Add attestations show view

What does this MR do and why?

Adds the show page for attestations, where we render the metadata for an attestation derived from its file. This is developed under the slsa_provenance_statement feature flag.

Changes include:

  • Creating the show page. This renders the attestation metadata and a link to download the attestation file.
  • Each attestation in the attestations table (/-/attestations) links to its own show page.
  • Because we need to parse the attestation file to get the metadata, I added spec/fixtures/supply_chain/parseable_attestation.json so we can test that we're parsing the file correctly.

References

Resolves Create Attestations Show View (#566595)

Screenshots or screen recordings

State, with the screenshot for each:

  • Link added to details page from /-/attestations: attestations_table
  • When attestation does not exist: attestation_dne
  • When parsing the attestation metadata fails: metadata_parse_error
  • When parsing attestation certificate fails: Screenshot_2025-12-10_at_03.12.10
  • Rendering all attestation details: Screenshot_2025-12-09_at_18.00.29, Screenshot_2025-12-09_at_18.00.45

How to set up and validate locally

  1. Enable the slsa_provenance_statement feature flag.
  2. Make sure to use a project that has run at least one pipeline, since an attestation needs to have an associated CI build. If your project doesn't have a pipeline or a CI config, make sure you have gitlab-runner running, then go to Secure > Pipeline editor to create/update your .gitlab-ci.yml file. This will automatically run a pipeline for you.
  3. Create a list of attestations with the rails console for your project.
    require 'open-uri' # URI#read comes from open-uri; harmless if it is already loaded

    project = Project.find_by_full_path('project-path')
    build = project.builds.last
    # Sample Sigstore bundle used as the attestation file for every record below
    data = URI("https://gitlab.com/gitlab-org/software-supply-chain-security/tools/sigstore-local/-/raw/main/sample.sigstore.json").read

    25.times do |i|
      temp_file = Tempfile.new("sample_#{i + 1}.sigstore.json")
      temp_file.write(data)
      temp_file.rewind
      attestation = SupplyChain::Attestation.create!(
        project: build.project,
        build_id: build.id,
        status: ['success', 'error'].sample,
        predicate_kind: "provenance",
        predicate_type: "https://slsa.dev/provenance/v1",
        subject_digest: SecureRandom.hex(32),
        file: temp_file
      )
    end
  4. Go to /<path-to-project>/-/attestations to view the attestation list page. Verify that individual attestations now link to their details page.
  5. View /<path-to-project>/-/attestations/<attestation.iid> to view an attestation.
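The show page renders metadata derived from the attestation file and has distinct states for a metadata parse failure and a certificate parse failure. The following is an added example, not code from this MR or from GitLab: it parses a constructed Sigstore bundle the way such a view would need to, and raises a single error type for both failure states so the controller can pick the right screen. It assumes the bundle layout of a Sigstore bundle (a dsseEnvelope whose base64 payload is an in-toto Statement, and a leaf certificate at verificationMaterial.certificate.rawBytes as base64 DER); the module, class and method names, the sample statement and the self-signed certificate are all constructed here.

```ruby
# Added example (not from the MR): extract show-page metadata from a Sigstore
# bundle and surface the two failure states the MR screenshots name.
require 'json'
require 'base64'
require 'openssl'

# Hypothetical error type; the view would map it to the error state.
class AttestationParseError < StandardError; end

module AttestationMetadata
  # Constructed in-toto Statement carrying an SLSA provenance v1 predicate.
  STATEMENT = {
    '_type' => 'https://in-toto.io/Statement/v1',
    'subject' => [{ 'name' => 'app.tar.gz', 'digest' => { 'sha256' => 'a' * 64 } }],
    'predicateType' => 'https://slsa.dev/provenance/v1',
    'predicate' => { 'buildDefinition' => { 'buildType' => 'https://example.invalid/gitlab-ci' } }
  }.freeze

  # Display fields for the show page, or AttestationParseError (metadata_parse_error state).
  def self.parse(bundle_json)
    bundle = JSON.parse(bundle_json)
    envelope = bundle['dsseEnvelope']
    raise AttestationParseError, 'missing dsseEnvelope' unless envelope.is_a?(Hash)

    # The payload is the base64-encoded in-toto Statement.
    statement = JSON.parse(Base64.strict_decode64(envelope['payload'].to_s))
    subjects = Array(statement['subject'])
    raise AttestationParseError, 'statement has no subject' if subjects.empty?

    {
      payload_type: envelope['payloadType'],
      statement_type: statement['_type'],
      predicate_type: statement['predicateType'],
      subject_digests: subjects.map { |s| s.fetch('digest', {})['sha256'] }.compact,
      signature_count: Array(envelope['signatures']).size
    }
  rescue JSON::ParserError, ArgumentError, TypeError, NoMethodError => e
    raise AttestationParseError, "cannot parse attestation metadata: #{e.message}"
  end

  # Certificate fields, nil when the bundle carries no certificate, or
  # AttestationParseError when the bytes are not a DER certificate.
  def self.parse_certificate(bundle_json)
    raw = JSON.parse(bundle_json).dig('verificationMaterial', 'certificate', 'rawBytes')
    return nil if raw.nil?

    cert = OpenSSL::X509::Certificate.new(Base64.strict_decode64(raw))
    { subject: cert.subject.to_s, issuer: cert.issuer.to_s, not_after: cert.not_after }
  rescue JSON::ParserError, ArgumentError, TypeError, OpenSSL::X509::CertificateError => e
    raise AttestationParseError, "cannot parse attestation certificate: #{e.message}"
  end

  # Constructed self-signed certificate standing in for a signing certificate.
  def self.constructed_certificate_der
    key = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = 1
    cert.subject = OpenSSL::X509::Name.parse('/CN=constructed-signer')
    cert.issuer = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now
    cert.not_after = Time.now + 600
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
    cert.to_der
  end

  # Constructed bundle; the signature bytes are a placeholder, not a real signature.
  def self.constructed_bundle(payload: JSON.generate(STATEMENT), certificate_der: constructed_certificate_der)
    JSON.generate(
      'mediaType' => 'application/vnd.dev.sigstore.bundle.v0.3+json',
      'verificationMaterial' => { 'certificate' => { 'rawBytes' => Base64.strict_encode64(certificate_der) } },
      'dsseEnvelope' => {
        'payload' => Base64.strict_encode64(payload),
        'payloadType' => 'application/vnd.in-toto+json',
        'signatures' => [{ 'sig' => Base64.strict_encode64('constructed-placeholder-signature') }]
      }
    )
  end
end

if __FILE__ == $PROGRAM_NAME
  bundle = AttestationMetadata.constructed_bundle
  puts AttestationMetadata.parse(bundle).inspect
  puts AttestationMetadata.parse_certificate(bundle).inspect
  begin
    AttestationMetadata.parse(AttestationMetadata.constructed_bundle(payload: 'not json'))
  rescue AttestationParseError => e
    puts "metadata error state: #{e.message}"
  end
end
```

Parsing the statement and the certificate are kept as separate steps because the MR treats them as separate failure states: a bundle with a readable statement but a malformed certificate should still render the metadata and only degrade the certificate section.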

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Mireya Andres
