diff --git a/app/models/packages/package.rb b/app/models/packages/package.rb
index b6e96f349ce50abde7efda165fb8fe5f77e4a150..d362bdf6c82e2e396d8436b9f6b0f5a9d170923c 100644
--- a/app/models/packages/package.rb
+++ b/app/models/packages/package.rb
@@ -250,6 +250,63 @@ def publish_creation_event
 def detailed_info?
 DETAILED_INFO_STATUSES.include?(status.to_sym)
 end
+
+ def to_slsa
+ build = last_build_info.pipeline.builds.find_by_name('publish_artifact_with_provenance')
+ return false unless build
+ return false unless build.runner_manager_build
+
+ runner_manager_build = build.runner_manager_build
+ runner = build.runner
+ project = build.project
+ file = package_files.first
+
+ {
+ _type: "https://in-toto.io/Statement/v0.1",
+ predicateType: "https://slsa.dev/provenance/v1",
+ subject: [
+ {
+ name: file.file_name,
+ digest: {
+ sha256: file.file_sha256
+ }
+ }
+ ],
+ predicate: {
+ buildDefinition: {
+ buildType: "https://gitlab.com/gitlab-org/gitlab-runner/-/blob/#{runner_manager_build.runner_manager.revision}/PROVENANCE.md",
+ externalParameters: build.variables.map(&:key),
+ internalParameters: {
+ architecture: runner_manager_build.runner_manager.architecture,
+ executor: runner_manager_build.runner_manager.executor_type,
+ job: build.id,
+ name: runner.display_name
+ },
+ resolvedDependencies: [
+ {
+ uri: Gitlab::Routing.url_helpers.project_url(project),
+ digest: {
+ sha256: build.sha
+ }
+ }
+ ]
+ },
+ runDetails: {
+ builder: {
+ id: Gitlab::Routing.url_helpers.group_runner_url(runner.owner, runner),
+ version: {
+ "gitlab-runner": runner_manager_build.runner_manager.revision
+ }
+ },
+ metadata: {
+ invocationID: build.id,
+ startedOn: build.started_at.try(:iso8601),
+ finishedOn: build.finished_at.try(:iso8601)
+ }
+ }
+ }
+ }
+ end
 end
 
 Packages::Package.prepend_mod
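Review bot: `file = package_files.first` in to_slsa picks one file with no ordering and no nil guard, so a package with several files gets a provenance statement whose `subject` silently omits the rest, and a package with none raises NoMethodError on `file.file_name`; the subject should cover every file, e.g. `subject: package_files.map { |f| { name: f.file_name, digest: { sha256: f.file_sha256 } } }`, with `return false if package_files.empty?` next to the existing guards. The `resolvedDependencies` entry labels `build.sha` as `sha256`, but that value looks like the pipeline's git commit id rather than a SHA-256 of anything, so a consumer verifying the digest will mismatch; SLSA's ResourceDescriptor provides a `gitCommit` digest key for exactly this, `digest: { gitCommit: build.sha }`. The chain `last_build_info.pipeline.builds` and the later `build.runner` / `runner_manager_build.runner_manager` dereferences get none of the nil checks the method applies to `build` itself, which is worth guarding or documenting as invariants, since a raise here would surface on whatever endpoint serves the statement. Returning `false` on the guard paths and a Hash otherwise mixes return types; `nil` is the idiomatic absent value and lets callers use `&.`.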