
BUILD-9447 Generation attestation for build actions #136

Merged
SamirM-BE merged 13 commits into master from feat/smarini/BUILD-9447
Nov 7, 2025

Conversation

@SamirM-BE
Contributor

@SamirM-BE SamirM-BE commented Oct 23, 2025

BUILD-9447: Introduce automatic provenance attestation across build actions

Overview

This PR introduces automatic SLSA provenance attestation generation across Gradle, Maven, NPM, Poetry, and Yarn build actions. Our goal is to cover ~80% of repositories without requiring teams to specify artifact names manually.

What's included

  • New attestation step in each build action via export_built_artifacts, using ecosystem-appropriate filesystem discovery with standard exclusions (e.g., skip sources/javadoc/tests JARs).
  • Attestation gated behind deployability checks (should_deploy) to avoid noise on non-deploy branches/PRs.
  • Maven: honor maven.deploy.skip=true to skip attestation for non-deployable modules.
  • ShellSpec tests updated to validate the new behavior with minimal setup.
  • No changes to existing build or publish behavior; this only adds attestation generation.

Assumptions (by design)

These are industry-standard conventions intended to cover most cases:

  • Gradle: artifacts live under build/libs, build/distributions, optionally build/reports (SBOMs).
  • Maven: artifacts under target/ (with support for project.build.directory).
  • Poetry: built distributions under dist/.
  • File types: we focus on the most common ones we publish today (e.g., *.jar, *.war, *.ear, *.zip, *.tar.gz, *.tar, *.json; plus Maven *.pom/*.asc, Poetry *.whl/*.tar.gz, NPM/Yarn *.tgz).

These assumptions are deliberate trade-offs to reach broad coverage quickly. Covering 100% of relevant artifacts would require stronger standardization across repositories (folder layouts, naming conventions, and artifact naming).

Recommended path for full accuracy

Teams that need precise control should explicitly provide the artifact paths via the provenance-subject-path input, listing the exact files to attest.

Validation on 6 repositories

The approach was validated across six repositories (multiple runs for some repos):

Together, these validate Gradle, Maven, Python/Poetry, NPM, and Yarn flows, including default artifact discovery and attestation gating.
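The discovery-and-gating flow described above, as an added example that is not the project's own export_built_artifacts(): it applies the listed directory conventions and JAR exclusions, honors a maven.deploy.skip=true module, and only emits a subject list when the build is deployable. The GITHUB_REF_NAME / PROVENANCE_ON_PR gate and the grep on pom.xml are hypothetical stand-ins for the action's real checks.

```shell
#!/usr/bin/env sh
# Added example, not the project's own export_built_artifacts(): discover the
# artifact kinds the PR lists under the conventional Gradle/Maven/Poetry
# directories, apply the stated exclusions, and gate on deployability.
# Assumptions: GITHUB_REF_NAME/PROVENANCE_ON_PR and the grep on pom.xml are
# hypothetical stand-ins for the action's real gate and Maven check.

# Deploy only from the default branch (master) or when provenance-on-pr=true.
should_deploy() {
  [ "${GITHUB_REF_NAME:-}" = "master" ] || [ "${PROVENANCE_ON_PR:-false}" = "true" ]
}

# Maven modules marked maven.deploy.skip=true in their pom are not attested.
module_deploy_skipped() {
  grep -q '<maven.deploy.skip>true</maven.deploy.skip>' "$1/pom.xml" 2>/dev/null
}

# Print deployable artifact paths under $1, one per line, excluding the
# -sources/-javadoc/-tests JARs that are never publish subjects.
discover_artifacts() {
  root=$1
  for dir in build/libs build/distributions target dist; do
    [ -d "$root/$dir" ] || continue
    [ "$dir" = target ] && module_deploy_skipped "$root" && continue
    # bare 'find' resolves via PATH; /usr/bin/find is a problematic symlink
    # on Windows and macOS runners.
    find "$root/$dir" -maxdepth 1 -type f \
      \( -name '*.jar' -o -name '*.war' -o -name '*.ear' -o -name '*.zip' \
         -o -name '*.tar.gz' -o -name '*.pom' -o -name '*.whl' -o -name '*.tgz' \) \
      ! -name '*-sources.jar' ! -name '*-javadoc.jar' ! -name '*-tests.jar'
  done | sort
}

# Write the attestation subject list to $2; succeed only when the build is
# deployable and at least one artifact was found, so the attest step can be
# skipped cleanly otherwise.
export_built_artifacts() {
  root=$1
  out=$2
  : > "$out"
  should_deploy || return 1
  discover_artifacts "$root" > "$out"
  [ -s "$out" ]
}
```

The resulting file is what you would feed to the attest step's subject-path input; an empty file or a non-zero exit means the step should be skipped rather than attesting nothing.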

@SamirM-BE SamirM-BE force-pushed the feat/smarini/BUILD-9447 branch 23 times, most recently from 838e0de to 4102b9d, October 27, 2025 12:58
@SamirM-BE SamirM-BE force-pushed the feat/smarini/BUILD-9447 branch 7 times, most recently from e7f5021 to 4e608b9, November 4, 2025 12:58
@SamirM-BE SamirM-BE force-pushed the feat/smarini/BUILD-9447 branch 15 times, most recently from b79abe1 to 659dd3d, November 6, 2025 16:33
- Add generate-provenance and provenance-on-pr input parameters to all 5 build actions
- Add provenance-subject-path override parameter for custom artifact paths
- Implement artifact capture for all build types:
  * Gradle: Search build/libs, distributions, publications directories
  * Maven: Search target directories
  * Poetry: Search dist directory
  * NPM: Copy .tgz to .attestation-artifacts before jf npm publish deletes it
  * Yarn: Copy .tgz to .attestation-artifacts before jf npm publish deletes it
- Add attestation step using actions/attest-build-provenance@v3.0.0
- Only generate attestations on default branch (master) or when provenance-on-pr=true
- Update example workflows (sonar-dummy-*, sonar-go-enterprise) to use new parameters
- Add attestations write permission to workflow examples
…tions

On Windows and Mac, /usr/bin/find is a problematic symlink
@sonarqubecloud

sonarqubecloud bot commented Nov 7, 2025

SonarQube reviewer guide

Summary: Adds SLSA build provenance attestation support to all build actions (Maven, Gradle, NPM, Yarn, Poetry).

Review Focus: The automatic artifact discovery logic in each build script's export_built_artifacts() function uses filesystem patterns and may need validation. Pay attention to the conditional logic for when attestations are generated (deployment must be enabled and artifacts must be found).

Start review at: README.md. This provides comprehensive documentation of the new provenance feature, including ecosystem-specific assumptions and configuration options that are crucial for understanding how the feature works across all build actions.


Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 Dependency risks

Measures
0 Security Hotspots
85.0% Coverage on New Code
0.0% Duplication on New Code
