Implement ledger metrics for observability and add tests for Ruby packages endpoints

- Added `LedgerMetrics` class to record write latency and total events for ledger operations.
- Created comprehensive tests for Ruby packages endpoints, covering scenarios for missing inventory, successful retrieval, and identifier handling.
- Introduced `TestSurfaceSecretsScope` for managing environment variables during tests.
- Developed `ProvenanceMongoExtensions` for attaching DSSE provenance and trust information to event documents.
- Implemented `EventProvenanceWriter` and `EventWriter` classes for managing event provenance in MongoDB.
- Established MongoDB indexes for efficient querying of events based on provenance and trust.
- Added models and JSON parsing logic for DSSE provenance and trust information.

scripts/publish_attestation_with_provenance.sh

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Inputs (typically provided by CI/CD)
+IMAGE_REF="${IMAGE_REF:?missing IMAGE_REF}"           # e.g. ghcr.io/org/app:tag
+ATTEST_PATH="${ATTEST_PATH:?missing ATTEST_PATH}"     # DSSE envelope file path
+REKOR_URL="${REKOR_URL:-https://rekor.sigstore.dev}"
+KEY_REF="${KEY_REF:-cosign.key}"                      # could be KMS / keyless etc.
+OUT_META_JSON="${OUT_META_JSON:-provenance-meta.json}"
+
+# 1) Upload DSSE envelope to Rekor with JSON output
+rekor-cli upload \
+  --rekor_server "${REKOR_URL}" \
+  --artifact "${ATTEST_PATH}" \
+  --type dsse \
+  --format json > rekor-upload.json
+
+LOG_INDEX=$(jq '.LogIndex' rekor-upload.json)
+UUID=$(jq -r '.UUID' rekor-upload.json)
+INTEGRATED_TIME=$(jq '.IntegratedTime' rekor-upload.json)
+
+# 2) Compute envelope SHA256
+ENVELOPE_SHA256=$(sha256sum "${ATTEST_PATH}" | awk '{print $1}')
+
+# 3) Extract key metadata (example for local file key; adapt for Fulcio/KMS)
+# For keyless/Fulcio you’d normally extract cert from cosign verify-attestation.
+KEY_ID="${KEY_ID:-${KEY_REF}}"
+KEY_ALGO="${KEY_ALGO:-unknown}"
+KEY_ISSUER="${KEY_ISSUER:-unknown}"
+
+# 4) Optional: resolve image digest (if not already known in CI)
+IMAGE_DIGEST="${IMAGE_DIGEST:-}"
+if [ -z "${IMAGE_DIGEST}" ]; then
+  IMAGE_DIGEST="$(cosign triangulate "${IMAGE_REF}")"
+fi
+
+# 5) Emit provenance sidecar
+cat > "${OUT_META_JSON}" <<EOF
+{
+  "subject": {
+    "imageRef": "${IMAGE_REF}",
+    "digest": {
+      "sha256": "${IMAGE_DIGEST}"
+    }
+  },
+  "attestation": {
+    "path": "${ATTEST_PATH}",
+    "envelopeDigest": "sha256:${ENVELOPE_SHA256}",
+    "payloadType": "application/vnd.in-toto+json"
+  },
+  "dsse": {
+    "envelopeDigest": "sha256:${ENVELOPE_SHA256}",
+    "payloadType": "application/vnd.in-toto+json",
+    "key": {
+      "keyId": "${KEY_ID}",
+      "issuer": "${KEY_ISSUER}",
+      "algo": "${KEY_ALGO}"
+    },
+    "rekor": {
+      "logIndex": ${LOG_INDEX},
+      "uuid": "${UUID}",
+      "integratedTime": ${INTEGRATED_TIME}
+    }
+  }
+}
+EOF
+
+echo "Provenance metadata written to ${OUT_META_JSON}"