Build Type: Jenkins
This is a SLSA Provenance buildType that describes the execution of a Jenkins workflow.
This build type was inspired by the GitHub Actions build type described here.
Description
"buildType": "https://docs.cimon.build/provenance/buildtypes/jenkins/v1"
The Jenkins build type describes the execution of a Jenkins workflow that builds a software artifact.
Build Definition
External parameters
All external parameters are REQUIRED unless empty.
Parameter | Type | Description |
---|---|---|
workflow | object | The workflow that was run |
workflow.name | string | The full name of the Jenkins job |
workflow.repository | string | URI of the git repository (if exists) |
workflow.ref | string | A git reference to the commit (if exists) |
workflow.filePath | string | - |
job | object | The currently running stage of the Jenkins job |
job.jobName | string | The stage name currently running |
job.jobId | string | - |
build | object | The specific build that generated the provenance |
build.buildRun | string | The build run ID |
build.buildRunAttempt | string | - |
build.buildUrl | string | The full web URL for the build |
Example:
"externalParameters": {
  "workflow": {
    "name": "cimon-attest-tests/cimon-attest-pipeline-github",
    "repository": "https://github.com/cycodelabs/cimon-attest-jenkins-tests",
    "ref": "main"
  },
  "job": {
    "jobName": "Cimon Attest"
  },
  "build": {
    "buildRun": "3",
    "buildUrl": "http://jenkins.server/job/cimon-attest-tests/job/cimon-attest-pipeline-github/3/"
  }
}
Internal parameters
All internal parameters are OPTIONAL.
The internal parameters contain the CI environment variables as they appear in the build. This is how the internal parameters look for this build type:
"internalParameters": {
  "BRANCH_NAME": "main",
  "BUILD_ID": "67",
  "BUILD_NUMBER": "67",
  "BUILD_TAG": "jenkins-cimon-ci-attest-main-67",
  "BUILD_URL": "https://this.is.jenkins.host/job/cimon-ci-attest/job/main/67/",
  "EXECUTOR_NUMBER": "0",
  "GIT_BRANCH": "main",
  "GIT_COMMIT": "bd0a6b8f5265c0da2c1a3224918e86dfb5d30333",
  "GIT_URL": "https://github.com/cycodelabs/cimon-attest-jenkins-tests.git",
  "JENKINS_URL": "https://this.is.jenkins.host/",
  "JOB_BASE_NAME": "main",
  "JOB_NAME": "cimon-ci-attest/main",
  "JOB_URL": "https://this.is.jenkins.host/job/cimon-ci-attest/job/main/",
  "NODE_NAME": "jenkins-agent",
  "STAGE_NAME": "Cimon Attest",
  "WORKSPACE": "/home/ubuntu/jenkins_home/workspace/cimon-ci-attest_main"
}
Resolved Dependencies
The resolvedDependencies SHOULD contain an entry identifying the resolved git commit ID corresponding to externalParameters.workflow. The dependency's URI MUST be in SPDX Download Location format, i.e., "git+" + workflow.uri + "@" + workflow.ref.
Example:
"resolvedDependencies": [
  {
    "uri": "git+https://github.com/cycodelabs/cimon-attest-jenkins-tests@origin/main",
    "digest": {
      "gitCommit": "d1f094f11a55eb186b4900871740848a773a4924"
    },
    "annotations": {
      "signedStatus": "signed",
      "gpgKeyId": "B5690EEEBB952194"
    }
  }
]
Each referenced commit contains signing information as well. The signedStatus field will receive one of three values:
signed: Confirmed that the commit is signed. In that case, gpgKeyId will also be included. The GPG Key ID should look similar to the command output: git log --show-signature -s.
unsigned: Confirmed that the commit is not signed.
unknown: The commit signing information could not be verified.
Run Details
Builder
The builder.id MUST represent the entity that generated the provenance, as per the SLSA Provenance documentation. In the case of Jenkins, this should represent the agent that ran the build. Based on this information, the provenance consumer can decide whether the build environment is secure enough to trust the produced attestation.
Example:
"builder": {
  "id": "http://jenkins.server/computer/jenkins-agent"
}
Metadata
The invocationId SHOULD be set to the Jenkins URL for the specific run.
Example:
"metadata": {
  "invocationID": "https://github.com/cycodelabs/cimon/actions/runs/5706737730/attempts/1"
}
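A consumer-side policy check over the fields this build type defines, as an added example (not Cimon's own code): it accepts a provenance predicate only when the source commit is confirmed signed by a trusted key and builder.id is an allowed agent. The function name and the two trust sets are assumptions, and the buildDefinition/runDetails nesting follows the SLSA v1 provenance layout.

```python
import re

BUILD_TYPE = "https://docs.cimon.build/provenance/buildtypes/jenkins/v1"
REPO = "https://github.com/cycodelabs/cimon-attest-jenkins-tests"
# Assumption: consumer policy, seeded with the sample values shown on this page.
TRUSTED_BUILDERS = {"http://jenkins.server/computer/jenkins-agent"}
TRUSTED_GPG_KEYS = {"B5690EEEBB952194"}
GIT_COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")

def check_provenance(predicate, expected_repo):
    """Return a list of policy violations; an empty list means accept."""
    errors = []
    bd = predicate.get("buildDefinition", {})
    if bd.get("buildType") != BUILD_TYPE:
        errors.append("unexpected buildType")
    wf = bd.get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != expected_repo:
        errors.append("workflow.repository is not the expected repository")
    # Match "git+<repo>@" exactly so a look-alike repository name cannot pass.
    prefix = "git+" + expected_repo + "@"
    src = [d for d in bd.get("resolvedDependencies", [])
           if d.get("uri", "").startswith(prefix)]
    if not src:
        errors.append("no resolved dependency for the workflow repository")
    for dep in src:
        if not GIT_COMMIT_RE.match(dep.get("digest", {}).get("gitCommit", "")):
            errors.append("missing or malformed gitCommit digest")
        ann = dep.get("annotations", {})
        # Fail closed: "unsigned" and "unknown" are both rejected.
        if ann.get("signedStatus") != "signed":
            errors.append("commit not confirmed signed: %s" % ann.get("signedStatus"))
        elif ann.get("gpgKeyId") not in TRUSTED_GPG_KEYS:
            errors.append("commit signed by untrusted key")
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        errors.append("untrusted builder.id: %s" % builder)
    return errors

# Constructed sample assembled from the example fragments on this page.
SAMPLE = {
    "buildDefinition": {
        "buildType": BUILD_TYPE,
        "externalParameters": {"workflow": {"repository": REPO, "ref": "main"}},
        "resolvedDependencies": [{
            "uri": "git+" + REPO + "@origin/main",
            "digest": {"gitCommit": "d1f094f11a55eb186b4900871740848a773a4924"},
            "annotations": {"signedStatus": "signed", "gpgKeyId": "B5690EEEBB952194"}}]},
    "runDetails": {"builder": {"id": "http://jenkins.server/computer/jenkins-agent"}}}
```

Run these checks only after the attestation's own signature has been verified; until then every field in the predicate is untrusted input.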