We are trying to tighten up our build-deploy cycle for PCI purposes and part of what we need to address is the question “How can you prove that the code you built is the code you deployed?”.
We need to be concerned about the integrity of the entire git -> jenkins -> octopus -> servers pipeline, but for the purpose of this question, I’d like to focus on how to prove/document that the artifacts that were built by Jenkins and pushed to Octopus are the same that get deployed.
One idea that I have is to use the internal Octopus Repository, as that seems to calculate the SHA1 of packages stored in it. At deploy time, we would like to display the calculated SHA1 of the package (“actual”) and compare that with a value that was calculated by Jenkins (“expected”). The “Deploy a package” step should fail if there was deviance between the expected and actual.
Is this possible? Are there alternate ways of proving this integrity?
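A deploy-step script implementing the expected-versus-actual check described in the post, as an added example (not code from the original post or from Octopus Deploy). It assumes the expected SHA1 recorded by the build is handed to the step as a variable (hypothetical names PackagePath and ExpectedSha1) and passed to the script as arguments:

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from Octopus Deploy.
# Computes the SHA1 of the package about to be deployed ("actual"), compares
# it with the value recorded by the build server ("expected"), and exits
# non-zero on mismatch so the deployment step fails.
set -euo pipefail

# SHA1 of a file as lowercase hex, using whichever tool the host provides.
sha1_of_file() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | awk '{print $1}'
  else
    shasum -a 1 "$1" | awk '{print $1}'
  fi
}

# verify_package_sha1 <package path> <expected sha1>
# Returns 0 when the hashes match, 1 when the file is missing or the hash
# differs. Expected value is lower-cased because tools differ in hex casing.
verify_package_sha1() {
  local pkg="$1" expected actual
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  if [ ! -f "$pkg" ]; then
    echo "ERROR: package not found: $pkg" >&2
    return 1
  fi
  actual="$(sha1_of_file "$pkg")"
  echo "expected SHA1: $expected"
  echo "actual   SHA1: $actual"
  if [ "$actual" != "$expected" ]; then
    echo "ERROR: SHA1 mismatch, refusing to deploy $pkg" >&2
    return 1
  fi
  echo "SHA1 verified: $pkg"
}

# In an Octopus step the two arguments would be supplied from step variables
# (hypothetical names PackagePath and ExpectedSha1). Run directly with no
# arguments, the script checks a constructed sample file whose SHA1 is the
# well-known test vector for the content "abc".
if [ $# -eq 2 ]; then
  verify_package_sha1 "$1" "$2"
else
  sample="$(mktemp)"
  printf 'abc' > "$sample"
  verify_package_sha1 "$sample" "a9993e364706816aba3e25717850c26c9cd0d89d"
  rm -f "$sample"
fi
```

The expected value must originate on the build side (Jenkins) and travel to the deploy step independently of the package; recomputing it from the same package at deploy time would make the comparison prove nothing.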