CI/CD Interoperability
1. Overview¶
ATTEST integrates seamlessly with existing CI/CD systems, allowing gradual adoption without disrupting current workflows. This section covers integration patterns and migration strategies.
2. Supported Platforms¶
2.1 GitHub Actions¶
name: ATTEST Integration
on: [push, pull_request]
jobs:
attest-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup ATTEST
uses: attest-ci/setup-attest@v1
with:
version: 'latest'
- name: Run ATTEST Pipeline
run: |
attest run --sign --verify
attest upload-receipt --destination ${{ secrets.RECEIPT_STORE }}
- name: Export to GitHub Actions
run: attest pipeline export --format github-actions --output .github/workflows/generated.yml
2.2 GitLab CI¶
stages:
- attest
- deploy
attest:
stage: attest
image: attestci/attest:latest
script:
- attest run --sign --verify
- attest verify receipts/*.yaml --strict
artifacts:
paths:
- .attest/receipts/
reports:
junit: attest-results.xml
deploy:
stage: deploy
dependencies:
- attest
script:
- attest verify receipts/*.yaml --check-signatures
- kubectl apply -f k8s/
2.3 Jenkins¶
pipeline {
agent any
stages {
stage('ATTEST Build') {
steps {
script {
sh 'attest run --sign --verify'
def receiptFiles = sh(
script: 'find .attest/receipts -name "*.yaml"',
returnStdout: true
).trim().split('\n')
receiptFiles.each { receipt ->
sh "attest verify ${receipt} --check-signatures"
}
}
}
}
stage('Deploy') {
when {
expression {
sh(script: 'attest verify receipts/*.yaml --quiet', returnStatus: true) == 0
}
}
steps {
sh 'kubectl apply -f k8s/'
}
}
}
}
3. Export Formats¶
3.1 Generate CI/CD Configurations¶
# Export to various CI/CD platforms
attest pipeline export --format github-actions
attest pipeline export --format gitlab-ci
attest pipeline export --format jenkins
attest pipeline export --format azure-pipelines
attest pipeline export --format circleci
attest pipeline export --format buildkite
3.2 Docker Compose¶
# Generate Docker Compose for local development
attest pipeline export --format docker-compose --output docker-compose.yml
# Generated docker-compose.yml
version: '3.8'
services:
attest-build:
image: attestci/attest:latest
volumes:
- .:/workspace
working_dir: /workspace
command: ["attest", "run", "--sign", "--verify"]
4. Hybrid Workflows¶
4.1 Gradual Migration¶
# Phase 1: Parallel execution
name: Hybrid CI/CD
on: [push]
jobs:
existing-build:
runs-on: ubuntu-latest
steps:
- name: Traditional Build
run: npm run build
attest-build:
runs-on: ubuntu-latest
steps:
- name: ATTEST Build
run: attest run --sign
continue-on-error: true # Don't fail if ATTEST has issues
compare-results:
needs: [existing-build, attest-build]
runs-on: ubuntu-latest
steps:
- name: Compare Outputs
run: |
# Compare build artifacts between traditional and ATTEST builds
diff -r traditional-dist/ attest-dist/ || true
4.2 Conditional ATTEST Usage¶
# Use ATTEST for production, traditional CI for development
jobs:
build:
runs-on: ubuntu-latest
steps:
- if: github.ref == 'refs/heads/main'
name: Production Build (ATTEST)
run: attest run --sign --verify --strict
- if: github.ref != 'refs/heads/main'
name: Development Build (Traditional)
run: |
npm install
npm test
npm run build
5. Legacy System Integration¶
5.1 Wrapper Scripts¶
#!/bin/bash
# attest-wrapper.sh - Wrap existing build scripts
set -e
# Initialize ATTEST if not already done
if [ ! -f "attest.yaml" ]; then
attest init --from-existing
fi
# Run ATTEST pipeline that calls existing scripts
attest run --sign --verify
# Verify results
attest verify receipts/*.yaml --check-signatures
echo "Build completed with ATTEST verification"
5.2 Makefile Integration¶
# Existing Makefile with ATTEST integration
.PHONY: build test deploy attest-build
# Traditional targets
build:
npm run build
test:
npm test
# ATTEST targets
attest-build:
attest run --sign --verify
# Hybrid target
secure-build: attest-build
@echo "Build completed with cryptographic verification"
# Deployment with verification
deploy: secure-build
attest verify receipts/*.yaml --check-signatures
kubectl apply -f k8s/
6. Tool Integration¶
6.1 Docker Integration¶
# Multi-stage build with ATTEST
FROM attestci/attest:latest AS attest-stage
WORKDIR /app
COPY . .
RUN attest run --sign --verify
FROM node:18-alpine AS runtime
WORKDIR /app
COPY --from=attest-stage /app/dist ./dist
COPY --from=attest-stage /app/.attest/receipts ./receipts
COPY package*.json ./
RUN npm ci --production
EXPOSE 3000
CMD ["node", "dist/server.js"]
6.2 Kubernetes Integration¶
# Kubernetes Job for ATTEST builds
apiVersion: batch/v1
kind: Job
metadata:
name: attest-build
spec:
template:
spec:
containers:
- name: attest
image: attestci/attest:latest
command: ["attest", "run", "--sign", "--verify"]
volumeMounts:
- name: source-code
mountPath: /workspace
env:
- name: ATTEST_SIGNING_KEY
valueFrom:
secretKeyRef:
name: attest-keys
key: signing-key
volumes:
- name: source-code
configMap:
name: source-code
restartPolicy: Never
6.3 Terraform Integration¶
# Terraform configuration for ATTEST infrastructure
resource "kubernetes_namespace" "attest" {
metadata {
name = "attest-system"
}
}
resource "helm_release" "attest_controller" {
name = "attest-controller"
repository = "https://charts.attest.continuu.ms"
chart = "attest-controller"
namespace = kubernetes_namespace.attest.metadata[0].name
values = [
templatefile("${path.module}/attest-values.yaml", {
signing_key = var.attest_signing_key
policy_bundle = var.policy_bundle_url
})
]
}
7. Migration Strategies¶
7.1 Phased Migration¶
# Phase 1: Add ATTEST alongside existing CI
attest init --coexist
git add attest.yaml .attest/
git commit -m "Add ATTEST configuration"
# Phase 2: Parallel execution and validation
attest migrate --validate-against-existing
# Phase 3: Switch to ATTEST for critical paths
attest migrate --replace-critical-steps
# Phase 4: Full migration
attest migrate --complete-migration
7.2 Risk Mitigation¶
# Rollback strategy
migration:
fallback:
enabled: true
triggers:
- "attest_failure"
- "verification_failure"
- "performance_degradation"
rollback_script: "./rollback-to-traditional.sh"
monitoring:
enabled: true
metrics:
- "build_duration"
- "success_rate"
- "artifact_integrity"
thresholds:
max_duration_increase: "50%"
min_success_rate: "95%"
8. Performance Comparison¶
8.1 Benchmarking¶
# Compare build performance
attest benchmark compare \
--traditional-script "./traditional-build.sh" \
--attest-pipeline "attest.yaml" \
--iterations 10
# Results:
Metric | Traditional | ATTEST | Difference
--------------------|-------------|-----------|------------
Build Time | 120s | 85s | -29% (faster)
First Run | 120s | 145s | +21% (slower)
Cached Run | 120s | 15s | -87% (faster)
Verification Time | 0s | 5s | +5s
Total Security | Low | High | Improved
8.2 Optimization¶
# Optimize ATTEST performance for existing workflows
attest optimize --baseline traditional-build.sh
attest tune --target-performance 90% --max-verification-time 10s
9. Data Migration¶
9.1 Artifact Migration¶
# Migrate existing artifacts to ATTEST format
attest migrate artifacts \
--from ./build-artifacts/ \
--format auto-detect \
--generate-receipts
# Import CI/CD history
attest import history \
--from jenkins \
--builds-url $JENKINS_URL/job/myproject/ \
--credentials $JENKINS_CREDS
9.2 Configuration Migration¶
# Convert existing CI configuration
attest convert ci-config \
--from .github/workflows/ci.yml \
--to attest.yaml \
--preserve-steps
# Migrate environment variables
attest convert env-vars \
--from docker-compose.yml \
--to .attest/config.yaml
10. Monitoring Integration¶
10.1 Metrics Export¶
# Export ATTEST metrics to existing monitoring
monitoring:
exports:
- type: "prometheus"
endpoint: "http://prometheus:9090"
namespace: "attest"
- type: "datadog"
api_key: "${DATADOG_API_KEY}"
tags: ["env:production", "team:platform"]
- type: "grafana"
dashboard_id: "attest-overview"
datasource: "prometheus"
10.2 Alert Integration¶
# Integrate with existing alerting
alerts:
channels:
- type: "slack"
webhook: "${SLACK_WEBHOOK}"
channel: "#platform-alerts"
- type: "pagerduty"
service_key: "${PAGERDUTY_KEY}"
severity: "critical"
rules:
- name: "verification_failure"
condition: "attest_verification_failed > 0"
action: "page"
11. Best Practices¶
11.1 Integration Guidelines¶
- Start with non-critical workloads for initial testing
- Maintain parallel systems during transition
- Monitor performance impacts and optimize accordingly
- Train teams on ATTEST concepts and workflows
- Establish rollback procedures for migration issues
11.2 Security Considerations¶
- Protect signing keys during migration
- Maintain audit trails for all changes
- Validate integrations don't bypass security controls
- Update access controls for new workflows
- Regular security reviews of hybrid configurations
11.3 Performance Optimization¶
- Use caching effectively to minimize performance impact
- Optimize verification processes for critical paths
- Implement proper monitoring to detect performance regressions
- Consider infrastructure scaling for increased compute needs
- Regular performance testing of integrated workflows
ATTEST's interoperability features ensure smooth integration with existing CI/CD infrastructure while providing enhanced security and verification capabilities.