Standardize Attestation Artifact Names and Permissions
Description
As a DevOps engineer, I need the GitLab-generated attestation file to have a predictable file name so that I can later reference the artifact programmatically to sign it or to push it to my artifact storage solution.
Proposal
- Instead of following the format `$CI_JOB_ID-artifacts-metadata.json`, attestation artifact files will be named `$ARTIFACT_FILE_NAME-metadata.json`, where `$ARTIFACT_FILE_NAME` is the name of the artifact for which the attestation was generated.
- The CI job ID will be added into the attestation that is generated as a new field of `predicate.invocation.environment.job.id`.
- The permissions of the generated attestation file will be set to `644` to allow non-root users access to read and sign the file.
Links to related issues and merge requests / references
Edited by Sam White
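
A pre-signing check that a later pipeline step could run against the naming, job ID field and file mode proposed above; this is an added example, not code from GitLab or from the issue author. The function names, the artifact name `app.tar.gz` and the job ID `1234` are constructed, and it assumes that `job.id` may be serialized as either a number or a string.

```python
import json
import os
import stat
import tempfile


def attestation_path(artifact_file_name, directory="."):
    """Proposed naming: $ARTIFACT_FILE_NAME-metadata.json."""
    return os.path.join(directory, f"{artifact_file_name}-metadata.json")


def check_attestation(artifact_file_name, expected_job_id, directory="."):
    """Return a list of problems; an empty list means the file is ready to sign."""
    path = attestation_path(artifact_file_name, directory)
    if not os.path.isfile(path):
        return [f"missing attestation: {path}"]
    problems = []
    # The proposal fixes the mode at 644: readable by the signer, writable by owner only.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o644:
        problems.append(f"mode is {mode:o}, expected 644")
    try:
        with open(path, encoding="utf-8") as fh:
            statement = json.load(fh)
        job_id = statement["predicate"]["invocation"]["environment"]["job"]["id"]
    except (OSError, ValueError, KeyError, TypeError) as exc:
        return problems + [f"cannot read job id: {exc!r}"]
    # Assumption: compare as strings because the serialized type is not stated.
    if str(job_id) != str(expected_job_id):
        problems.append(f"job id {job_id} does not match {expected_job_id}")
    return problems


def demo():
    """Write a constructed attestation and run the check in three situations."""
    with tempfile.TemporaryDirectory() as d:
        path = attestation_path("app.tar.gz", d)
        sample = {"predicate": {"invocation": {"environment": {"job": {"id": 1234}}}}}
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        ok = check_attestation("app.tar.gz", "1234", d)
        wrong_job = check_attestation("app.tar.gz", "9999", d)
        os.chmod(path, 0o600)
        wrong_mode = check_attestation("app.tar.gz", "1234", d)
        return ok, wrong_job, wrong_mode


if __name__ == "__main__":
    print(demo())
```

In a job, `expected_job_id` would come from `$CI_JOB_ID`, so an attestation left over from a different job is rejected before it is signed or pushed.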