Evidence collection for Releases MVC
This epic is about delivering a MVC iteration for "Evidence Collection" as part of ~"release governance" and mentioned in [CI/CD vision page](https://about.gitlab.com/2019/08/07/a-look-ahead-for-gitlab-cicd/). That content is intentionally not duplicated here to avoid drift; this issue will focus on the MVC (first iteration) goals and deliverables.
## MVC Goals
We want to be able to provide a mechanism for evidence collection within Gitlab. This includes features like having a strong integration with CI/CD to ensure an audit-able chain of custody for artifacts and traceability all the way back to the commits and issues that made up the release, confirming requirements such as test completion or other quality and security gates, appropriate are gathered in the process, and so on. Our intention is to achieve this as a natural byproduct of your way of working within GitLab and not requiring any additional effort or attention needed in order to prepare for compliance and audit tracking.
### Problem to solve
There are certain kinds of evidence which are important to collect as part of a release. This can include a wide variety of things, but typically will be:
- Evidence of all pipelines run, pipeline steps run for each, and their output
- Test scenarios run, and their results
- Compliance or security checks run, and their results
- Checksums associated with the above items to prevent tampering after the fact
It should be possible when creating a release to include these as part of the release entity, without anyone having to worry about it or lift a finger.
Secure releases should receive a secure checksum themselves (which includes thereby a secure checksum of all contained information) and should not be editable after the fact. If a release containing evidence needs to be modified, it should be deleted and regenerated.
### Target audience
Release Managers, compliance and security teams
### Further details
One interesting decision here is how this interacts with binary authorization (https://gitlab.com/gitlab-org/gitlab-ee/issues/7268). If releases end up being the artifact to sign, then this evidence collection (and signature of the release) can be the same thing as the attestation criteria.
epic