BUILD-9447 Generation attestation for build actions (#136)

* BUILD-9447 Add provenance attestation to all build actions

- Add generate-provenance and provenance-on-pr input parameters to all 5 build actions
- Add provenance-subject-path override parameter for custom artifact paths
- Implement artifact capture for all build types:
  * Gradle: Search build/libs, distributions, publications directories
  * Maven: Search target directories
  * Poetry: Search dist directory
  * NPM: Copy .tgz to .attestation-artifacts before jf npm publish deletes it
  * Yarn: Copy .tgz to .attestation-artifacts before jf npm publish deletes it
- Add attestation step using actions/[email protected]
- Only generate attestations on default branch (master) or when provenance-on-pr=true
- Update example workflows (sonar-dummy-*, sonar-go-enterprise) to use new parameters
- Add attestations write permission to workflow examples

Author: SamirM-BE

README.md

@@ -890,8 +890,6 @@ jobs:
 - Support for different branch types (default, maintenance, PR, dogfood, long-lived feature)
 - Comprehensive build logging and error handling
 
----
-
 ## `promote`
 
 This action promotes a build in JFrog Artifactory and updates the GitHub status check accordingly.
@@ -1154,6 +1152,68 @@ After running this action, the following environment variables are available:
 - **Smart Cache Management**: Caches smctl installation directory and jsign .deb package for faster subsequent runs
 - **Automatic Setup**: Handles all DigiCert authentication and environment configuration
 
+## Provenance Attestation
+
+The build actions in this repository can automatically generate SLSA build provenance
+attestations for produced artifacts when the build is considered deployable. This feature is
+powered by [`actions/attest-build-provenance`](https://github.com/actions/attest-build-provenance).
+
+Attestations identify the artifact(s) that serve as the subject of the attestation. The `build-*` actions
+attempt to discover these subjects automatically using conventional build output locations and
+common file types for each ecosystem. Automatic discovery runs only when deployment is enabled.
+The attestation step runs when `provenance` parameter is enabled and artifact paths are available (either via
+`provenance-artifact-paths` or from the build output); otherwise, it is skipped.
+
+### Ecosystem assumptions (automatic discovery)
+
+- Gradle
+  - Locations: `**/build/libs/**`, `**/build/distributions/**`, `**/build/reports/**` (for SBOM JSONs)
+  - File types: `*.jar`, `*.war`, `*.ear`, `*.zip`, `*.tar.gz`, `*.tar`, `*.json`
+  - Exclusions: `*-sources.jar`, `*-javadoc.jar`, `*-tests.jar`
+
+- Maven
+  - Location: `**/<project.build.directory>/**` (queried via Maven); falls back to `target/`
+  - File types: `*.jar`, `*.war`, `*.ear`, `*.zip`, `*.tar.gz`, `*.tar`, `*.pom`, `*.json`
+  - Exclusions: `*-sources.jar`, `*-javadoc.jar`, `*-tests.jar`
+  - Skip rule: if `maven.deploy.skip=true` is effective, attestation is skipped for that module
+
+- Poetry (Python)
+  - Location: `dist/`
+  - File types: `*.whl`, `*.tar.gz`, `*.json`
+
+- NPM
+  - Location: `.attestation-artifacts/`
+  - File types: `*.tgz`
+
+- Yarn
+  - Location: `.attestation-artifacts/`
+  - File types: `*.tgz`
+
+These assumptions are based on widely-used industry conventions and on how artifacts are currently
+published to our Artifactory. They should cover most repositories, but they are not exhaustive. If
+needed, you can customize the paths via the `provenance-artifact-paths` input.
+
+### Manually specify subjects when needed
+
+For complete accuracy, we recommend explicitly specifying the artifacts to attest using the
+`provenance-artifact-paths` input. Repository owners know best what their build produces, so
+providing explicit paths might be sometimes preferable. `provenance-artifact-paths` is passed to
+`actions/attest-build-provenance` as the `subject-path` input. It may be a glob pattern or a
+newline-separated list of paths (total subject count cannot exceed 1024). See upstream docs for
+details and more examples: [`actions/attest-build-provenance`](https://github.com/actions/attest-build-provenance).
+
+Example with a build action (same idea applies to other actions):
+
+```yaml
+- uses: SonarSource/ci-github-actions/build-maven@v1
+  with:
+    provenance-artifact-paths: |
+      target/*.jar
+      target/*bom.json
+```
+
+---
+
 ## Release
 
 1. Create a new GitHub release on <https://github.com/SonarSource/ci-github-actions/releases>

build-gradle/action.yml

@@ -58,6 +58,17 @@ inputs:
   disable-caching:
     description: Whether to disable Gradle caching entirely
     default: 'false'
+  provenance:
+    description: Whether to generate provenance attestation for built artifacts
+    default: 'false'
+  provenance-pull-request:
+    description: Whether to generate provenance attestation on pull requests (similar to deploy-pull-request)
+    default: 'false'
+  provenance-artifact-paths:
+    description: >-
+      Relative paths of the artifacts for which to generate a provenance attestation (glob pattern).
+      Default is collected from '*/build/libs/*', '*/build/distributions/*', and '*/build/reports/*'
+    default: ''
 
 outputs:
   project-version:
@@ -69,6 +80,9 @@ outputs:
   deployed:
     description: Whether artifacts were deployed
     value: ${{ steps.build.outputs.deployed }}
+  artifact-paths:
+    description: Newline-separated list of artifact paths for provenance attestation
+    value: ${{ steps.build.outputs.artifact-paths }}
 
 runs:
   using: composite
@@ -230,6 +244,15 @@ runs:
         name: problems-report-${{ github.job }}${{ strategy.job-index }}
         path: build/reports/problems/problems-report.html
         if-no-files-found: ignore
+    - name: Generate provenance attestation
+      if: >-
+        ${{ inputs.provenance == 'true' && steps.build.outputs.deployed == 'true' &&
+            (inputs.provenance-artifact-paths != '' || steps.build.outputs.artifact-paths != '') }}
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-path: >-
+          ${{ inputs.provenance-artifact-paths != '' && inputs.provenance-artifact-paths || steps.build.outputs.artifact-paths }}
+        show-summary: true
 
     - name: Generate workflow summary
       if: always()

build-gradle/build.sh

@@ -227,6 +227,7 @@ gradle_build_and_analyze() {
   "$GRADLE_CMD" "${gradle_args[@]}"
   if should_deploy; then
     echo "deployed=true" >> "$GITHUB_OUTPUT"
+    export_built_artifacts
   fi
 }
 
@@ -254,6 +255,47 @@ gradle_build() {
   fi
 }
 
+export_built_artifacts() {
+  if ! should_deploy; then
+    return 0
+  fi
+
+  echo "::group::Capturing built artifacts for attestation"
+
+  # Find all built artifacts, excluding sources/javadoc/tests JARs
+  local artifacts find_bin
+  find_bin="/bin/find"
+  if [[ ! -x "$find_bin" ]]; then
+    find_bin="/usr/bin/find"
+  fi
+  artifacts=$("$find_bin" . \( -path '*/build/libs/*' -o -path '*/build/distributions/*' -o -path '*/build/reports/*' \) \
+    \( -name '*.jar' -o -name '*.war' -o -name '*.ear' -o -name '*.zip' -o -name '*.tar.gz' -o -name '*.tar' -o -name '*.json' \) \
+    ! -name '*-sources.jar' ! -name '*-javadoc.jar' ! -name '*-tests.jar' \
+    -type f 2>/dev/null)
+
+  # Sort and deduplicate (avoid Windows sort.exe)
+  if [[ -n "$artifacts" ]]; then
+    artifacts=$(echo "$artifacts" | /usr/bin/sort -u)
+  fi
+
+  if [[ -z "$artifacts" ]]; then
+    echo "::warning title=No artifacts found::No artifacts found for attestation in build output directories"
+    echo "::endgroup::"
+    return 0
+  fi
+
+  echo "Found artifacts for attestation:"
+  echo "$artifacts"
+
+  {
+    echo "artifact-paths<<EOF"
+    echo "$artifacts"
+    echo "EOF"
+  } >> "$GITHUB_OUTPUT"
+
+  echo "::endgroup::"
+}
+
 main() {
   check_tool java -version
   set_gradle_cmd

build-maven/action.yml

@@ -58,13 +58,27 @@ inputs:
   disable-caching:
     description: Whether to disable Maven caching entirely
     default: 'false'
+  provenance:
+    description: Whether to generate provenance attestation for built artifacts
+    default: 'false'
+  provenance-pull-request:
+    description: Whether to generate provenance attestation on pull requests (similar to deploy-pull-request)
+    default: 'false'
+  provenance-artifact-paths:
+    description: >-
+      Relative paths of the artifacts for which to generate a provenance attestation (glob pattern).
+      Default is collected from '*/target/*' (or custom build directory from pom.xml)
+    default: ''
 outputs:
   BUILD_NUMBER:
     description: The build number, incremented or reused if already cached
     value: ${{ steps.config.outputs.BUILD_NUMBER }}
   deployed:
     description: Whether artifacts were deployed
     value: ${{ steps.build.outputs.deployed }}
+  artifact-paths:
+    description: Newline-separated list of artifact paths for provenance attestation
+    value: ${{ steps.build.outputs.artifact-paths }}
 
 runs:
   using: composite
@@ -161,6 +175,16 @@ runs:
         rm -rf "$MAVEN_CONFIG/repository/com/sonarsource/"
         /usr/bin/find "$MAVEN_CONFIG/repository" -name resolver-status.properties -delete
 
+    - name: Generate provenance attestation
+      if: >-
+        ${{ inputs.provenance == 'true' && steps.build.outputs.deployed == 'true' &&
+            (inputs.provenance-artifact-paths != '' || steps.build.outputs.artifact-paths != '') }}
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-path: >-
+          ${{ inputs.provenance-artifact-paths != '' && inputs.provenance-artifact-paths || steps.build.outputs.artifact-paths }}
+        show-summary: true
+
     - name: Generate workflow summary
       if: always()
       shell: bash

build-maven/build.sh

@@ -174,6 +174,7 @@ build_maven() {
 
   if should_deploy; then
     echo "deployed=true" >> "$GITHUB_OUTPUT"
+    export_built_artifacts
   fi
 
   # Execute SonarQube analysis if enabled
@@ -189,6 +190,52 @@ build_maven() {
   fi
 }
 
+export_built_artifacts() {
+  local deployed
+  deployed=$(grep "deployed=" "$GITHUB_OUTPUT" 2>/dev/null | cut -d= -f2)
+  [[ "$deployed" != "true" ]] && return 0
+
+  echo "::group::Capturing built artifacts for attestation"
+
+  # Query Maven for build directory name, fallback to 'target'
+  local build_dir
+  build_dir=$(mvn help:evaluate -Dexpression=project.build.directory -q -DforceStdout 2>/dev/null | xargs basename 2>/dev/null || echo "target")
+  echo "Scanning for artifacts in: */${build_dir}/*"
+
+  # Find all built artifacts (excluding sources, javadoc, tests)
+  local artifacts find_bin
+  find_bin="/bin/find"
+  if [[ ! -x "$find_bin" ]]; then
+    find_bin="/usr/bin/find"
+  fi
+  artifacts=$("$find_bin" . -path "*/${build_dir}/*" \
+    \( -name '*.jar' -o -name '*.war' -o -name '*.ear' -o -name '*.zip' -o -name '*.tar.gz' -o -name '*.tar' -o -name '*.pom' -o -name '*.asc' -o -name '*.json' \) \
+    ! -name '*-sources.jar' ! -name '*-javadoc.jar' ! -name '*-tests.jar' \
+    -type f 2>/dev/null)
+
+  # Sort and deduplicate (avoid Windows sort.exe)
+  if [[ -n "$artifacts" ]]; then
+    artifacts=$(echo "$artifacts" | /usr/bin/sort -u)
+  fi
+
+  if [[ -z "$artifacts" ]]; then
+    echo "::warning title=No artifacts found::No artifacts found for attestation in build output directories"
+    echo "::endgroup::"
+    return 0
+  fi
+
+  echo "Found artifacts for attestation:"
+  echo "$artifacts"
+
+  {
+    echo "artifact-paths<<EOF"
+    echo "$artifacts"
+    echo "EOF"
+  } >> "$GITHUB_OUTPUT"
+
+  echo "::endgroup::"
+}
+
 if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
   build_maven "$@"
 fi

build-npm/action.yml

@@ -42,6 +42,17 @@ inputs:
   build-name:
     description: Name of the build to publish. Defaults to the repository name.
     default: ''
+  provenance:
+    description: Whether to generate provenance attestation for built artifacts
+    default: 'false'
+  provenance-pull-request:
+    description: Whether to generate provenance attestation on pull requests (similar to deploy-pull-request)
+    default: 'false'
+  provenance-artifact-paths:
+    description: >-
+      Relative paths of the artifacts for which to generate a provenance attestation (glob pattern).
+      Default is collected from '.attestation-artifacts/' directory
+    default: ''
 
 outputs:
   BUILD_NUMBER:
@@ -53,6 +64,12 @@ outputs:
   project-version:
     description: The project version with build number (after replacement). Also set as environment variable PROJECT_VERSION.
     value: ${{ steps.config.outputs.project-version }}
+  deployed:
+    description: Whether artifacts were deployed
+    value: ${{ steps.build.outputs.deployed }}
+  artifact-paths:
+    description: Newline-separated list of artifact paths for provenance attestation
+    value: ${{ steps.build.outputs.artifact-paths }}
 
 runs:
   using: composite
@@ -153,6 +170,16 @@ runs:
         path: ~/.npm/_logs/
         if-no-files-found: ignore
 
+    - name: Generate provenance attestation
+      if: >-
+        ${{ inputs.provenance == 'true' && steps.build.outputs.deployed == 'true' &&
+            (inputs.provenance-artifact-paths != '' || steps.build.outputs.artifact-paths != '') }}
+      uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-path: >-
+          ${{ inputs.provenance-artifact-paths != '' && inputs.provenance-artifact-paths || steps.build.outputs.artifact-paths }}
+        show-summary: true
+
     - name: Generate workflow summary
       if: always()
       shell: bash