Modify PublishProvenanceService to persist attestation

Why are we doing this work

In "Modify PublishProvenanceService so that it calls cosign, performing attestation", we modified PublishProvenanceService so that it calls the cosign executable with the right parameters. This was done in the attest_blob! method, which returns the Sigstore bundle as a string. At a high level, this bundle is a string that contains all the information needed to verify the binary.

This issue is about persisting that string, alongside the other attributes of the attestation. Because "Add file uploader for SLSA attestations" is not yet merged, work on this ticket can start, but it needs to be based on that MR.

Relevant links

Non-functional requirements

Implementation plan

  1. Modify the attest! method so that, instead of returning a Tempfile, it uploads the file using the new uploader. As discussed in this comment, we need to avoid logging the attestation. More information in "Uploads guide: Adding new uploads".
  2. Associate the newly uploaded file with the Attestation object and persist it by calling save on that object. The specific attributes that need to be populated are defined in the model itself.
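As an added illustration of steps 1 and 2 (not GitLab's code), a self-contained Ruby sketch of the persistence step: the uploader, the Attestation model and the service are hypothetical stand-ins, the bundle is a constructed sample, and the log line carries only the digest so the attestation itself is never logged.

```ruby
require 'digest'
require 'logger'
require 'stringio'

# Constructed sample with the shape of a Sigstore bundle; not a real signature.
SAMPLE_BUNDLE = '{"mediaType":"application/vnd.dev.sigstore.bundle+json",' \
                '"dsseEnvelope":{"payload":"ZXhhbXBsZQ==","signatures":[]}}'

# Hypothetical stand-in for the new file uploader: keeps the bytes under a
# content-addressed key instead of writing them to object storage.
class AttestationUploader
  attr_reader :store
  def initialize
    @store = {}
  end

  def store!(io)
    bytes = io.read
    key = "attestations/#{Digest::SHA256.hexdigest(bytes)}.sigstore.json"
    @store[key] = bytes
    key
  end
end

# Hypothetical stand-in for the Attestation model; save! refuses a record with no file attached.
Attestation = Struct.new(:project_id, :bundle_digest, :file_key, :saved, keyword_init: true) do
  def save!
    raise ArgumentError, 'file_key must be set before save' if file_key.nil?
    self.saved = true
    self
  end
end

class PublishProvenanceService
  def initialize(uploader:, logger:)
    @uploader = uploader
    @logger = logger
  end

  # bundle: the Sigstore bundle string returned by attest_blob!. It is handed
  # to the uploader as an IO; the log line carries only its digest, never the bundle.
  def persist_attestation(project_id:, bundle:)
    file_key = @uploader.store!(StringIO.new(bundle))
    attestation = Attestation.new(project_id: project_id, file_key: file_key,
                                  bundle_digest: Digest::SHA256.hexdigest(bundle))
    attestation.save!
    @logger.info("attestation persisted project_id=#{project_id} digest=#{attestation.bundle_digest}")
    attestation
  end
end
```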

Verification steps

  • Once the code is in production, enable the FF on a project that has all the required prerequisites. Observe that the logs are correct.
  • Once the code is on staging, enable the FF on a project that has all the required prerequisites and connect to the staging read-only console. Observe that the models are correctly populated.