" && requester != nil: // Return an inline function that implements GetTask by calling Resolver.Get with the specified task type and // casting it to a TaskObject. - return func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + return func(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { var replacedParams []v1beta1.Param if ownerAsTR, ok := owner.(*v1beta1.TaskRun); ok { stringReplacements, arrayReplacements := paramsFromTaskRun(ctx, ownerAsTR) @@ -166,10 +166,10 @@ func GetTaskFunc(ctx context.Context, k8s kubernetes.Interface, tekton clientset // fetch a task with given name. An error is returned if the // remoteresource doesn't work or the returned data isn't a valid // v1beta1.TaskObject. -func resolveTask(ctx context.Context, resolver remote.Resolver, name string, kind v1beta1.TaskKind, k8s kubernetes.Interface) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { +func resolveTask(ctx context.Context, resolver remote.Resolver, name string, kind v1beta1.TaskKind, k8s kubernetes.Interface) (v1beta1.TaskObject, *v1beta1.RefSource, error) { // Because the resolver will only return references with the same kind (eg ClusterTask), this will ensure we // don't accidentally return a Task with the same name but different kind. - obj, configSource, err := resolver.Get(ctx, strings.TrimSuffix(strings.ToLower(string(kind)), "s"), name) + obj, refSource, err := resolver.Get(ctx, strings.TrimSuffix(strings.ToLower(string(kind)), "s"), name) if err != nil { return nil, nil, err } 
@@ -177,7 +177,7 @@ func resolveTask(ctx context.Context, resolver remote.Resolver, name string, kin if err != nil { return nil, nil, fmt.Errorf("failed to convert obj %s into Task", obj.GetObjectKind().GroupVersionKind().String()) } - return taskObj, configSource, nil + return taskObj, refSource, nil } // readRuntimeObjectAsTask tries to convert a generic runtime.Object @@ -215,9 +215,9 @@ type LocalTaskRefResolver struct { // GetTask will resolve either a Task or ClusterTask from the local cluster using a versioned Tekton client. It will // return an error if it can't find an appropriate Task for any reason. -// TODO: if we want to set source for in-cluster task, set it here. +// TODO: if we want to set RefSource for in-cluster task, set it here. // https://github.com/tektoncd/pipeline/issues/5522 -func (l *LocalTaskRefResolver) GetTask(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { +func (l *LocalTaskRefResolver) GetTask(ctx context.Context, name string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { if l.Kind == v1beta1.ClusterTaskKind { task, err := l.Tektonclient.TektonV1beta1().ClusterTasks().Get(ctx, name, metav1.GetOptions{}) if err != nil { diff --git a/pkg/reconciler/taskrun/resources/taskref_test.go b/pkg/reconciler/taskrun/resources/taskref_test.go index a65191fc4d4..5b33b47db2a 100644 --- a/pkg/reconciler/taskrun/resources/taskref_test.go +++ b/pkg/reconciler/taskrun/resources/taskref_test.go @@ -76,7 +76,7 @@ var ( }}, }, } - sampleConfigSource = &v1beta1.ConfigSource{ + sampleRefSource = &v1beta1.RefSource{ URI: "abc.com", Digest: map[string]string{ "sha1": "a123", @@ -215,7 +215,7 @@ func TestLocalTaskRef(t *testing.T) { Tektonclient: tektonclient, } - task, configSource, err := lc.GetTask(ctx, tc.ref.Name) + task, refSource, err := lc.GetTask(ctx, tc.ref.Name) if tc.wantErr && err == nil { t.Fatal("Expected error but found nil instead") } else if !tc.wantErr && err != nil { 
@@ -226,9 +226,9 @@ func TestLocalTaskRef(t *testing.T) { t.Error(diff.PrintWantGot(d)) } - // local cluster tasks have empty source for now. This may be changed in future. - if configSource != nil { - t.Errorf("expected configsource is nil, but got %v", configSource) + // local cluster tasks have empty RefSource for now. This may be changed in future. + if refSource != nil { + t.Errorf("expected refSource is nil, but got %v", refSource) } }) } @@ -450,7 +450,7 @@ func TestGetTaskFunc(t *testing.T) { } fn := resources.GetTaskFunc(ctx, kubeclient, tektonclient, nil, trForFunc, tc.ref, "", "default", "default") - task, configSource, err := fn(ctx, tc.ref.Name) + task, refSource, err := fn(ctx, tc.ref.Name) if err != nil { t.Fatalf("failed to call taskfn: %s", err.Error()) } @@ -459,9 +459,9 @@ func TestGetTaskFunc(t *testing.T) { t.Error(diff) } - // local cluster task and bundle task have empty source for now. This may be changed in future. - if configSource != nil { - t.Errorf("expected configsource is nil, but got %v", configSource) + // local cluster task and bundle task have empty RefSource for now. This may be changed in future. + if refSource != nil { + t.Errorf("expected refSource is nil, but got %v", refSource) } }) } @@ -503,7 +503,7 @@ echo hello Status: v1beta1.TaskRunStatus{TaskRunStatusFields: v1beta1.TaskRunStatusFields{ TaskSpec: &TaskSpec, Provenance: &v1beta1.Provenance{ - ConfigSource: sampleConfigSource.DeepCopy(), + RefSource: sampleRefSource.DeepCopy(), }, }}, } @@ -517,7 +517,7 @@ echo hello fn := resources.GetTaskFuncFromTaskRun(ctx, kubeclient, tektonclient, nil, TaskRun, []*v1alpha1.VerificationPolicy{}) - actualTask, actualConfigSource, err := fn(ctx, name) + actualTask, actualRefSource, err := fn(ctx, name) if err != nil { t.Fatalf("failed to call Taskfn: %s", err.Error()) } 
@@ -526,8 +526,8 @@ echo hello t.Error(diff) } - if d := cmp.Diff(sampleConfigSource, actualConfigSource); d != "" { - t.Errorf("configSources did not match: %s", diff.PrintWantGot(d)) + if d := cmp.Diff(sampleRefSource, actualRefSource); d != "" { + t.Errorf("refSources did not match: %s", diff.PrintWantGot(d)) } } @@ -558,7 +558,7 @@ func TestGetTaskFunc_RemoteResolution(t *testing.T) { }} for _, tc := range testcases { t.Run(tc.name, func(t *testing.T) { - resolved := test.NewResolvedResource([]byte(tc.taskYAML), nil /* annotations */, sampleConfigSource.DeepCopy(), nil /* data error */) + resolved := test.NewResolvedResource([]byte(tc.taskYAML), nil /* annotations */, sampleRefSource.DeepCopy(), nil /* data error */) requester := test.NewRequester(resolved, nil) tr := &v1beta1.TaskRun{ ObjectMeta: metav1.ObjectMeta{Namespace: "default"}, @@ -569,13 +569,13 @@ func TestGetTaskFunc_RemoteResolution(t *testing.T) { } fn := resources.GetTaskFunc(ctx, nil, nil, requester, tr, tr.Spec.TaskRef, "", "default", "default") - resolvedTask, resolvedConfigSource, err := fn(ctx, taskRef.Name) + resolvedTask, resolvedRefSource, err := fn(ctx, taskRef.Name) if err != nil { t.Fatalf("failed to call pipelinefn: %s", err.Error()) } - if d := cmp.Diff(sampleConfigSource, resolvedConfigSource); d != "" { - t.Errorf("configSources did not match: %s", diff.PrintWantGot(d)) + if d := cmp.Diff(sampleRefSource, resolvedRefSource); d != "" { + t.Errorf("refSources did not match: %s", diff.PrintWantGot(d)) } if d := cmp.Diff(task, resolvedTask); d != "" { @@ -608,7 +608,7 @@ func TestGetTaskFunc_RemoteResolution_ReplacedParams(t *testing.T) { taskYAMLString, }, "\n") - resolved := test.NewResolvedResource([]byte(taskYAML), nil, sampleConfigSource.DeepCopy(), nil) + resolved := test.NewResolvedResource([]byte(taskYAML), nil, sampleRefSource.DeepCopy(), nil) requester := &test.Requester{ ResolvedResource: resolved, Params: []v1beta1.Param{{ 
@@ -635,7 +635,7 @@ func TestGetTaskFunc_RemoteResolution_ReplacedParams(t *testing.T) { } fn := resources.GetTaskFunc(ctx, nil, nil, requester, tr, tr.Spec.TaskRef, "", "default", "default") - resolvedTask, resolvedConfigSource, err := fn(ctx, taskRef.Name) + resolvedTask, resolvedRefSource, err := fn(ctx, taskRef.Name) if err != nil { t.Fatalf("failed to call pipelinefn: %s", err.Error()) } @@ -644,8 +644,8 @@ func TestGetTaskFunc_RemoteResolution_ReplacedParams(t *testing.T) { t.Errorf("resolvedTask did not match: %s", diff.PrintWantGot(d)) } - if d := cmp.Diff(sampleConfigSource, resolvedConfigSource); d != "" { - t.Errorf("configSources did not match: %s", diff.PrintWantGot(d)) + if d := cmp.Diff(sampleRefSource, resolvedRefSource); d != "" { + t.Errorf("refSources did not match: %s", diff.PrintWantGot(d)) } taskRefNotMatching := &v1beta1.TaskRef{ @@ -720,14 +720,14 @@ func TestGetVerifiedTaskFunc_Success(t *testing.T) { if err != nil { t.Fatal("fail to marshal task", err) } - noMatchPolicySource := &v1beta1.ConfigSource{ + noMatchPolicyRefSource := &v1beta1.RefSource{ URI: "abc.com", Digest: map[string]string{ "sha1": "a123", }, EntryPoint: "foo/bar", } - resolvedUnmatched := test.NewResolvedResource(unsignedTaskBytes, nil, noMatchPolicySource, nil) + resolvedUnmatched := test.NewResolvedResource(unsignedTaskBytes, nil, noMatchPolicyRefSource, nil) requesterUnmatched := test.NewRequester(resolvedUnmatched, nil) signedTask, err := test.GetSignedTask(unsignedTask, signer, "signed") 
@@ -738,14 +738,14 @@ func TestGetVerifiedTaskFunc_Success(t *testing.T) { if err != nil { t.Fatal("fail to marshal task", err) } - matchPolicySource := &v1beta1.ConfigSource{ + matchPolicyRefSource := &v1beta1.RefSource{ URI: " https://github.com/tektoncd/catalog.git", Digest: map[string]string{ "sha1": "a123", }, EntryPoint: "foo/bar", } - resolvedMatched := test.NewResolvedResource(signedTaskBytes, nil, matchPolicySource, nil) + resolvedMatched := test.NewResolvedResource(signedTaskBytes, nil, matchPolicyRefSource, nil) requesterMatched := test.NewRequester(resolvedMatched, nil) taskRef := &v1beta1.TaskRef{ResolverRef: v1beta1.ResolverRef{Resolver: "git"}} 
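Review bot: The `URI` on the context line under the renamed `matchPolicyRefSource` starts with a space (`" https://github.com/tektoncd/catalog.git"`), while TestGetVerifiedTaskFunc_VerifyError uses the same URI without it. If the space is unintended, the "matching policy" cases pass only because the policy pattern presumably matches anywhere in the string, so the test does not pin the source match it describes. I would drop it, `URI: "https://github.com/tektoncd/catalog.git",`, or add a comment saying the padding is deliberate. The test function starts and ends outside this hunk.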
@@ -756,56 +756,56 @@ func TestGetVerifiedTaskFunc_Success(t *testing.T) { verificationNoMatchPolicy string policies []*v1alpha1.VerificationPolicy expected runtime.Object - expectedSource *v1beta1.ConfigSource + expectedRefSource *v1beta1.RefSource }{{ name: "signed task with matching policy pass verification with enforce no match policy", requester: requesterMatched, verificationNoMatchPolicy: config.FailNoMatchPolicy, policies: vps, expected: signedTask, - expectedSource: matchPolicySource, + expectedRefSource: matchPolicyRefSource, }, { name: "signed task with matching policy pass verification with warn no match policy", requester: requesterMatched, verificationNoMatchPolicy: config.WarnNoMatchPolicy, policies: vps, expected: signedTask, - expectedSource: matchPolicySource, + expectedRefSource: matchPolicyRefSource, }, { name: "signed task with matching policy pass verification with ignore no match policy", requester: requesterMatched, verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, policies: vps, expected: signedTask, - expectedSource: matchPolicySource, + expectedRefSource: matchPolicyRefSource, }, { name: "warn unsigned task without matching policies", requester: requesterUnmatched, verificationNoMatchPolicy: config.WarnNoMatchPolicy, policies: vps, expected: unsignedTask, - expectedSource: noMatchPolicySource, + expectedRefSource: noMatchPolicyRefSource, }, { name: "allow unsigned task without matching policies", requester: requesterUnmatched, verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, policies: vps, expected: unsignedTask, - expectedSource: noMatchPolicySource, + expectedRefSource: noMatchPolicyRefSource, }, { name: "warn no policies", requester: requesterUnmatched, verificationNoMatchPolicy: config.WarnNoMatchPolicy, policies: []*v1alpha1.VerificationPolicy{}, expected: unsignedTask, - expectedSource: noMatchPolicySource, + expectedRefSource: noMatchPolicyRefSource, }, { name: "allow no policies", requester: requesterUnmatched, 
verificationNoMatchPolicy: config.IgnoreNoMatchPolicy, policies: []*v1alpha1.VerificationPolicy{}, expected: unsignedTask, - expectedSource: noMatchPolicySource, + expectedRefSource: noMatchPolicyRefSource, }, } for _, tc := range testcases { @@ -820,7 +820,7 @@ func TestGetVerifiedTaskFunc_Success(t *testing.T) { } fn := resources.GetVerifiedTaskFunc(ctx, k8sclient, tektonclient, tc.requester, tr, tr.Spec.TaskRef, "", "default", "default", tc.policies) - resolvedTask, source, err := fn(ctx, taskRef.Name) + resolvedTask, refSource, err := fn(ctx, taskRef.Name) if err != nil { t.Fatalf("Received unexpected error ( %#v )", err) @@ -830,7 +830,7 @@ func TestGetVerifiedTaskFunc_Success(t *testing.T) { t.Errorf("resolvedTask did not match: %s", diff.PrintWantGot(d)) } - if d := cmp.Diff(tc.expectedSource, source); d != "" { + if d := cmp.Diff(tc.expectedRefSource, refSource); d != "" { t.Errorf("configSources did not match: %s", diff.PrintWantGot(d)) } }) @@ -847,7 +847,7 @@ func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) { if err != nil { t.Fatal("fail to marshal task", err) } - matchPolicySource := &v1beta1.ConfigSource{ + matchPolicyRefSource := &v1beta1.RefSource{ URI: "https://github.com/tektoncd/catalog.git", Digest: map[string]string{ "sha1": "a123", @@ -855,7 +855,7 @@ func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) { EntryPoint: "foo/bar", } - resolvedUnsigned := test.NewResolvedResource(unsignedTaskBytes, nil, matchPolicySource, nil) + resolvedUnsigned := test.NewResolvedResource(unsignedTaskBytes, nil, matchPolicyRefSource, nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) signedTask, err := test.GetSignedTask(unsignedTask, signer, "signed") 
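Review bot: The failure message in the `@@ -830,7 +830,7 @@` hunk still reads `configSources did not match`, although the comparison is now between `tc.expectedRefSource` and `refSource`. The sibling tests in this file were switched to `refSources`. Suggest `t.Errorf("refSources did not match: %s", diff.PrintWantGot(d))` so a failing run names the field actually compared.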
@@ -867,14 +867,14 @@ func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) { t.Fatal("fail to marshal task", err) } - noMatchPolicySource := &v1beta1.ConfigSource{ + noMatchPolicyRefSource := &v1beta1.RefSource{ URI: "abc.com", Digest: map[string]string{ "sha1": "a123", }, EntryPoint: "foo/bar", } - resolvedUnmatched := test.NewResolvedResource(signedTaskBytes, nil, noMatchPolicySource, nil) + resolvedUnmatched := test.NewResolvedResource(signedTaskBytes, nil, noMatchPolicyRefSource, nil) requesterUnmatched := test.NewRequester(resolvedUnmatched, nil) modifiedTask := signedTask.DeepCopy() @@ -883,7 +883,7 @@ func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) { if err != nil { t.Fatal("fail to marshal task", err) } - resolvedModified := test.NewResolvedResource(modifiedTaskBytes, nil, matchPolicySource, nil) + resolvedModified := test.NewResolvedResource(modifiedTaskBytes, nil, matchPolicyRefSource, nil) requesterModified := test.NewRequester(resolvedModified, nil) taskRef := &v1beta1.TaskRef{ResolverRef: v1beta1.ResolverRef{Resolver: "git"}} @@ -950,7 +950,7 @@ func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) { } fn := resources.GetVerifiedTaskFunc(ctx, k8sclient, tektonclient, tc.requester, tr, tr.Spec.TaskRef, "", "default", "default", vps) - resolvedTask, source, err := fn(ctx, taskRef.Name) + resolvedTask, resolvedRefSource, err := fn(ctx, taskRef.Name) if !errors.Is(err, tc.expectedErr) { t.Errorf("GetVerifiedTaskFunc got %v but want %v", err, tc.expectedErr) @@ -960,8 +960,8 @@ func TestGetVerifiedTaskFunc_VerifyError(t *testing.T) { t.Errorf("resolvedTask did not match: %s", diff.PrintWantGot(d)) } - if source != nil { - t.Errorf("source is: %v but want is nil", source) + if resolvedRefSource != nil { + t.Errorf("refSource is: %v but want is nil", resolvedRefSource) } }) } 
@@ -978,7 +978,7 @@ func TestGetVerifiedTaskFunc_GetFuncError(t *testing.T) { t.Fatal("fail to marshal task", err) } - resolvedUnsigned := test.NewResolvedResource(unsignedTaskBytes, nil, sampleConfigSource.DeepCopy(), nil) + resolvedUnsigned := test.NewResolvedResource(unsignedTaskBytes, nil, sampleRefSource.DeepCopy(), nil) requesterUnsigned := test.NewRequester(resolvedUnsigned, nil) resolvedUnsigned.DataErr = fmt.Errorf("resolution error") diff --git a/pkg/reconciler/taskrun/resources/taskspec.go b/pkg/reconciler/taskrun/resources/taskspec.go index 3b5653f9ff8..bd593f62426 100644 --- a/pkg/reconciler/taskrun/resources/taskspec.go +++ b/pkg/reconciler/taskrun/resources/taskspec.go @@ -35,7 +35,7 @@ type ResolvedTask struct { } // GetTask is a function used to retrieve Tasks. -type GetTask func(context.Context, string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) +type GetTask func(context.Context, string) (v1beta1.TaskObject, *v1beta1.RefSource, error) // GetTaskRun is a function used to retrieve TaskRuns type GetTaskRun func(string) (*v1beta1.TaskRun, error) @@ -45,7 +45,7 @@ type GetTaskRun func(string) (*v1beta1.TaskRun, error) // metadata and embedded TaskSpec. func GetTaskData(ctx context.Context, taskRun *v1beta1.TaskRun, getTask GetTask) (*resolutionutil.ResolvedObjectMeta, *v1beta1.TaskSpec, error) { taskMeta := metav1.ObjectMeta{} - var configSource *v1beta1.ConfigSource + var refSource *v1beta1.RefSource taskSpec := v1beta1.TaskSpec{} switch { case taskRun.Spec.TaskRef != nil && taskRun.Spec.TaskRef.Name != "": 
@@ -56,11 +56,11 @@ func GetTaskData(ctx context.Context, taskRun *v1beta1.TaskRun, getTask GetTask) } taskMeta = t.TaskMetadata() taskSpec = t.TaskSpec() - configSource = source + refSource = source case taskRun.Spec.TaskSpec != nil: taskMeta = taskRun.ObjectMeta taskSpec = *taskRun.Spec.TaskSpec - // TODO: if we want to set source for embedded taskspec, set it here. + // TODO: if we want to set RefSource for embedded taskspec, set it here. // https://github.com/tektoncd/pipeline/issues/5522 case taskRun.Spec.TaskRef != nil && taskRun.Spec.TaskRef.Resolver != "": task, source, err := getTask(ctx, taskRun.Name) @@ -73,14 +73,14 @@ func GetTaskData(ctx context.Context, taskRun *v1beta1.TaskRun, getTask GetTask) taskMeta = task.TaskMetadata() taskSpec = task.TaskSpec() } - configSource = source + refSource = source default: return nil, nil, fmt.Errorf("taskRun %s not providing TaskRef or TaskSpec", taskRun.Name) } taskSpec.SetDefaults(ctx) return &resolutionutil.ResolvedObjectMeta{ - ObjectMeta: &taskMeta, - ConfigSource: configSource, + ObjectMeta: &taskMeta, + RefSource: refSource, }, &taskSpec, nil } diff --git a/pkg/reconciler/taskrun/resources/taskspec_test.go b/pkg/reconciler/taskrun/resources/taskspec_test.go index 0b4e22cd1f6..e04ea7a8b9a 100644 --- a/pkg/reconciler/taskrun/resources/taskspec_test.go +++ b/pkg/reconciler/taskrun/resources/taskspec_test.go @@ -28,7 +28,7 @@ import ( ) var ( - sampleConfigSource = &v1beta1.ConfigSource{ + sampleRefSource = &v1beta1.RefSource{ URI: "abc.com", Digest: map[string]string{ "sha1": "a123", @@ -59,8 +59,8 @@ func TestGetTaskSpec_Ref(t *testing.T) { }, } - gt := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { - return task, sampleConfigSource.DeepCopy(), nil + gt := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { + return task, sampleRefSource.DeepCopy(), nil } resolvedObjectMeta, taskSpec, err := GetTaskData(context.Background(), tr, gt) 
@@ -75,8 +75,8 @@ func TestGetTaskSpec_Ref(t *testing.T) { if len(taskSpec.Steps) != 1 || taskSpec.Steps[0].Name != "step1" { t.Errorf("Task Spec not resolved as expected, expected referenced Task spec but got: %v", taskSpec) } - if d := cmp.Diff(sampleConfigSource, resolvedObjectMeta.ConfigSource); d != "" { - t.Errorf("configsource did not match: %s", diff.PrintWantGot(d)) + if d := cmp.Diff(sampleRefSource, resolvedObjectMeta.RefSource); d != "" { + t.Errorf("refSource did not match: %s", diff.PrintWantGot(d)) } } @@ -93,7 +93,7 @@ func TestGetTaskSpec_Embedded(t *testing.T) { }, }, } - gt := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + gt := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return nil, nil, errors.New("shouldn't be called") } resolvedObjectMeta, taskSpec, err := GetTaskData(context.Background(), tr, gt) @@ -110,9 +110,9 @@ func TestGetTaskSpec_Embedded(t *testing.T) { t.Errorf("Task Spec not resolved as expected, expected embedded Task spec but got: %v", taskSpec) } - // embedded tasks have empty source for now. This may be changed in future. - if resolvedObjectMeta.ConfigSource != nil { - t.Errorf("resolved configsource for embedded task is expected to be empty, but got %v", resolvedObjectMeta.ConfigSource) + // embedded tasks have empty RefSource for now. This may be changed in future. + if resolvedObjectMeta.RefSource != nil { + t.Errorf("resolved refSource for embedded task is expected to be empty, but got %v", resolvedObjectMeta.RefSource) } } @@ -122,7 +122,7 @@ func TestGetTaskSpec_Invalid(t *testing.T) { Name: "mytaskrun", }, } - gt := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + gt := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return nil, nil, errors.New("shouldn't be called") } _, _, err := GetTaskData(context.Background(), tr, gt) 
@@ -142,7 +142,7 @@ func TestGetTaskSpec_Error(t *testing.T) { }, }, } - gt := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + gt := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return nil, nil, errors.New("something went wrong") } _, _, err := GetTaskData(context.Background(), tr, gt) @@ -182,11 +182,11 @@ func TestGetTaskData_ResolutionSuccess(t *testing.T) { }}, } - getTask := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + getTask := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return &v1beta1.Task{ ObjectMeta: *sourceMeta.DeepCopy(), Spec: *sourceSpec.DeepCopy(), - }, sampleConfigSource.DeepCopy(), nil + }, sampleRefSource.DeepCopy(), nil } ctx := context.Background() resolvedMeta, resolvedSpec, err := GetTaskData(ctx, tr, getTask) @@ -197,8 +197,8 @@ func TestGetTaskData_ResolutionSuccess(t *testing.T) { t.Errorf("Expected name %q but resolved to %q", sourceMeta.Name, resolvedMeta.Name) } - if d := cmp.Diff(sampleConfigSource, resolvedMeta.ConfigSource); d != "" { - t.Errorf("configsource did not match: %s", diff.PrintWantGot(d)) + if d := cmp.Diff(sampleRefSource, resolvedMeta.RefSource); d != "" { + t.Errorf("refSource did not match: %s", diff.PrintWantGot(d)) } if d := cmp.Diff(sourceSpec, *resolvedSpec); d != "" { @@ -219,7 +219,7 @@ func TestGetPipelineData_ResolutionError(t *testing.T) { }, }, } - getTask := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + getTask := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return nil, nil, errors.New("something went wrong") } ctx := context.Background() 
@@ -242,7 +242,7 @@ func TestGetTaskData_ResolvedNilTask(t *testing.T) { }, }, } - getTask := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.ConfigSource, error) { + getTask := func(ctx context.Context, n string) (v1beta1.TaskObject, *v1beta1.RefSource, error) { return nil, nil, nil } ctx := context.Background() diff --git a/pkg/reconciler/taskrun/taskrun.go b/pkg/reconciler/taskrun/taskrun.go index 27828cda433..e66d3e9bfe9 100644 --- a/pkg/reconciler/taskrun/taskrun.go +++ b/pkg/reconciler/taskrun/taskrun.go @@ -891,10 +891,13 @@ func storeTaskSpecAndMergeMeta(ctx context.Context, tr *v1beta1.TaskRun, ts *v1b } // Store FeatureFlags in the Provenance. tr.Status.Provenance.FeatureFlags = cfg.FeatureFlags - // Propagate ConfigSource from remote resolution to TaskRun Status - // This lives outside of the status.spec check to avoid the case where only the spec is available in the first reconcile and source comes in next reconcile. - if meta != nil && meta.ConfigSource != nil && tr.Status.Provenance.ConfigSource == nil { - tr.Status.Provenance.ConfigSource = meta.ConfigSource + // Propagate RefSource from remote resolution to TaskRun Status + // This lives outside of the status.spec check to avoid the case where only the spec is available in the first reconcile and refSource comes in next reconcile. + if meta != nil && meta.RefSource != nil && tr.Status.Provenance.RefSource == nil { + tr.Status.Provenance.RefSource = meta.RefSource + } + if meta != nil && meta.RefSource != nil && tr.Status.Provenance.ConfigSource == nil { + tr.Status.Provenance.ConfigSource = (*v1beta1.ConfigSource)(meta.RefSource) } } diff --git a/pkg/reconciler/taskrun/taskrun_test.go b/pkg/reconciler/taskrun/taskrun_test.go index bc71a4c2fb2..270c14f1ae6 100644 --- a/pkg/reconciler/taskrun/taskrun_test.go +++ b/pkg/reconciler/taskrun/taskrun_test.go 
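Review bot: Both new assignments in storeTaskSpecAndMergeMeta store the same `meta.RefSource` pointer, so `Status.Provenance.RefSource` and the deprecated `ConfigSource` alias one struct (and its `Digest` map) that the resolved metadata also still holds. A later write through any of them changes the recorded provenance in the others. The expectation in taskrun_test.go builds each field from its own `refSource.DeepCopy()`, and an equality diff cannot tell that apart from aliasing. Copying at the boundary avoids it: `tr.Status.Provenance.RefSource = meta.RefSource.DeepCopy()` and `tr.Status.Provenance.ConfigSource = (*v1beta1.ConfigSource)(meta.RefSource.DeepCopy())`. A comment on the second block saying it exists only for the transition release would help whoever removes it. The function body starts outside the hunk.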
@@ -3741,7 +3741,7 @@ status: } } -func Test_storeTaskSpecAndConfigSource(t *testing.T) { +func Test_storeTaskSpecAndRefSource(t *testing.T) { tr := parse.MustParseV1beta1TaskRun(t, ` metadata: annotations: @@ -3754,7 +3754,7 @@ spec: name: foo-task `) - configSource := &v1beta1.ConfigSource{ + refSource := &v1beta1.RefSource{ URI: "https://abc.com.git", Digest: map[string]string{ "sha1": "xyz", @@ -3774,7 +3774,8 @@ spec: TaskRunStatusFields: v1beta1.TaskRunStatusFields{ TaskSpec: ts.DeepCopy(), Provenance: &v1beta1.Provenance{ - ConfigSource: configSource.DeepCopy(), + RefSource: refSource.DeepCopy(), + ConfigSource: (*v1beta1.ConfigSource)(refSource.DeepCopy()), FeatureFlags: &config.FeatureFlags{ RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars, EnableAPIFields: config.DefaultEnableAPIFields, @@ -3802,12 +3803,12 @@ spec: wantTaskRun *v1beta1.TaskRun }{ { - name: "spec and source are available in the same reconcile", + name: "spec and refSource are available in the same reconcile", reconcile1Args: &args{ taskSpec: &ts, resolvedObjectMeta: &resolutionutil.ResolvedObjectMeta{ - ObjectMeta: &tr.ObjectMeta, - ConfigSource: configSource.DeepCopy(), + ObjectMeta: &tr.ObjectMeta, + RefSource: refSource.DeepCopy(), }, }, reconcile2Args: &args{ @@ -3817,7 +3818,7 @@ spec: wantTaskRun: want, }, { - name: "spec comes in the first reconcile and source comes in next reconcile", + name: "spec comes in the first reconcile and refSource comes in next reconcile", reconcile1Args: &args{ taskSpec: &ts, resolvedObjectMeta: &resolutionutil.ResolvedObjectMeta{ @@ -3827,7 +3828,7 @@ spec: reconcile2Args: &args{ taskSpec: &ts, resolvedObjectMeta: &resolutionutil.ResolvedObjectMeta{ - ConfigSource: configSource.DeepCopy(), + RefSource: refSource.DeepCopy(), }, }, wantTaskRun: want, diff --git a/pkg/remote/oci/resolver.go b/pkg/remote/oci/resolver.go index d55f4a88d1f..a8c53e2019e 100644 --- a/pkg/remote/oci/resolver.go +++ b/pkg/remote/oci/resolver.go 
@@ -89,7 +89,7 @@ func (o *Resolver) List(ctx context.Context) ([]remote.ResolvedObject, error) { } // Get retrieves a specific object with the given Kind and name -func (o *Resolver) Get(ctx context.Context, kind, name string) (runtime.Object, *v1beta1.ConfigSource, error) { +func (o *Resolver) Get(ctx context.Context, kind, name string) (runtime.Object, *v1beta1.RefSource, error) { timeoutCtx, cancel := context.WithTimeout(ctx, o.timeout) defer cancel() img, err := o.retrieveImage(timeoutCtx) diff --git a/pkg/remote/oci/resolver_test.go b/pkg/remote/oci/resolver_test.go index a2d3e89c6cf..d2325b59828 100644 --- a/pkg/remote/oci/resolver_test.go +++ b/pkg/remote/oci/resolver_test.go @@ -203,7 +203,7 @@ func TestOCIResolver(t *testing.T) { } for _, obj := range tc.objs { - actual, source, err := resolver.Get(context.Background(), strings.ToLower(obj.GetObjectKind().GroupVersionKind().Kind), test.GetObjectName(obj)) + actual, refSource, err := resolver.Get(context.Background(), strings.ToLower(obj.GetObjectKind().GroupVersionKind().Kind), test.GetObjectName(obj)) if err != nil { t.Fatalf("could not retrieve object from image: %#v", err) } @@ -212,8 +212,8 @@ func TestOCIResolver(t *testing.T) { t.Error(diff.PrintWantGot(d)) } - if source != nil { - t.Errorf("expected source is nil, but received %v", source) + if refSource != nil { + t.Errorf("expected refSource is nil, but received %v", refSource) } } }) diff --git a/pkg/remote/resolution/resolver.go b/pkg/remote/resolution/resolver.go index 925f735864e..31f0edf1c79 100644 --- a/pkg/remote/resolution/resolver.go +++ b/pkg/remote/resolution/resolver.go 
@@ -56,7 +56,7 @@ func NewResolver(requester remoteresource.Requester, owner kmeta.OwnerRefable, r } // Get implements remote.Resolver. -func (resolver *Resolver) Get(ctx context.Context, _, _ string) (runtime.Object, *v1beta1.ConfigSource, error) { +func (resolver *Resolver) Get(ctx context.Context, _, _ string) (runtime.Object, *v1beta1.RefSource, error) { resolverName := remoteresource.ResolverName(resolver.resolverName) req, err := buildRequest(resolver.resolverName, resolver.owner, resolver.targetName, resolver.targetNamespace, resolver.params) if err != nil { @@ -80,7 +80,7 @@ func (resolver *Resolver) Get(ctx context.Context, _, _ string) (runtime.Object, if err != nil { return nil, nil, &InvalidRuntimeObjectError{original: err} } - return obj, resolved.Source(), nil + return obj, resolved.RefSource(), nil } // List implements remote.Resolver but is unused for remote resolution. diff --git a/pkg/remote/resolution/resolver_test.go b/pkg/remote/resolution/resolver_test.go index 7a3be3472ec..8e900ba50ea 100644 --- a/pkg/remote/resolution/resolver_test.go +++ b/pkg/remote/resolution/resolver_test.go @@ -122,12 +122,12 @@ func TestGet_Errors(t *testing.T) { ResolvedResource: tc.resolvedResource, } resolver := NewResolver(requester, owner, "git", "", "", nil) - obj, source, err := resolver.Get(ctx, "foo", "bar") + obj, refSource, err := resolver.Get(ctx, "foo", "bar") if obj != nil { t.Errorf("received unexpected resolved resource") } - if source != nil { - t.Errorf("expected source is nil, but received %v", source) + if refSource != nil { + t.Errorf("expected refSource is nil, but received %v", refSource) } if !errors.Is(err, tc.expectedGetErr) { t.Fatalf("expected %v received %v", tc.expectedGetErr, err) diff --git a/pkg/remote/resolver.go b/pkg/remote/resolver.go index 8f706f565f8..4bfa14cf34c 100644 --- a/pkg/remote/resolver.go +++ b/pkg/remote/resolver.go 
@@ -29,8 +29,8 @@ type ResolvedObject struct { // Resolver defines a generic API to retrieve Tekton resources from remote locations. It allows 2 principle operations: // - List: retrieve a flat set of Tekton objects in this remote location -// - Get: retrieves a specific object with the given Kind and name, and the source identifying where the resource came from. +// - Get: retrieves a specific object with the given Kind and name, and the refSource identifying where the resource came from. type Resolver interface { List(ctx context.Context) ([]ResolvedObject, error) - Get(ctx context.Context, kind, name string) (runtime.Object, *v1beta1.ConfigSource, error) + Get(ctx context.Context, kind, name string) (runtime.Object, *v1beta1.RefSource, error) } diff --git a/pkg/resolution/resolver/bundle/bundle.go b/pkg/resolution/resolver/bundle/bundle.go index ea23787587a..556ccb30f4a 100644 --- a/pkg/resolution/resolver/bundle/bundle.go +++ b/pkg/resolution/resolver/bundle/bundle.go @@ -47,7 +47,7 @@ type RequestOptions struct { type ResolvedResource struct { data []byte annotations map[string]string - source *pipelinev1beta1.ConfigSource + source *pipelinev1beta1.RefSource } var _ framework.ResolvedResource = &ResolvedResource{} @@ -63,9 +63,9 @@ func (br *ResolvedResource) Annotations() map[string]string { return br.annotations } -// Source is the source reference of the remote data that records where the remote +// RefSource is the source reference of the remote data that records where the remote // file came from including the url, digest and the entrypoint. -func (br *ResolvedResource) Source() *pipelinev1beta1.ConfigSource { +func (br *ResolvedResource) RefSource() *pipelinev1beta1.RefSource { return br.source } 
@@ -122,7 +122,7 @@ func GetEntry(ctx context.Context, keychain authn.Keychain, opts RequestOptions) ResolverAnnotationName: lName, ResolverAnnotationAPIVersion: l.Annotations[BundleAnnotationAPIVersion], }, - source: &v1beta1.ConfigSource{ + source: &v1beta1.RefSource{ URI: uri, Digest: map[string]string{ h.Algorithm: h.Hex, diff --git a/pkg/resolution/resolver/bundle/resolver_test.go b/pkg/resolution/resolver/bundle/resolver_test.go index b950dd27872..4410f5f6b51 100644 --- a/pkg/resolution/resolver/bundle/resolver_test.go +++ b/pkg/resolution/resolver/bundle/resolver_test.go @@ -441,13 +441,14 @@ func TestResolve(t *testing.T) { expectedStatus.Annotations[ResolverAnnotationName] = tc.args.name expectedStatus.Annotations[ResolverAnnotationAPIVersion] = "v1beta1" - expectedStatus.Source = &pipelinev1beta1.ConfigSource{ + expectedStatus.RefSource = &pipelinev1beta1.RefSource{ URI: testImages[tc.imageName].uri, Digest: map[string]string{ testImages[tc.imageName].algo: testImages[tc.imageName].hex, }, EntryPoint: tc.args.name, } + expectedStatus.Source = (*pipelinev1beta1.ConfigSource)(expectedStatus.RefSource) } else { expectedError = createError(tc.args.bundle, tc.expectedErrMessage) expectedStatus.Status.Conditions[0].Message = expectedError.Error() diff --git a/pkg/resolution/resolver/cluster/resolver.go b/pkg/resolution/resolver/cluster/resolver.go index 634f5c83b95..08f295adc6a 100644 --- a/pkg/resolution/resolver/cluster/resolver.go +++ b/pkg/resolution/resolver/cluster/resolver.go 
@@ -207,14 +207,14 @@ func (r *ResolvedClusterResource) Annotations() map[string]string { } } -// Source is the source reference of the remote data that records where the remote +// RefSource is the source reference of the remote data that records where the remote // file came from including the url, digest and the entrypoint. -func (r ResolvedClusterResource) Source() *pipelinev1beta1.ConfigSource { +func (r ResolvedClusterResource) RefSource() *pipelinev1beta1.RefSource { h := sha256.New() h.Write(r.Spec) sha256CheckSum := hex.EncodeToString(h.Sum(nil)) - return &pipelinev1beta1.ConfigSource{ + return &pipelinev1beta1.RefSource{ URI: r.Identifier, Digest: map[string]string{ "sha256": sha256CheckSum, diff --git a/pkg/resolution/resolver/cluster/resolver_test.go b/pkg/resolution/resolver/cluster/resolver_test.go index 7518f8874d7..aabf1172c65 100644 --- a/pkg/resolution/resolver/cluster/resolver_test.go +++ b/pkg/resolution/resolver/cluster/resolver_test.go @@ -263,6 +263,12 @@ func TestResolve(t *testing.T) { Status: duckv1.Status{}, ResolutionRequestStatusFields: v1beta1.ResolutionRequestStatusFields{ Data: base64.StdEncoding.Strict().EncodeToString(taskAsYAML), + RefSource: &pipelinev1beta1.RefSource{ + URI: "/apis/tekton.dev/v1beta1/namespaces/task-ns/task/example-task@a123", + Digest: map[string]string{ + "sha256": sha256CheckSum(taskSpec), + }, + }, Source: &pipelinev1beta1.ConfigSource{ URI: "/apis/tekton.dev/v1beta1/namespaces/task-ns/task/example-task@a123", Digest: map[string]string{ 
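Review bot: `RefSource` on `ResolvedClusterResource` (pkg/resolution/resolver/cluster/resolver.go) has a value receiver, while `Annotations`, named in the hunk header, uses a pointer receiver, so the type ends up with a mixed method set. Unless some caller relies on invoking it on a plain value, I would write `func (r *ResolvedClusterResource) RefSource() *pipelinev1beta1.RefSource {`. The three hashing lines can also be reduced to `sum := sha256.Sum256(r.Spec)` followed by `hex.EncodeToString(sum[:])`; the hub resolver's `RefSource` uses the same pattern. The function body continues past the end of the hunk.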
@@ -280,6 +286,12 @@ func TestResolve(t *testing.T) { Status: duckv1.Status{}, ResolutionRequestStatusFields: v1beta1.ResolutionRequestStatusFields{ Data: base64.StdEncoding.Strict().EncodeToString(pipelineAsYAML), + RefSource: &pipelinev1beta1.RefSource{ + URI: "/apis/tekton.dev/v1beta1/namespaces/pipeline-ns/pipeline/example-pipeline@b123", + Digest: map[string]string{ + "sha256": sha256CheckSum(pipelineSpec), + }, + }, Source: &pipelinev1beta1.ConfigSource{ URI: "/apis/tekton.dev/v1beta1/namespaces/pipeline-ns/pipeline/example-pipeline@b123", Digest: map[string]string{ @@ -296,6 +308,12 @@ func TestResolve(t *testing.T) { Status: duckv1.Status{}, ResolutionRequestStatusFields: v1beta1.ResolutionRequestStatusFields{ Data: base64.StdEncoding.Strict().EncodeToString(pipelineAsYAML), + RefSource: &pipelinev1beta1.RefSource{ + URI: "/apis/tekton.dev/v1beta1/namespaces/pipeline-ns/pipeline/example-pipeline@b123", + Digest: map[string]string{ + "sha256": sha256CheckSum(pipelineSpec), + }, + }, Source: &pipelinev1beta1.ConfigSource{ URI: "/apis/tekton.dev/v1beta1/namespaces/pipeline-ns/pipeline/example-pipeline@b123", Digest: map[string]string{ @@ -312,6 +330,12 @@ func TestResolve(t *testing.T) { Status: duckv1.Status{}, ResolutionRequestStatusFields: v1beta1.ResolutionRequestStatusFields{ Data: base64.StdEncoding.Strict().EncodeToString(taskAsYAML), + RefSource: &pipelinev1beta1.RefSource{ + URI: "/apis/tekton.dev/v1beta1/namespaces/task-ns/task/example-task@a123", + Digest: map[string]string{ + "sha256": sha256CheckSum(taskSpec), + }, + }, Source: &pipelinev1beta1.ConfigSource{ URI: "/apis/tekton.dev/v1beta1/namespaces/task-ns/task/example-task@a123", Digest: map[string]string{ diff --git a/pkg/resolution/resolver/framework/fakeresolver.go b/pkg/resolution/resolver/framework/fakeresolver.go index f8fc4cd58ad..f8e6039f22e 100644 --- a/pkg/resolution/resolver/framework/fakeresolver.go +++ b/pkg/resolution/resolver/framework/fakeresolver.go 
@@ -50,7 +50,7 @@ var _ Resolver = &FakeResolver{} type FakeResolvedResource struct { Content string AnnotationMap map[string]string - ContentSource *pipelinev1beta1.ConfigSource + ContentSource *pipelinev1beta1.RefSource ErrorWith string WaitFor time.Duration } @@ -65,9 +65,9 @@ func (f *FakeResolvedResource) Annotations() map[string]string { return f.AnnotationMap } -// Source is the source reference of the remote data that records where the remote +// RefSource is the source reference of the remote data that records where the remote // file came from including the url, digest and the entrypoint. -func (f *FakeResolvedResource) Source() *pipelinev1beta1.ConfigSource { +func (f *FakeResolvedResource) RefSource() *pipelinev1beta1.RefSource { return f.ContentSource } diff --git a/pkg/resolution/resolver/framework/interface.go b/pkg/resolution/resolver/framework/interface.go index 979ec54bee5..7a5faa8e7dd 100644 --- a/pkg/resolution/resolver/framework/interface.go +++ b/pkg/resolution/resolver/framework/interface.go @@ -96,5 +96,5 @@ type TimedResolution interface { type ResolvedResource interface { Data() []byte Annotations() map[string]string - Source() *pipelinev1beta1.ConfigSource + RefSource() *pipelinev1beta1.RefSource } diff --git a/pkg/resolution/resolver/framework/reconciler.go b/pkg/resolution/resolver/framework/reconciler.go index 8f1242a3fd2..de9bedcf49a 100644 --- a/pkg/resolution/resolver/framework/reconciler.go +++ b/pkg/resolution/resolver/framework/reconciler.go @@ -197,6 +197,7 @@ type statusDataPatch struct { Annotations map[string]string `json:"annotations"` Data string `json:"data"` Source *pipelinev1beta1.ConfigSource `json:"source"` + RefSource *pipelinev1beta1.RefSource `json:"refSource"` } func (r *Reconciler) writeResolvedData(ctx context.Context, rr *v1beta1.ResolutionRequest, resource ResolvedResource) error { 
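Review bot: In `statusDataPatch` (pkg/resolution/resolver/framework/reconciler.go) the old `Source` field sits next to the new `RefSource` with no comment saying which one readers should rely on or that the old one is going away. A field comment would record the plan from the commit message: `// Deprecated: Source duplicates RefSource for one release of compatibility; read RefSource instead.` Neither tag has `omitempty`, so a resolver that returns no reference source will presumably patch both keys as null, which is worth stating in the same comment.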
@@ -205,7 +206,8 @@ func (r *Reconciler) writeResolvedData(ctx context.Context, rr *v1beta1.Resoluti "status": { Data: encodedData, Annotations: resource.Annotations(), - Source: resource.Source(), + RefSource: resource.RefSource(), + Source: (*pipelinev1beta1.ConfigSource)(resource.RefSource()), }, }) if err != nil { diff --git a/pkg/resolution/resolver/framework/reconciler_test.go b/pkg/resolution/resolver/framework/reconciler_test.go index f8f583ac895..89948726744 100644 --- a/pkg/resolution/resolver/framework/reconciler_test.go +++ b/pkg/resolution/resolver/framework/reconciler_test.go @@ -113,7 +113,7 @@ func TestReconcile(t *testing.T) { "bar": { Content: "some content", AnnotationMap: map[string]string{"foo": "bar"}, - ContentSource: &pipelinev1beta1.ConfigSource{ + ContentSource: &pipelinev1beta1.RefSource{ URI: "https://abc.com", Digest: map[string]string{ "sha1": "xyz", @@ -130,6 +130,13 @@ func TestReconcile(t *testing.T) { }, ResolutionRequestStatusFields: v1beta1.ResolutionRequestStatusFields{ Data: base64.StdEncoding.Strict().EncodeToString([]byte("some content")), + RefSource: &pipelinev1beta1.RefSource{ + URI: "https://abc.com", + Digest: map[string]string{ + "sha1": "xyz", + }, + EntryPoint: "foo/bar", + }, Source: &pipelinev1beta1.ConfigSource{ URI: "https://abc.com", Digest: map[string]string{ diff --git a/pkg/resolution/resolver/git/resolver.go b/pkg/resolution/resolver/git/resolver.go index 6befbfdffd3..6ea736406f5 100644 --- a/pkg/resolution/resolver/git/resolver.go +++ b/pkg/resolution/resolver/git/resolver.go 
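Review bot: `writeResolvedData` calls `resource.RefSource()` twice while building the patch, once for `RefSource` and once inside the `ConfigSource` conversion for `Source`. For the cluster and hub resolvers in this patch each call hashes the whole payload with SHA-256, and nothing guarantees that two calls on an arbitrary `ResolvedResource` return the same value, so the two status fields could in principle disagree. Calling it once before the patch is built, `refSource := resource.RefSource()`, and then using `RefSource: refSource,` and `Source: (*pipelinev1beta1.ConfigSource)(refSource),` keeps the deprecated field an exact alias of the new one. The function starts before the hunk and continues after it.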
@@ -335,10 +335,10 @@ func (r *resolvedGitResource) Annotations() map[string]string { return m } -// Source is the source reference of the remote data that records where the remote +// RefSource is the source reference of the remote data that records where the remote // file came from including the url, digest and the entrypoint. -func (r *resolvedGitResource) Source() *pipelinev1beta1.ConfigSource { - return &pipelinev1beta1.ConfigSource{ +func (r *resolvedGitResource) RefSource() *pipelinev1beta1.RefSource { + return &pipelinev1beta1.RefSource{ URI: spdxGit(r.URL), Digest: map[string]string{ "sha1": r.Revision, diff --git a/pkg/resolution/resolver/git/resolver_test.go b/pkg/resolution/resolver/git/resolver_test.go index 59b9c1a63f6..e4e895ef7a4 100644 --- a/pkg/resolution/resolver/git/resolver_test.go +++ b/pkg/resolution/resolver/git/resolver_test.go @@ -524,14 +524,15 @@ func TestResolve(t *testing.T) { expectedStatus.Annotations[AnnotationKeyURL] = scmFakeRepoURL } - // status.source - expectedStatus.Source = &pipelinev1beta1.ConfigSource{ + // status.refSource + expectedStatus.RefSource = &pipelinev1beta1.RefSource{ URI: "git+" + expectedStatus.Annotations[AnnotationKeyURL], Digest: map[string]string{ "sha1": tc.expectedCommitSHA, }, EntryPoint: tc.args.pathInRepo, } + expectedStatus.Source = (*pipelinev1beta1.ConfigSource)(expectedStatus.RefSource) } else { expectedStatus.Status.Conditions[0].Message = tc.expectedErr.Error() } diff --git a/pkg/resolution/resolver/hub/resolver.go b/pkg/resolution/resolver/hub/resolver.go index 8de2b27ad11..eaa2fd802e3 100644 --- a/pkg/resolution/resolver/hub/resolver.go +++ b/pkg/resolution/resolver/hub/resolver.go 
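Review bot: `RefSource` on `resolvedGitResource` (pkg/resolution/resolver/git/resolver.go) records `r.Revision` under the fixed key `"sha1"`, and the doc comment does not say what `Revision` holds at that point. The test in this patch compares the digest with `tc.expectedCommitSHA`, so it is presumably the resolved commit id; if it could ever be the requested branch or tag name, the provenance digest would name a mutable ref instead of pinned content. Once that is confirmed, I would add a line to the comment such as `// Digest["sha1"] is the resolved commit SHA, never the requested branch or tag.` The struct literal continues past the end of the hunk.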
@@ -172,14 +172,14 @@ func (*ResolvedHubResource) Annotations() map[string]string { return nil } -// Source is the source reference of the remote data that records where the remote +// RefSource is the source reference of the remote data that records where the remote // file came from including the url, digest and the entrypoint. -func (rr *ResolvedHubResource) Source() *pipelinev1beta1.ConfigSource { +func (rr *ResolvedHubResource) RefSource() *pipelinev1beta1.RefSource { h := sha256.New() h.Write(rr.Content) sha256CheckSum := hex.EncodeToString(h.Sum(nil)) - return &pipelinev1beta1.ConfigSource{ + return &pipelinev1beta1.RefSource{ URI: rr.URL, Digest: map[string]string{ "sha256": sha256CheckSum, diff --git a/pkg/resolution/resource/crd_resource.go b/pkg/resolution/resource/crd_resource.go index 54b23943e3b..328be3508ea 100644 --- a/pkg/resolution/resource/crd_resource.go +++ b/pkg/resolution/resource/crd_resource.go @@ -160,6 +160,6 @@ func (r readOnlyResolutionRequest) Data() ([]byte, error) { return decodedBytes, nil } -func (r readOnlyResolutionRequest) Source() *pipelinev1beta1.ConfigSource { - return r.req.Status.Source +func (r readOnlyResolutionRequest) RefSource() *pipelinev1beta1.RefSource { + return r.req.Status.RefSource } diff --git a/pkg/resolution/resource/resource.go b/pkg/resolution/resource/resource.go index c2adeec563c..1353cb12539 100644 --- a/pkg/resolution/resource/resource.go +++ b/pkg/resolution/resource/resource.go @@ -59,5 +59,5 @@ type OwnedRequest interface { type ResolvedResource interface { Data() ([]byte, error) Annotations() map[string]string - Source() *pipelinev1beta1.ConfigSource + RefSource() *pipelinev1beta1.RefSource } diff --git a/pkg/trustedresources/verify.go b/pkg/trustedresources/verify.go index f64b29a9561..18fa75e64ab 100644 --- a/pkg/trustedresources/verify.go +++ b/pkg/trustedresources/verify.go 
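Review bot: `readOnlyResolutionRequest.RefSource` in pkg/resolution/resource/crd_resource.go now reads only `Status.RefSource`, so a ResolutionRequest whose status carries only the old `source` field yields nil. The commit message keeps the old field for one release, but this patch applies that compatibility on the write side only. A resolver built against the previous framework, or a request resolved before the upgrade, would presumably lose its reference source here, and with it the URI that `VerifyTask` and `VerifyPipeline` match policies against. A fallback keeps the read side compatible: `if r.req.Status.RefSource != nil { return r.req.Status.RefSource }` followed by `return (*pipelinev1beta1.RefSource)(r.req.Status.Source)`, the reverse of the conversion the reconciler hunk already uses. The method also lacks a doc comment; `// RefSource returns the reference source recorded in the request status.` would match the sibling implementations.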
@@ -45,9 +45,9 @@ const ( // Skip the verification when no policies are found and trusted-resources-verification-no-match-policy is set to ignore or warn // Return an error when no policies are found and trusted-resources-verification-no-match-policy is set to fail, // or the resource fails to pass matched enforce verification policy -// source is from ConfigSource.URI, which will be used to match policy patterns. k8s is used to fetch secret from cluster -func VerifyTask(ctx context.Context, taskObj v1beta1.TaskObject, k8s kubernetes.Interface, source string, verificationpolicies []*v1alpha1.VerificationPolicy) error { - matchedPolicies, err := getMatchedPolicies(taskObj.TaskMetadata().Name, source, verificationpolicies) +// refSourceURI is from RefSource.URI, which will be used to match policy patterns. k8s is used to fetch secret from cluster +func VerifyTask(ctx context.Context, taskObj v1beta1.TaskObject, k8s kubernetes.Interface, refSourceURI string, verificationpolicies []*v1alpha1.VerificationPolicy) error { + matchedPolicies, err := getMatchedPolicies(taskObj.TaskMetadata().Name, refSourceURI, verificationpolicies) if err != nil { if errors.Is(err, ErrNoMatchedPolicies) { switch config.GetVerificationNoMatchPolicy(ctx) { 
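Review bot: The comment on `VerifyTask` (pkg/trustedresources/verify.go) says `refSourceURI` comes from `RefSource.URI` but not what happens when there is no RefSource, which this patch shows is a normal case (the OCI resolver test expects a nil refSource). An empty URI presumably matches no policy pattern, and the comment above says verification is skipped when the no-match policy is ignore or warn, so a resource with no recorded origin may pass unverified depending on configuration. I would state that in the comment, for example `// An empty refSourceURI (resource with no RefSource) is matched like any other value and falls under the no-match policy when nothing matches.`, after confirming it against `getMatchedPolicies`. The same applies to `VerifyPipeline` in the next hunk, and both function bodies continue outside their hunks.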
@@ -81,9 +81,9 @@ func VerifyTask(ctx context.Context, taskObj v1beta1.TaskObject, k8s kubernetes. // Skip the verification when no policies are found and trusted-resources-verification-no-match-policy is set to ignore or warn // Return an error when no policies are found and trusted-resources-verification-no-match-policy is set to fail, // or the resource fails to pass matched enforce verification policy -// source is from ConfigSource.URI, which will be used to match policy patterns. k8s is used to fetch secret from cluster -func VerifyPipeline(ctx context.Context, pipelineObj v1beta1.PipelineObject, k8s kubernetes.Interface, source string, verificationpolicies []*v1alpha1.VerificationPolicy) error { - matchedPolicies, err := getMatchedPolicies(pipelineObj.PipelineMetadata().Name, source, verificationpolicies) +// refSourceURI is from RefSource.URI, which will be used to match policy patterns. k8s is used to fetch secret from cluster +func VerifyPipeline(ctx context.Context, pipelineObj v1beta1.PipelineObject, k8s kubernetes.Interface, refSourceURI string, verificationpolicies []*v1alpha1.VerificationPolicy) error { + matchedPolicies, err := getMatchedPolicies(pipelineObj.PipelineMetadata().Name, refSourceURI, verificationpolicies) if err != nil { if errors.Is(err, ErrNoMatchedPolicies) { switch config.GetVerificationNoMatchPolicy(ctx) { diff --git a/test/resolution.go b/test/resolution.go index 4175bc4f1bc..98e0182de51 100644 --- a/test/resolution.go +++ b/test/resolution.go 
@@ -27,11 +27,11 @@ func NewRequester(resource resolution.ResolvedResource, err error) *Requester { // NewResolvedResource creates a mock resolved resource that is // populated with the given data and annotations or returns the given // error from its Data() method. -func NewResolvedResource(data []byte, annotations map[string]string, source *pipelinev1beta1.ConfigSource, dataErr error) *ResolvedResource { +func NewResolvedResource(data []byte, annotations map[string]string, source *pipelinev1beta1.RefSource, dataErr error) *ResolvedResource { return &ResolvedResource{ ResolvedData: data, ResolvedAnnotations: annotations, - ResolvedSource: source, + ResolvedRefSource: source, DataErr: dataErr, } } @@ -85,8 +85,8 @@ type ResolvedResource struct { DataErr error // Annotations to return when resolution is complete. ResolvedAnnotations map[string]string - // ResolvedSource to return the source reference of the remote data - ResolvedSource *pipelinev1beta1.ConfigSource + // ResolvedRefSource to return the source reference of the remote data + ResolvedRefSource *pipelinev1beta1.RefSource } // Data implements resolution.ResolvedResource and returns the mock @@ -101,8 +101,8 @@ func (r *ResolvedResource) Annotations() map[string]string { return r.ResolvedAnnotations } -// Source is the source reference of the remote data that records where the remote +// RefSource is the source reference of the remote data that records where the remote // file came from including the url, digest and the entrypoint. -func (r *ResolvedResource) Source() *pipelinev1beta1.ConfigSource { - return r.ResolvedSource +func (r *ResolvedResource) RefSource() *pipelinev1beta1.RefSource { + return r.ResolvedRefSource } diff --git a/test/status_test.go b/test/status_test.go index 8a7cfe75f1e..72b790d456e 100644 --- a/test/status_test.go +++ b/test/status_test.go 
@@ -122,8 +122,8 @@ spec: // by cluster resolver, and the in-cluster pipeline uses a remote/in-cluster task that // will also be resolved by cluster resolver. // [Expectation]: PipelineRun status should contain the provenance about the remote pipeline -// i.e. configsource info, and the child TaskRun status should contain the provnenace -// about the remote task i.e. configsource info . +// i.e. refSource info, and the child TaskRun status should contain the provnenace +// about the remote task i.e. refSource info . func TestProvenanceFieldInPipelineRunTaskRunStatus(t *testing.T) { ctx := context.Background() c, namespace := setupProvenance(ctx, t, clusterFeatureFlags, provenanceFeatureFlags) @@ -148,6 +148,10 @@ func TestProvenanceFieldInPipelineRunTaskRunStatus(t *testing.T) { URI: fmt.Sprintf("/apis/%s/namespaces/%s/%s/%s@%s", v1beta1.SchemeGroupVersion.String(), namespace, "task", exampleTask.Name, exampleTask.UID), Digest: map[string]string{"sha256": sha256CheckSum(taskSpec)}, }, + RefSource: &v1beta1.RefSource{ + URI: fmt.Sprintf("/apis/%s/namespaces/%s/%s/%s@%s", v1beta1.SchemeGroupVersion.String(), namespace, "task", exampleTask.Name, exampleTask.UID), + Digest: map[string]string{"sha256": sha256CheckSum(taskSpec)}, + }, FeatureFlags: &config.FeatureFlags{ EnableProvenanceInStatus: true, }, @@ -168,6 +172,10 @@ func TestProvenanceFieldInPipelineRunTaskRunStatus(t *testing.T) { URI: fmt.Sprintf("/apis/%s/namespaces/%s/%s/%s@%s", v1beta1.SchemeGroupVersion.String(), namespace, "pipeline", examplePipeline.Name, examplePipeline.UID), Digest: map[string]string{"sha256": sha256CheckSum(pipelineSpec)}, }, + RefSource: &v1beta1.RefSource{ + URI: fmt.Sprintf("/apis/%s/namespaces/%s/%s/%s@%s", v1beta1.SchemeGroupVersion.String(), namespace, "pipeline", examplePipeline.Name, examplePipeline.UID), + Digest: map[string]string{"sha256": sha256CheckSum(pipelineSpec)}, + }, FeatureFlags: &config.FeatureFlags{ EnableAPIFields: config.DefaultEnableAPIFields, },