Add user field to artifact events and download and delete events

[afrittoli]

Changes

Cleaned up some wrong references, left over when moving test events, added both testing and artifact events to spec.md too. Add the user field to the artifact push event and it introduces the artifact pulled and deleted events, both with a user field too.

Partially-fixes: #143

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• [ ] Has the primer doc been updated if a design decision is involved
• [x] Have the JSON schemas been updated if the specification changed
• [x] Has spec version and event versions been updated according to the versioning policy
• [x] Meets the CDEvents contributor standards

[e-backmark-ericsson]

I don't really see why there would need to be an artifact.pulled CDEvent defined. What use case would it serve in a CI/CD context?

[mekhanique]

My $0.02 for what it's worth @e-backmark-ericsson . . .

Artifact pulled (or quarantined as I prefer because an "existing" but "un-useable" artifact helps to ensure that said "bad artifact" is not accidentally re-proxied/re-deployed) should initiate downstream actions that impact deployments (future or existing) for software and services which identifies said artifact within its SBOMs. An upstream deployment/release system could monitor for this event and "mark" said software/service un-useable. Reasons for this could be a high severity security finding such as RCE, a legal (licensing or patent) finding, the artifact becoming un-supported (internally or externally), or any other policy that a company might need to implement within this space, such as not using old major versions of a dependency.

While not "best practices" from a pure CD point of view, automated roll-backs are performed based on some of these events in live systems today. Events in this space enable automation to be created that helps streamline processes that use this model today.

Additionally, a quarantine event could trigger automated dependency update pipelines (such as those that might be done via Dependabot, Update-CLI or as otherwise suggested in #39). That would again streamline the process for companies that need to roll-forward as fast as they can.

[afrittoli]

I don't really see why there would need to be an artifact.pulled CDEvent defined. What use case would it serve in a CI/CD context?

Heh, I might want to be notified if a certain artifact is downloaded.

[mekhanique]

Definitely something an auditor would want to know; security/legal, info sec, regulatory auditor to name a few. Beyond that having a notification that tells me a bogus artifact (replacement entry for a artifact.quarantined object) has been downloaded. Publishing this as an event enables actions such as developer team notifications and initiation of automated dependency pipelines (as mentioned above).

Ref: #144, #143

[afrittoli]

My $0.02 for what it's worth @e-backmark-ericsson . . .

Artifact pulled (or quarantined as I prefer because an "existing" but "un-useable" artifact helps to ensure that said "bad artifact" is not accidentally re-proxied/re-deployed) should initiate downstream actions that impact deployments (future or existing) for software and services which identifies said artifact within its SBOMs. An upstream deployment/release system could monitor for this event and "mark" said software/service un-useable. Reasons for this could be a high severity security finding such as RCE, a legal (licensing or patent) finding, the artifact becoming un-supported (internally or externally), or any other policy that a company might need to implement within this space, such as not using old major versions of a dependency.

While not "best practices" from a pure CD point of view, automated roll-backs are performed based on some of these events in live systems today. Events in this space enable automation to be created that helps streamline processes that use this model today.

Additionally, a quarantine event could trigger automated dependency update pipelines (such as those that might be done via Dependabot, Update-CLI or as otherwise suggested in #39). That would again streamline the process for companies that need to roll-forward as fast as they can.

Thanks. I renamed "pulled" do "downloaded". I will follow up on the idea of "quarantined" in a separate PR

[afrittoli]

@e-backmark-ericsson @xibz ready for review