Enqueue worker that publishes SLSA provenance statement when job ends with artifacts
Why are we doing this work
As a part of Phase 2: Generate provenance statement in control plane, we need to enqueue a job to publish a SLSA provenance statement when a job ends with artifacts.
The worker that publishes the SLSA provenance of a given CI/CD job is implemented in #546178 (closed).
Depending on the configuration of the CI/CD job, this might happen when the job fails.
See the `artifacts:when` keyword.
This is a behavior change and is behind the feature flag.
Relevant links
Non-functional requirements
- Documentation: Merge #426764 (closed) as part of this work.
- Feature flag: This is a behavior change, and it's behind a feature flag for project actor.
  - Name of the flag: `slsa_provenance_statement`
  - Update rollout issue with that name: [FF] `slsa_provenance_statement` -- Roll out fe... (#547866)
- Performance: see here for performance analysis https://gitlab.com/gitlab-org/gitlab/-/issues/556202
- Testing: See verification steps below.
Implementation plan
- Define and introduce feature flag.
- In the BuildFinishedWorker, add a new line to invoke the "publish provenance statement worker" based on the feature flag check.
- Add unit tests.
Verification steps
To be verified manually on production in a test project where the feature flag is enabled.
Edited by Sam Roque-Worcel