enable in-toto attestation for job's artifacts
What does this MR do and why?
This MR adds attestation metadata for all build artifacts to enable SLSA provenance (metadata about how an artifact was produced).
Provenance is the verifiable information about software artifacts describing where, when, and how something was produced.
Limitation: the attestation is not yet digitally signed (cf. gitlab-org/gitlab-runner#29063); the signature is covered by !664 (closed).
At the end, the attestation is added to the artifacts. The provenance file is named artifacts-metadata.json.
Related reference(s)
- https://gitlab.com/sylva-projects/sylva/-/tree/rfe-supply-chain-security?ref_type=heads
- https://docs.gitlab.com/ee/ci/runners/configure_runners.html#artifact-attestation
- https://about.gitlab.com/blog/2022/11/30/achieve-slsa-level-2-compliance-with-gitlab/
Test coverage
Check a job's artifact named artifacts-metadata.json or {ARTIFACT_NAME}-metadata.json.
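One way to check such a metadata file, as an added example that is not part of this MR or of the GitLab runner code: the script below parses an in-toto Statement carrying a SLSA provenance predicate (the format the attestation file uses), locates the subject entry for a named artifact, and confirms that the sha256 digest recorded there matches the bytes of the artifact you actually hold. Because the attestation is not yet signed, this only proves that the metadata describes the artifact, not who produced the metadata; the sample statement, subject name and artifact bytes are constructed here so the check runs offline, and the builder id is a placeholder.

```python
"""Check that an in-toto/SLSA provenance statement describes a given artifact.

Added example, not code from this merge request. The statement layout
(in-toto Statement v0.1 wrapping a SLSA provenance predicate) is the
published format; the sample artifact and metadata are constructed.
"""
import hashlib
import hmac
import json
import sys

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_PREFIX = "https://slsa.dev/provenance/"

# Constructed sample artifact, standing in for a job's build output.
SAMPLE_ARTIFACT = b"binary-release-1.0\n"

# Constructed sample metadata shaped like an artifacts-metadata.json file.
# The builder id is a placeholder, not a real runner identity.
SAMPLE_METADATA = json.dumps({
    "_type": IN_TOTO_STATEMENT_TYPE,
    "subject": [
        {
            "name": "release.tar.gz",
            "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()},
        }
    ],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "builder": {"id": "PLACEHOLDER-builder-id"},
        "buildType": "PLACEHOLDER-build-type",
    },
})


def parse_statement(raw: str) -> dict:
    """Parse the metadata and reject anything that is not an in-toto
    Statement carrying a SLSA provenance predicate with at least one subject."""
    stmt = json.loads(raw)
    if stmt.get("_type") != IN_TOTO_STATEMENT_TYPE:
        raise ValueError(f"unexpected statement type: {stmt.get('_type')!r}")
    predicate_type = str(stmt.get("predicateType", ""))
    if not predicate_type.startswith(SLSA_PROVENANCE_PREFIX):
        raise ValueError(f"unexpected predicate type: {predicate_type!r}")
    subjects = stmt.get("subject")
    if not isinstance(subjects, list) or not subjects:
        raise ValueError("statement has no subjects")
    return stmt


def is_valid_statement(raw: str) -> bool:
    """Boolean wrapper around parse_statement for quick checks."""
    try:
        parse_statement(raw)
    except (ValueError, json.JSONDecodeError):
        return False
    return True


def find_subject(stmt: dict, artifact_name: str):
    """Return the subject entry whose name matches, or None."""
    for subject in stmt["subject"]:
        if subject.get("name") == artifact_name:
            return subject
    return None


def verify_artifact(raw_metadata: str, artifact_name: str, artifact_bytes: bytes) -> bool:
    """True only if the statement lists the artifact and its recorded sha256
    equals the digest of the bytes we hold. Constant-time compare avoids
    leaking how many leading hex characters matched."""
    stmt = parse_statement(raw_metadata)
    subject = find_subject(stmt, artifact_name)
    if subject is None:
        return False
    expected = subject.get("digest", {}).get("sha256")
    if not isinstance(expected, str) or not expected:
        return False
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    return hmac.compare_digest(actual, expected.lower())


if __name__ == "__main__":
    # Usage: python check_attestation.py <metadata.json> <artifact-name> <artifact-file>
    # With no arguments the constructed sample is checked instead.
    if len(sys.argv) == 4:
        with open(sys.argv[1], encoding="utf-8") as fh:
            metadata = fh.read()
        with open(sys.argv[3], "rb") as fh:
            data = fh.read()
        ok = verify_artifact(metadata, sys.argv[2], data)
    else:
        ok = verify_artifact(SAMPLE_METADATA, "release.tar.gz", SAMPLE_ARTIFACT)
    print("digest matches" if ok else "digest MISMATCH")
    sys.exit(0 if ok else 1)
```

A mismatch here means either the artifact was altered after the job produced it or the metadata belongs to a different build; a match says nothing about the metadata's origin until the signing work referenced above lands.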
Edited by Pierrick Seite