Modify PublishProvenanceService so that it calls cosign, performing attestation.

Background

This issue is a central component of Phase 3: Signing Out of Build Environment Using OIDC and Sigstore. This issue pertains to the generation of a provenance attestation, and will finally allow us to generate a provenance attestation for a build in the provenance plane.

Relevant links

Non-functional requirements

Implementation plan

Resolution of this issue will involve:

  • Modification of PublishProvenanceService so that it generates a provenance statement and calls the attest-blob command of cosign, as illustrated in the SLSA Workflow POC. Particular care needs to be put into 1) sanitizing input and 2) how we enable the configuration options for local development (and future customer use).
  • The previous modification will cause this code to run for all tests that have artifacts, because flags are enabled by default in tests and BuildFinishedWorker invokes this method when artifacts exist. Because of this, we will need to create a mock environment variable in SLSA-specific tests. See further detail in the related discussion.
  • Log the generated provenance attestation. See #559192 (comment 2672694547).
  • Add worker_has_external_dependencies! to the worker.
  • Unit tests (that mock calls to cosign).
  • Test manually.
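As an added illustration of the first two items (not GitLab's PublishProvenanceService), the sketch below builds an in-toto statement for one artifact, validates the artifact name and digest before they reach the command line, and invokes `cosign attest-blob` as an argument array with an injectable runner so unit tests can mock the cosign call. The class name, the `--type slsaprovenance1` predicate type and the single-builder predicate shape are assumptions for the example.

```ruby
require 'json'
require 'open3'
require 'tempfile'

# Hypothetical stand-in for the service described in the plan (example code, not GitLab's).
class ProvenanceAttester
  COSIGN_BIN = 'cosign'.freeze
  # Assumed: cosign's built-in SLSA v1 predicate type name.
  COSIGN_TYPE = 'slsaprovenance1'.freeze
  Result = Struct.new(:stdout, :stderr, :status, :command)

  # `runner` receives the argv array; tests inject a fake so cosign is never executed.
  def initialize(runner: method(:run_cosign))
    @runner = runner
  end

  # Reject anything that could be read as an option (leading '-'), a path, or a malformed digest.
  def self.sanitize_artifact!(name:, sha256:)
    raise ArgumentError, "bad artifact name: #{name.inspect}" unless name.match?(/\A[A-Za-z0-9][\w.\-]*\z/)
    raise ArgumentError, "bad digest: #{sha256.inspect}" unless sha256.match?(/\A[0-9a-f]{64}\z/)
    { name: name, sha256: sha256 }
  end

  # in-toto statement wrapping a minimal SLSA v1 predicate (shape assumed for the example).
  def statement(builder_id:, artifact:)
    a = self.class.sanitize_artifact!(**artifact)
    { '_type' => 'https://in-toto.io/Statement/v1',
      'subject' => [{ 'name' => a[:name], 'digest' => { 'sha256' => a[:sha256] } }],
      'predicateType' => 'https://slsa.dev/provenance/v1',
      'predicate' => { 'runDetails' => { 'builder' => { 'id' => builder_id } } } }
  end

  # cosign attest-blob takes only the predicate and wraps it in its own statement.
  # No shell is involved: argv is passed as an array and '--' ends option parsing.
  def attest(blob_path:, builder_id:, artifact:)
    predicate = statement(builder_id: builder_id, artifact: artifact)['predicate']
    Tempfile.create(['predicate', '.json']) do |f|
      f.write(JSON.generate(predicate))
      f.flush
      cmd = [COSIGN_BIN, 'attest-blob', '--predicate', f.path, '--type', COSIGN_TYPE, '--yes', '--', blob_path]
      @runner.call(cmd)
    end
  end

  private

  def run_cosign(cmd)
    out, err, st = Open3.capture3(*cmd)
    Result.new(out, err, st.exitstatus, cmd)
  end
end
```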

Verification steps

This code can be verified end to end in production. Steps:

  1. Create a project for which the FF is enabled. See "test-slsa-worker · GitLab" for an example.
  2. Create a build which produces artifacts.
  3. Inspect the generated attestation in the logs, and paste the output in the issue as part of workflow verification.
Edited by Sam Roque-Worcel