Resolve "Uploader service to store SLSA provenance statements as artifacts"
What does this MR do and why?
References
Why
We are working towards SLSA L3 in &15858. As a part of Phase 2: Generate provenance statement in control plane, we need to implement an uploader service to store the generated provenance on object storage.
What
This merge request creates a new service, Ci::Slsa::UploadStatementService, to store a provenance statement JSON file as an artifact. This is an interim mechanism that will allow us to provide SLSA attestations for our builds, as part of the &15858 epic.
The provenance statement is generated using the Ci::Slsa::ProvenanceStatement model, introduced by a previous MR. We then leverage UploadedFile and JobArtifact::CreateService in order to create a service and handle edge cases. See &17702 (comment 2564118429).
A subsequent MR will use this service from a worker to automatically populate the required artifacts.
How to set up and validate locally
- Set up GDK with a runner as described here.
- Create a sample workflow that generates an artifact. Example below.
- Observe that it has only two artifacts.
- Run Ci::Slsa::UploadStatementService.new(build).execute
- Observe that a new artifact is created. It can be downloaded and it has the correct contents.
cat .gitlab-ci.yml
build-job:
  stage: build
  script:
    - echo "Hello, $GITLAB_USER_LOGIN!"
    - echo "Hello, $GITLAB_USER_LOGIN!" > test.txt
  artifacts:
    paths:
      - test.txt
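One way to script the "correct contents" check from the last validation step, as an added example that is not part of this MR or of GitLab's code. It assumes the stored statement is an in-toto Statement v1 carrying a SLSA v1 provenance predicate (the MR does not show the format); `check_provenance`, the sample builder and build type URLs, and the sample file content are constructed for illustration.

```ruby
require "json"
require "digest/sha2"

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1   = "https://slsa.dev/provenance/v1"

# Returns a list of problems; an empty list means the statement has the expected
# envelope and every subject digest matches the local file content.
# `files` maps subject name => file bytes taken from the downloaded job artifacts.
def check_provenance(statement_json, files)
  stmt = JSON.parse(statement_json)
  return ["top level is not a JSON object"] unless stmt.is_a?(Hash)

  problems = []
  problems << "unexpected _type #{stmt['_type'].inspect}" unless stmt["_type"] == IN_TOTO_STATEMENT_V1
  unless stmt["predicateType"] == SLSA_PROVENANCE_V1
    problems << "unexpected predicateType #{stmt['predicateType'].inspect}"
  end
  if stmt.dig("predicate", "runDetails", "builder", "id").to_s.empty?
    problems << "missing predicate.runDetails.builder.id"
  end

  subjects = stmt["subject"]
  return problems << "subject list is missing or empty" unless subjects.is_a?(Array) && !subjects.empty?

  subjects.each do |subject|
    next problems << "subject entry is not an object" unless subject.is_a?(Hash)

    name = subject["name"]
    content = files[name]
    if content.nil?
      problems << "no local file for subject #{name.inspect}"
    elsif subject.dig("digest", "sha256") != Digest::SHA256.hexdigest(content)
      problems << "sha256 mismatch for #{name}"
    end
  end
  problems
rescue JSON::ParserError, TypeError => e
  ["malformed statement: #{e.message}"]
end

# Constructed sample: test.txt as written by the example pipeline, plus a matching statement.
SAMPLE_FILES = { "test.txt" => "Hello, root!\n" }.freeze
SAMPLE_STATEMENT = JSON.generate(
  "_type" => IN_TOTO_STATEMENT_V1, "predicateType" => SLSA_PROVENANCE_V1,
  "subject" => [{ "name" => "test.txt", "digest" => { "sha256" => Digest::SHA256.hexdigest(SAMPLE_FILES["test.txt"]) } }],
  "predicate" => { "runDetails" => { "builder" => { "id" => "https://example.invalid/runner/1" } } }
)
```

Feed it the downloaded statement JSON and the bytes of each job artifact; any returned string is a reason not to trust the attestation for that build.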
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #546153 (closed)

