feat(attestation): Include attestation output automatically on GitHub and GitLab reports (#2668)

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>

Author: javirln

app/cli/cmd/attestation_push.go

@@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 
+	schemaapi "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -37,6 +38,7 @@ func newAttestationPushCmd() *cobra.Command {
 		signServerAuthCertPath string
 		signServerAuthCertPass string
 		bypassPolicyCheck      bool
+		deactivateCIReport     bool
 	)
 
 	cmd := &cobra.Command{
@@ -106,15 +108,29 @@ func newAttestationPushCmd() *cobra.Command {
 
 			res.Status.Digest = res.Digest
 
-			// If we are returning the json format, we also want to render the attestation table as one property so it can also be consumed
-			if flagOutputFormat == output.FormatJSON {
-				// Render the attestation status to a string
-				buf := &bytes.Buffer{}
-				if err := fullStatusTableWithWriter(res.Status, buf); err != nil {
-					return fmt.Errorf("failed to render output: %w", err)
-				}
+			// Render the attestation status to a string
+			buf := &bytes.Buffer{}
+			if err := fullStatusTableWithWriter(res.Status, buf); err != nil {
+				return fmt.Errorf("failed to render output: %w", err)
+			}
 
-				res.Status.TerminalOutput = buf.Bytes()
+			res.Status.TerminalOutput = buf.Bytes()
+
+			// Report to CI/CD platform if supported and not disabled
+			if !deactivateCIReport && !res.Status.DryRun && res.Status.RunnerContext != nil {
+				// Clean up possible ANSI characters from the output
+				sanitizedOutput := removeAnsiCharactersFromBytes(res.Status.TerminalOutput)
+				if err := res.Status.RunnerContext.RawRunner.Report(sanitizedOutput); err != nil {
+					logger.Warn().Err(err).Msg("failed to write CI/CD platform report")
+				} else {
+					// Log success message based on runner type
+					switch res.Status.RunnerContext.RawRunner.ID() {
+					case schemaapi.CraftingSchema_Runner_GITHUB_ACTION:
+						logger.Info().Msg("attestation report written to GitHub step summary")
+					case schemaapi.CraftingSchema_Runner_GITLAB_PIPELINE:
+						logger.Info().Msg("attestation report written to chainloop-attestation-report.txt artifact")
+					}
+				}
 			}
 
 			// In TABLE format, we render the attestation status
@@ -160,6 +176,7 @@ func newAttestationPushCmd() *cobra.Command {
 	cmd.Flags().StringVar(&signServerAuthCertPath, "signserver-client-cert", "", "path to client certificate in PEM format for authenticated SignServer TLS connection")
 	cmd.Flags().StringVar(&signServerAuthCertPass, "signserver-client-pass", "", "certificate passphrase for authenticated SignServer TLS connection")
 	cmd.Flags().BoolVar(&bypassPolicyCheck, exceptionFlagName, false, "do not fail this command on policy violations enforcement")
+	cmd.Flags().BoolVar(&deactivateCIReport, "deactivate-ci-report", false, "deactivate automatic attestation report to CI/CD platform")
 
 	return cmd
 }

app/cli/cmd/attestation_status.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"regexp"
 	"slices"
 	"strings"
 	"time"
@@ -302,3 +303,11 @@ func versionStringAttFinal(p *action.ProjectVersion) string {
 
 	return p.Version
 }
+
+// removeAnsiCharactersFromBytes removes ANSI escape codes from bytes slices.
+// Credits to: https://github.com/acarl005/stripansi
+func removeAnsiCharactersFromBytes(input []byte) []byte {
+	const ansiPattern = "[\u001B\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\u0007)|(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))"
+	re := regexp.MustCompile(ansiPattern)
+	return re.ReplaceAll(input, []byte(""))
+}

app/cli/documentation/cli-reference.mdx

@@ -341,6 +341,7 @@ Options
 --annotation strings              additional annotation in the format of key=value
 --attestation-id string           Unique identifier of the in-progress attestation
 --bundle string                   output a Sigstore bundle to the provided path
+--deactivate-ci-report            deactivate automatic attestation report to CI/CD platform
 --exception-bypass-policy-check   do not fail this command on policy violations enforcement
 -h, --help                            help for push
 -k, --key string                      reference (path or env variable name) to the cosign or KMS key that will be used to sign the attestation

app/cli/pkg/action/attestation_push.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2024 The Chainloop Authors.
+// Copyright 2024-2025 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

app/cli/pkg/action/attestation_status.go

@@ -66,6 +66,7 @@ type AttestationStatusResult struct {
 type AttestationResultRunnerContext struct {
 	EnvVars            map[string]string
 	JobURL, RunnerType string
+	RawRunner          crafter.SupportedRunner
 }
 
 type AttestationStatusWorkflowMeta struct {
@@ -202,6 +203,7 @@ func (action *AttestationStatus) Run(ctx context.Context, attestationID string,
 		EnvVars:    runnerEnvVars,
 		RunnerType: att.RunnerType.String(),
 		JobURL:     att.RunnerUrl,
+		RawRunner:  c.Runner,
 	}
 
 	return res, nil

pkg/attestation/crafter/runner.go

@@ -58,6 +58,10 @@ type SupportedRunner interface {
 	// Returns nil if verification is not supported or not applicable for this runner.
 	// Non-blocking: errors are logged and returned as unavailable status.
 	VerifyCommitSignature(ctx context.Context, commitHash string) *commitverification.CommitVerification
+
+	// Report writes attestation table output to platform-specific location.
+	// Returns nil if platform doesn't support reporting.
+	Report(tableOutput []byte) error
 }
 
 type RunnerM map[schemaapi.CraftingSchema_Runner_RunnerType]SupportedRunner

pkg/attestation/crafter/runners/azurepipeline.go

@@ -101,3 +101,7 @@ func (r *AzurePipeline) Environment() RunnerEnvironment {
 func (r *AzurePipeline) VerifyCommitSignature(_ context.Context, _ string) *commitverification.CommitVerification {
 	return nil // Not supported for this runner
 }
+
+func (r *AzurePipeline) Report(_ []byte) error {
+	return nil
+}

pkg/attestation/crafter/runners/circleci_build.go

@@ -81,3 +81,7 @@ func (r *CircleCIBuild) Environment() RunnerEnvironment {
 func (r *CircleCIBuild) VerifyCommitSignature(_ context.Context, _ string) *commitverification.CommitVerification {
 	return nil // Not supported for this runner
 }
+
+func (r *CircleCIBuild) Report(_ []byte) error {
+	return nil
+}

pkg/attestation/crafter/runners/daggerpipeline.go

@@ -181,3 +181,7 @@ func (r *DaggerPipeline) verifyCommitViaGitLab(ctx context.Context, commitHash s
 	// Call GitLab API to verify commit
 	return commitverification.VerifyGitLabCommit(ctx, baseURL, projectPath, commitHash, token, r.logger)
 }
+
+func (r *DaggerPipeline) Report(_ []byte) error {
+	return nil
+}

pkg/attestation/crafter/runners/generic.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2023-2026 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -65,3 +65,7 @@ func (r *Generic) Environment() RunnerEnvironment {
 func (r *Generic) VerifyCommitSignature(_ context.Context, _ string) *commitverification.CommitVerification {
 	return nil // Not supported for this runner
 }
+
+func (r *Generic) Report(_ []byte) error {
+	return nil
+}