feat: cache artifact signing command with Sigstore integration #244
+1,570
−457
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add comprehensive SLSA v0.2 provenance generation using in-toto libraries - Implement keyless signing with Sigstore integration - Create structured error handling for signing operations - Add GitHub Actions context validation and extraction - Support .att file format compatible with existing verification - Replace parallel signing approach with single-step generation and signing Co-authored-by: Ona <no-reply@ona.com>
- Implement leeway plumbing sign-cache command for secure artifact signing - Add --from-manifest flag to process build manifests from previous jobs - Support parallel artifact processing with WaitGroup coordination - Create adapter pattern for RemoteCache interface compatibility - Enable separation of build and signing concerns in CI workflows - Support GitHub Actions OIDC token-based keyless signing Co-authored-by: Ona <no-reply@ona.com>
- Add github.com/sigstore/sigstore-go v1.1.2 for keyless signing - Update in-toto libraries for SLSA v0.2 provenance generation - Upgrade AWS SDK and other dependencies to latest versions - Support GitHub Actions OIDC token integration Co-authored-by: Ona <no-reply@ona.com>
- Replace TODO placeholder with actual sigstore-go v1.1.2 API calls - Add proper DSSE format for SLSA attestations (application/vnd.in-toto+json) - Implement TUF-based trusted root and signing config fetching - Add dynamic Fulcio and Rekor service selection from signing config - Remove manual OIDC token handling, let sigstore-go handle GitHub OIDC automatically - Add comprehensive GitHub Actions environment validation (GITHUB_ACTIONS=true) - Replace placeholder attestation envelope with real Sigstore bundles - Improve error messages for better debugging in CI environments Fixes critical API usage issues identified in code review. Enables production keyless signing with GitHub OIDC tokens. Co-authored-by: Ona <no-reply@ona.com>
- Use getRemoteCacheFromEnv() instead of getRemoteCache(cmd) for cleaner interface - Remove unused imports (path/filepath, time) to clean up dependencies - Improve command interface consistency with other leeway commands Co-authored-by: Ona <no-reply@ona.com>
geropl
reviewed
Oct 21, 2025
| Long: `Reads artifact paths from manifest file, generates SLSA attestations, | ||
| and uploads to remote cache with write-only credentials. | ||
|
|
||
| This command is designed for CI environments where build and signing are |
geropl
reviewed
Oct 21, 2025
geropl
reviewed
Oct 21, 2025
geropl
reviewed
Oct 21, 2025
geropl
reviewed
Oct 21, 2025
geropl
reviewed
Oct 21, 2025
geropl
reviewed
Oct 21, 2025
geropl
reviewed
Oct 21, 2025
The tempMu mutex is not required because: - runSignCache is only called once from a single location - tempFiles slice is never modified after initialization - No goroutines access the tempFiles slice - Deferred cleanup runs after wg.Wait() ensures all goroutines complete Co-authored-by: Ona <noreply@gitpod.io> Co-authored-by: Ona <no-reply@ona.com>
Replace hardcoded 0.5 with a named constant to improve code readability and maintainability. The constant is placed alongside maxConcurrency for consistency and includes a descriptive comment explaining the threshold. Co-authored-by: Ona <noreply@gitpod.io> Co-authored-by: Ona <no-reply@ona.com>
…path Replace hardcoded .github/workflows/build.yml assumption with the GITHUB_WORKFLOW_REF environment variable which contains the complete workflow reference including repository, workflow path, and git ref. This makes the code work with any workflow file name and location, not just build.yml in .github/workflows/. Co-authored-by: Ona <noreply@gitpod.io> Co-authored-by: Ona <no-reply@ona.com>
The sign-cache command runs in a separate CI job after the build completes, signing already-built artifacts. At signing time, we don't have access to the actual build start/finish times. Setting both timestamps to nil is the correct approach because: - Using signing time would be incorrect (build happened earlier) - Using artifact mtime would be misleading (download time, not build time) - SLSA spec allows these optional fields to be omitted - Better to omit data than provide incorrect data The SLSA library uses *time.Time with omitempty, so nil values will be properly omitted from the JSON output. Co-authored-by: Ona <noreply@gitpod.io> Co-authored-by: Ona <no-reply@ona.com>
Add UploadFile(ctx, filePath, key) method to RemoteCache interface to remove the mock object workaround in upload.go. Changes: - Add UploadFile method to RemoteCache interface with documentation - Implement in S3Cache with rate limiting and timeout handling - Implement in GSUtilCache using gsutil cp command - Implement in NoRemoteCache as no-op - Simplify upload.go by removing 87 lines of mock object code (mockCachePackage, mockLocalCache, uploadFileToS3, uploadToS3Cache) - Remove unused remote package import from upload.go The refactoring makes the code cleaner and more maintainable while preserving the exact same upload behavior. All tests pass. Co-authored-by: Ona <noreply@gitpod.io> Co-authored-by: Ona <no-reply@ona.com>
geropl
reviewed
Oct 22, 2025
| } | ||
|
|
||
| // Upload artifact first using the new UploadFile method | ||
| if err := u.remoteCache.UploadFile(ctx, artifactPath, artifactKey); err != nil { |
geropl
approved these changes
Oct 22, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Adds the
leeway plumbing sign-cachecommand for signing cache artifacts with SLSA v0.2 attestations, completing the SLSA Level 3 implementation started in PR #242 and PR #243.Changes
sign-cachecommand: CLI for signing cache artifacts from manifest files.attfiles to S3 cacheBuilds on existing cache verification (PR #242) and in-flight checksumming (PR #243) to provide complete signing infrastructure for separated CI jobs.
Related Issue(s)
Completes SLSA Level 3 cache artifact signing implementation.
Fixes https://linear.app/ona-team/issue/CLC-1959/create-leeway-signing-command
How to test
Basic functionality: