provenance/doc.go - infra/luci/luci-go - Git at Google

 // Copyright 2022 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 // Package provenance provides API definitions and simple libraries to interface
 // with the APIs.
 //
 // It supports all possible provenance information that are supported currently.
 //
 // Provenance is a metadata about an artifact that provides information to trace
 // a binary back to its sources. It also provides a chain-of-custody as the
 // artifact traverses through multiple systems.
 //
 // Summary
 //
 // Provenance defines APIs for reporting `provenance` metadata, in order to
 // establish a traceable lineage for artifacts produced within the LUCI
 // ecosystem.
 // Artifact provenance is otherwise defined as "metadata which records a
 // snapshot of the build-time states that correspond to an artifact."
 //
 // Usage
 //
 // Service self-report is used by local processes to insert relevant information
 // into provenance. Server side implementation is beyond the scope of this
 // package and is Google-internal.
 //
 // A local git checkout can be reported by:
 //  pClient, _ := client.MakeProvenanceClient(ctx, "http://localhost:port")
 //  reporter := &reporter.Report{RClient: pClient}
 //  ok, err := reporter.ReportGitCheckout(ctx, "https://repo.git", "deadbeef", "refs/heads/example")
 //  if err != nil & !ok {
 //      ...
 //  }
 //
 // This call will return a result back to you, user can implement it in a
 // blocking way to ensure the event was recorded. Failure mode here can be
 // internal error (that would include invalid input) as well as absence of local
 // provenance server.
 //
 // Results here can be:
 //  (true, nil) => report successfully exported
 //  (true, ErrServiceUnavailable) => service unavailable
 //  (false, err) => all other cases
 //
 // This allows users to determine how to interpret failure. A concrete example
 // would be a workload where security policy is set to "enforce" mode, meaning
 // checkout should fail loudly, in this case `ok` status can be ignored.
 // For workloads where this is in "audit" mode, API will return a success ok
 // status when local server isn't configured/unreachable. This is particularly
 // helpful for flexible workloads.
 //
 // Similarly other interfaces of this API can be used to report a variety of
 // interesting things.
 package provenance
	// Copyright 2022 The LUCI Authors.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	// Package provenance provides API definitions and simple libraries to interface
	// with the APIs.
	//
	// It supports all possible provenance information that are supported currently.
	//
	// Provenance is a metadata about an artifact that provides information to trace
	// a binary back to its sources. It also provides a chain-of-custody as the
	// artifact traverses through multiple systems.
	//
	// Summary
	//
	// Provenance defines APIs for reporting `provenance` metadata, in order to
	// establish a traceable lineage for artifacts produced within the LUCI
	// ecosystem.
	// Artifact provenance is otherwise defined as "metadata which records a
	// snapshot of the build-time states that correspond to an artifact."
	//
	// Usage
	//
	// Service self-report is used by local processes to insert relevant information
	// into provenance. Server side implementation is beyond the scope of this
	// package and is Google-internal.
	//
	// A local git checkout can be reported by:
	// pClient, _ := client.MakeProvenanceClient(ctx, "http://localhost:port")
	// reporter := &reporter.Report{RClient: pClient}
	// ok, err := reporter.ReportGitCheckout(ctx, "https://repo.git", "deadbeef", "refs/heads/example")
	// if err != nil & !ok {
	// ...
	// }
	//
	// This call will return a result back to you, user can implement it in a
	// blocking way to ensure the event was recorded. Failure mode here can be
	// internal error (that would include invalid input) as well as absence of local
	// provenance server.
	//
	// Results here can be:
	// (true, nil) => report successfully exported
	// (true, ErrServiceUnavailable) => service unavailable
	// (false, err) => all other cases
	//
	// This allows users to determine how to interpret failure. A concrete example
	// would be a workload where security policy is set to "enforce" mode, meaning
	// checkout should fail loudly, in this case `ok` status can be ignored.
	// For workloads where this is in "audit" mode, API will return a success ok
	// status when local server isn't configured/unreachable. This is particularly
	// helpful for flexible workloads.
	//
	// Similarly other interfaces of this API can be used to report a variety of
	// interesting things.
	package provenance