Resolve "Enqueue worker that Publish SLSA provenance statement when job ends with artifacts"
What does this MR do and why?
This merge request modifies BuildFinishedWorker to enqueue PublishProvenanceWorker when appropriate, specifically when the newly introduced feature flag slsa_provenance_statement is enabled for the project and the build has artifacts. In a subsequent MR, this worker will call cosign and generate a provenance attestation for the specific builds that explicitly enable this feature.
Additionally, this MR merges in the documentation MR, created with the assistance of @marcel.amirault.
Furthermore, this MR renames the worker file and the service file to adhere to the correct SLSA naming conventions, as recommended by @fcatteau.
This is achieved by:
- Creating a new flag: slsa_provenance_statement
- Modifying ee/app/workers/ee/ci/build_finished_worker.rb to invoke the worker when FF is enabled and build has artifacts. This also happens when build fails as noted in issue #547865 (closed).
- Adding pertinent unit tests.
Related to #547865 (closed).
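The enqueue rule above (feature flag enabled for the project AND build has artifacts, regardless of whether the build succeeded or failed) can be modelled with plain Ruby objects so the decision is easy to check in isolation. The following is an added illustration, not GitLab's own worker code: `Build`, `FeatureFlags`, `ProvenanceQueue` and `BuildFinishedHandler` are assumed stand-ins for the real Rails/Sidekiq classes, and the sample builds are constructed here.

```ruby
# Added example (not GitLab code): models the gate that decides whether
# BuildFinishedWorker should hand a build to PublishProvenanceWorker.
# All class names below are assumptions standing in for the real ones.

# Minimal stand-in for Ci::Build: only the fields the gate needs.
Build = Struct.new(:id, :status, :artifacts, :project, keyword_init: true) do
  def artifacts?
    !artifacts.nil? && !artifacts.empty?
  end

  def failed?
    status == :failed
  end
end

# Stand-in for a per-project feature flag check.
class FeatureFlags
  def initialize(enabled_projects)
    @enabled_projects = enabled_projects
  end

  def enabled?(flag, project)
    flag == :slsa_provenance_statement && @enabled_projects.include?(project)
  end
end

# Stand-in for PublishProvenanceWorker.perform_async: records enqueued build ids.
class ProvenanceQueue
  attr_reader :jobs

  def initialize
    @jobs = []
  end

  def perform_async(build_id)
    @jobs << build_id
  end
end

# Stand-in for the BuildFinishedWorker hook this MR adds.
class BuildFinishedHandler
  def initialize(flags, queue)
    @flags = flags
    @queue = queue
  end

  # The gate from the MR: flag on for the project AND artifacts present.
  # Build status is deliberately not consulted, so failed builds with
  # artifacts are still attested (issue #547865 behaviour).
  def publish_provenance?(build)
    @flags.enabled?(:slsa_provenance_statement, build.project) && build.artifacts?
  end

  def perform(build)
    enqueue = publish_provenance?(build)
    @queue.perform_async(build.id) if enqueue
    enqueue
  end
end

# Runs four constructed builds through the gate and returns the ids enqueued.
def demo_enqueued_build_ids
  flags = FeatureFlags.new(["secure-app"])          # flag enabled only here
  queue = ProvenanceQueue.new
  handler = BuildFinishedHandler.new(flags, queue)

  builds = [
    Build.new(id: 1, status: :success, artifacts: ["app.tar"],     project: "secure-app"), # enqueued
    Build.new(id: 2, status: :failed,  artifacts: ["report.json"], project: "secure-app"), # enqueued (failed, has artifacts)
    Build.new(id: 3, status: :success, artifacts: [],              project: "secure-app"), # skipped: no artifacts
    Build.new(id: 4, status: :success, artifacts: ["app.tar"],     project: "legacy-app"), # skipped: flag off
  ]
  builds.each { |b| handler.perform(b) }
  queue.jobs
end

puts demo_enqueued_build_ids.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints `[1, 2]`: the failed build with artifacts is enqueued, while the artifact-less build and the build in a project without the flag are not.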
References
- FF rollout issue #547866
- Documentation issue !194780 (closed)
- Latest ADR: https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/slsa_level_3/decisions/004_attestation_in_sidekiq/
How to set up and validate locally
BuildFinishedWorker can be run locally with the following command:

```ruby
build = Ci::Build.last
Ci::BuildFinishedWorker.perform_inline(build)
```
At the moment this does not produce any side effects, but subsequent MRs will introduce observable database changes such as the creation of a database model.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.