feat: add a new check to map artifacts to pipelines#471

Merged
behnazh-w merged 6 commits into staging from add-artifact-match-pipeline-check on Sep 13, 2023

Conversation

@behnazh-w (Member) commented Sep 12, 2023

This PR adds a new check, `mcn_infer_artifact_pipeline_1`, to detect a potential pipeline from which an artifact is published.

When a verifiable provenance is found for an artifact, the result of this check can be discarded. Otherwise, we check whether a CI workflow run has automatically published the artifact.

We use several heuristics in this check:

  • The workflow run should have started before the artifact is published.
  • The workflow step that calls a deploy command should have run successfully.
  • The workflow step that calls a deploy command should have started before the artifact is published.

This check supports Maven artifacts built using Gradle or Maven and published on Maven Central only. Support for other registries and ecosystems will be added in the future.

Note: due to a limitation, we cannot specify the provenance checks as parents of this check because a check cannot have more than one parent in the current design. It would be good to skip this with a success result if the relevant provenance checks pass in the future.
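The three heuristics listed in the PR description, carried through as an added Python example (this is not Macaron's own implementation, which the page does not show). The data classes, the deploy-command patterns, and the workflow-run sample data are assumptions constructed here; Macaron reads the real data from the CI service and the package registry.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical patterns for a "deploy command" (assumption; Macaron keeps its own list).
DEPLOY_COMMAND_PATTERNS = ("mvn deploy", "./mvnw deploy", "gradle publish", "./gradlew publish")


@dataclass
class Step:
    """One step of a workflow run, as a CI service would report it (hypothetical shape)."""
    name: str
    run_command: str
    conclusion: str  # e.g. "success", "failure", "skipped"
    started_at: datetime


@dataclass
class WorkflowRun:
    run_id: int
    started_at: datetime
    steps: list[Step] = field(default_factory=list)


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp into an aware UTC datetime.

    Registry and CI timestamps often differ in offset notation ("Z" vs "+00:00")
    or arrive naive; comparing naive and aware datetimes raises in Python, so
    everything is normalised to UTC before any comparison.
    """
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def is_deploy_step(step: Step) -> bool:
    """True when the step's command matches one of the deploy-command patterns."""
    return any(p in step.run_command for p in DEPLOY_COMMAND_PATTERNS)


def infer_publishing_runs(runs: list[WorkflowRun], published_at: datetime) -> list[int]:
    """Return the ids of runs that satisfy all three heuristics:

    1. the run started before the artifact was published,
    2. the run contains a deploy step that concluded successfully,
    3. that deploy step started before the artifact was published.
    """
    candidates: list[int] = []
    for run in runs:
        if run.started_at >= published_at:  # heuristic 1
            continue
        for step in run.steps:
            if not is_deploy_step(step):
                continue
            if step.conclusion == "success" and step.started_at < published_at:  # heuristics 2 and 3
                candidates.append(run.run_id)
                break
    return candidates


# Constructed sample data: one artifact publish time and five workflow runs.
PUBLISHED_AT = parse_ts("2023-09-12T10:30:00Z")
SAMPLE_RUNS = [
    # run started and deployed successfully before publication -> candidate
    WorkflowRun(101, parse_ts("2023-09-12T10:00:00Z"),
                [Step("Publish", "./gradlew publish", "success", parse_ts("2023-09-12T10:20:00Z"))]),
    # deploy step failed -> excluded
    WorkflowRun(102, parse_ts("2023-09-12T09:00:00Z"),
                [Step("Deploy", "mvn deploy", "failure", parse_ts("2023-09-12T09:10:00Z"))]),
    # run started after publication -> excluded
    WorkflowRun(103, parse_ts("2023-09-12T11:00:00Z"),
                [Step("Deploy", "mvn deploy", "success", parse_ts("2023-09-12T11:05:00Z"))]),
    # run started before, but the deploy step itself ran after publication -> excluded
    WorkflowRun(104, parse_ts("2023-09-12T10:00:00+00:00"),
                [Step("Deploy", "mvn deploy", "success", parse_ts("2023-09-12T10:45:00+00:00"))]),
    # no deploy command at all -> excluded
    WorkflowRun(105, parse_ts("2023-09-12T10:05:00Z"),
                [Step("Test", "mvn test", "success", parse_ts("2023-09-12T10:06:00Z"))]),
]

if __name__ == "__main__":
    print(infer_publishing_runs(SAMPLE_RUNS, PUBLISHED_AT))  # [101]
```

Only run 101 survives all three filters; a matching run is still a heuristic inference, which is why the PR description says the result is superseded whenever verifiable provenance for the artifact exists.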

@behnazh-w behnazh-w self-assigned this Sep 12, 2023
@oracle-contributor-agreement oracle-contributor-agreement Bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Sep 12, 2023
@behnazh-w behnazh-w changed the title Add artifact match pipeline check feat: add a new check to map artifacts to pipelines Sep 12, 2023
@behnazh-w behnazh-w force-pushed the add-artifact-match-pipeline-check branch 2 times, most recently from f6128e4 to 7cc62b6 Compare September 12, 2023 12:59
@behnazh-w behnazh-w marked this pull request as ready for review September 12, 2023 21:41
@behnazh-w behnazh-w requested a review from tromai as a code owner September 12, 2023 21:41
Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
@behnazh-w behnazh-w force-pushed the add-artifact-match-pipeline-check branch from b36f0ff to 9d628de Compare September 13, 2023 00:06
Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
@behnazh-w behnazh-w force-pushed the add-artifact-match-pipeline-check branch from 9d628de to 5cfd17a Compare September 13, 2023 00:40
Comment thread src/macaron/slsa_analyzer/package_registry/maven_central_registry.py Outdated
Comment thread src/macaron/slsa_analyzer/git_service/api_client.py
Comment thread src/macaron/slsa_analyzer/git_service/api_client.py Outdated
Comment thread src/macaron/slsa_analyzer/ci_service/github_actions.py
Comment thread src/macaron/slsa_analyzer/git_service/api_client.py
Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
Comment thread src/macaron/slsa_analyzer/ci_service/github_actions.py
Comment thread docs/source/pages/supported_technologies/index.rst Outdated
Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
@behnazh-w behnazh-w merged commit 13206e5 into staging Sep 13, 2023
@behnazh-w behnazh-w deleted the add-artifact-match-pipeline-check branch September 21, 2023 04:06
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
This PR adds a new check, `mcn_infer_artifact_pipeline_1` to detect a potential pipeline from which an artifact is published.

When a verifiable provenance is found for an artifact, the result of this check can be discarded. Otherwise, we check whether a CI workflow run has automatically published the artifact.

This check supports Maven artifacts built using Gradle or Maven and published on Maven Central only. Support for other registries and ecosystems will be added in the future.

Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>