Create Ci::Slsa::Attestation model

What does this MR do and why?

Adds the Ci::Slsa::Attestation model and DB table. This represents a signed provenance statement for a build artifact—other statement types may be supported later. The attestation payload will be stored via direct upload (see #556027 (closed)).

#554591 (closed) #554590 (closed)

Notes

On expected workflow and rationale for storing in ci database: !198687 (comment 2655957658)

In summary, a query will be initiated by an API call such as:

https://gitlab.example.com/api/v4/projects/20/attestations/{sha_digest}

which would return a JSON bundle for the artifact represented by the digest. The API backend would query this table based on the digest, and fetch the bundle from object storage.

Data

While discussion around retention policy for these attestations is ongoing, this MR suggests adding an expire_at column to be set once this policy is in place. The goal is to offer flexibility without over-engineering a solution too early, so that we aren't blocked on this discussion.

Open questions

  • If this table is partitioned within ci and records are linked back to p_ci_job_artifacts, can we efficiently query for an attestation record with digest+project alone? !198687 (comment 2673832356)

Epic: &15862 (closed)

Edited by Aaron Huntsman