fix: move provenance handling after packaging phase

leodido · ona-agent · leodido · commit cdb25183a4ff · 2025-11-20T10:28:20.000+01:00
Ensures provenance subjects accurately reflect the final artifact
contents by computing them after the packaging phase removes
temporary build artifacts like _deps/.

Previously, subjects were computed before packaging, causing a
mismatch where provenance included files (e.g., _deps/) that were
not present in the final tar.gz artifact.

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/pkg/leeway/build.go b/pkg/leeway/build.go
@@ -1051,32 +1051,13 @@ func (p *Package) build(buildctx *buildContext) (err error) {
 		}
 	}
 
-	// Handle provenance subjects
-	if p.C.W.Provenance.Enabled {
-		if err := handleProvenance(p, buildctx, builddir, bld, sources, now); err != nil {
-			return err
-		}
-	}
-
-	// Generate SBOM if enabled
+	// Generate SBOM if enabled (before packaging)
 	if p.C.W.SBOM.Enabled {
 		if err := writeSBOM(buildctx, p, builddir); err != nil {
 			return err
 		}
 	}
 
-	// Handle test coverage if available
-	if bld.TestCoverage != nil {
-		coverage, funcsWithoutTest, funcsWithTest, err := bld.TestCoverage()
-		if err != nil {
-			return err
-		}
-		pkgRep.TestCoverageAvailable = true
-		pkgRep.TestCoveragePercentage = coverage
-		pkgRep.FunctionsWithoutTest = funcsWithoutTest
-		pkgRep.FunctionsWithTest = funcsWithTest
-	}
-
 	// Package the build results
 	if len(bld.Commands[PackageBuildPhasePackage]) > 0 {
 		if err := executeCommandsForPackage(buildctx, p, builddir, bld.Commands[PackageBuildPhasePackage]); err != nil {
@@ -1092,6 +1073,25 @@ func (p *Package) build(buildctx *buildContext) (err error) {
 		}
 	}
 
+	// Handle provenance subjects (after packaging - artifact now exists)
+	if p.C.W.Provenance.Enabled {
+		if err := handleProvenance(p, buildctx, builddir, bld, sources, now); err != nil {
+			return err
+		}
+	}
+
+	// Handle test coverage if available
+	if bld.TestCoverage != nil {
+		coverage, funcsWithoutTest, funcsWithTest, err := bld.TestCoverage()
+		if err != nil {
+			return err
+		}
+		pkgRep.TestCoverageAvailable = true
+		pkgRep.TestCoveragePercentage = coverage
+		pkgRep.FunctionsWithoutTest = funcsWithoutTest
+		pkgRep.FunctionsWithTest = funcsWithTest
+	}
+
 	// Register newly built package
 	return buildctx.RegisterNewlyBuilt(p)
 }
