Create Attestations List View

Why are we doing this work

In order for SLSA attestations to be discoverable at a project level, a list view will need to be added to the UI. The scope of this issue is to build out the implementation described below.

The view should be available at the path /:project_path/attestations and should reflect the UI described in this design. It should also support pagination.

The visibility should match that of the project, so if the project is public, the attestations should be publicly visible.

This should be developed behind the slsa_provenance_statement feature flag.

Out of scope

Filtering is out of scope for this iteration.

Relevant links

Refer to the following links for more information:

Implementation plan

Overview

Since the pages are static, we'll implement the UI using HAML views instead of Vue. This issue will be split into two MRs:

  1. Set up the route and provide an empty state if the project has no attestations.
    • If the user doesn't have access to attestations, they shouldn't be able to access the page.
    • Empty state should provide the following information: clear messaging about what attestations are, link to documentation, potentially a CTA to enable SLSA provenance generation.
  2. Provide the table view if the project has attestations. Each attestation should have a download link and it should link to the individual view page for that attestation (can be a blank page for now, as this will be implemented in #566595).
    • Make sure to show error messages when appropriate.

Details

We can supply the data via the controllers. We'll use keyset pagination for this one.

class Projects::AttestationsController < Projects::ApplicationController
  def index
    @attestations = SupplyChain::Attestation
      .for_project(@project.id)
      .order(created_at: :desc)
      .keyset_paginate(cursor: params[:cursor])
  end
end

-# Display the paginated items
- @attestations.each do |attestation|
  = render attestation

-# Render pagination controls at the bottom
= paginate @attestations, theme: 'gitlab'

Verification steps

We can add sample attestations to the project through the following script (input via rails console):

# provide an array of project IDs you want to test with
[28, 27, 26].each do |project_id|
  # the list view is only served while the feature flag is enabled for the project
  Feature.enable(:slsa_provenance_statement, Project.find(project_id))
  attestation = SupplyChain::Attestation.new do |a|
    a.subject_digest = "8db1fee4b5703808c48078a76768b155b421b210c0761cd6a5d223f4d99f1eaa"
    a.predicate_type = "https://slsa.dev/provenance/v1"
    a.file = Tempfile.new
    a.project_id = project_id
  end
  # save! raises on a validation failure instead of silently returning false
  attestation.save!
end

This attestation would be incomplete (it doesn't have the associated build data), but it should suffice for this issue.

The view should be available at the path /:project_path/attestations. If there are no attestations, we show an empty state. Otherwise, we show the table of attestations.
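
The controller sketch above hands params[:cursor] to keyset pagination, so the cursor is untrusted input. The following is an added example in plain Ruby, not GitLab's code or its real cursor format: Attestation, keyset_page, encode_cursor, decode_cursor, InvalidCursor and the sample rows are hypothetical stand-ins. It shows the project scope being applied independently of the cursor, and a malformed cursor being rejected with an error the view can report.

```ruby
require 'base64'
require 'json'
require 'time'

# Hypothetical stand-in for an attestation row; not GitLab's model.
Attestation = Struct.new(:id, :project_id, :created_at)

class InvalidCursor < StandardError; end

# Assumed cursor format: Base64(JSON) of the last row's sort key.
# It arrives as a request parameter, so it is validated before use.
def encode_cursor(row)
  Base64.urlsafe_encode64(JSON.generate('created_at' => row.created_at.iso8601, 'id' => row.id))
end

def decode_cursor(raw)
  data = JSON.parse(Base64.urlsafe_decode64(raw))
  raise InvalidCursor unless data.is_a?(Hash) && data['id'].is_a?(Integer) && data['created_at'].is_a?(String)
  [Time.iso8601(data['created_at']), data['id']]
rescue ArgumentError, JSON::ParserError
  raise InvalidCursor
end

# Newest first, with id as tie-breaker for equal timestamps. The project
# filter runs before the cursor, so a cursor only moves within this project.
def keyset_page(rows, project_id:, cursor: nil, per_page: 2)
  scoped = rows.select { |r| r.project_id == project_id }
               .sort_by { |r| [-r.created_at.to_i, -r.id] }
  if cursor
    ts, id = decode_cursor(cursor)
    scoped = scoped.select { |r| ([-r.created_at.to_i, -r.id] <=> [-ts.to_i, -id]) > 0 }
  end
  page = scoped.first(per_page)
  next_cursor = scoped.size > per_page ? encode_cursor(page.last) : nil
  [page, next_cursor]
end

# Constructed sample data: two projects; rows 2 and 3 share a timestamp.
T0 = Time.utc(2025, 1, 1)
ROWS = [
  Attestation.new(1, 28, T0),
  Attestation.new(2, 28, T0 + 60),
  Attestation.new(3, 28, T0 + 60),
  Attestation.new(4, 27, T0 + 120)
].freeze
```

A cursor minted from project 27's listing and replayed against project 28 still returns only project 28's rows, because the scope never depends on the cursor's contents.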
