Skip to content

Commit 012eb62

Browse files
committed
refactor(api): remove deprecated attestation and bundle fields from Store
Closes #3055 The AttestationServiceStoreRequest previously carried three representations of the same payload: the raw DSSE envelope, the original Sigstore bundle (with the signature bug from #1832), and the fixed attestation bundle. Only attestation_bundle is consumed today; the other two have been deprecated since June 2025 and the fixed bundle has been available since February 2025. This removes the deprecated fields and their fallback paths in the CLI, controlplane service/biz/data layers, and the attestation helper package, cutting the gRPC request size by ~3x for the same logical payload. Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
1 parent 433d7b2 commit 012eb62

13 files changed

Lines changed: 78 additions & 244 deletions

app/cli/pkg/action/attestation_push.go

Lines changed: 5 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -263,7 +263,7 @@ func (action *AttestationPush) Run(ctx context.Context, attestationID string, ru
263263

264264
workflow := crafter.CraftingState.Attestation.GetWorkflow()
265265

266-
attestationResult.Digest, err = pushToControlPlane(ctx, action.CPConnection, envelope, bundle, workflow.GetWorkflowRunId(), workflow.GetVersion().GetMarkAsReleased())
266+
attestationResult.Digest, err = pushToControlPlane(ctx, action.CPConnection, bundle, workflow.GetWorkflowRunId(), workflow.GetVersion().GetMarkAsReleased())
267267
if err != nil {
268268
return nil, fmt.Errorf("pushing to control plane: %w", err)
269269
}
@@ -303,32 +303,17 @@ func (action *AttestationPush) saveBundle(bundle *protobundle.Bundle) error {
303303
return nil
304304
}
305305

306-
func pushToControlPlane(ctx context.Context, conn *grpc.ClientConn, envelope *dsse.Envelope, bundle *protobundle.Bundle, workflowRunID string, markVersionAsReleased bool) (string, error) {
307-
encodedBundle, err := encodeBundle(bundle)
308-
if err != nil {
309-
return "", fmt.Errorf("encoding attestation: %w", err)
310-
}
311-
312-
client := pb.NewAttestationServiceClient(conn)
313-
314-
// if endpoint doesn't accept the bundle, we still send the plain attestation for backwards compatibility
315-
encodedAttestation, err := encodeEnvelope(envelope)
316-
if err != nil {
317-
return "", fmt.Errorf("encoding attestation: %w", err)
318-
}
319-
306+
func pushToControlPlane(ctx context.Context, conn *grpc.ClientConn, bundle *protobundle.Bundle, workflowRunID string, markVersionAsReleased bool) (string, error) {
320307
// remove additional base64 encoding in signature. See https://github.com/chainloop-dev/chainloop/issues/1832
321308
attestation.FixSignatureInBundle(bundle)
322-
encodedFixedBundle, err := encodeBundle(bundle)
309+
encodedBundle, err := encodeBundle(bundle)
323310
if err != nil {
324311
return "", fmt.Errorf("encoding attestation: %w", err)
325312
}
326313

327-
// Store bundle next versions will perform this in a single call)
314+
client := pb.NewAttestationServiceClient(conn)
328315
resp, err := client.Store(ctx, &pb.AttestationServiceStoreRequest{
329-
Attestation: encodedAttestation,
330-
Bundle: encodedBundle,
331-
AttestationBundle: encodedFixedBundle,
316+
AttestationBundle: encodedBundle,
332317
WorkflowRunId: workflowRunID,
333318
MarkVersionAsReleased: &markVersionAsReleased,
334319
})
@@ -339,10 +324,6 @@ func pushToControlPlane(ctx context.Context, conn *grpc.ClientConn, envelope *ds
339324
return resp.Result.Digest, nil
340325
}
341326

342-
func encodeEnvelope(e *dsse.Envelope) ([]byte, error) {
343-
return json.Marshal(e)
344-
}
345-
346327
func encodeBundle(b *protobundle.Bundle) ([]byte, error) {
347328
return protojson.Marshal(b)
348329
}

app/controlplane/api/controlplane/v1/workflow_run.pb.go

Lines changed: 4 additions & 30 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/controlplane/v1/workflow_run.proto

Lines changed: 4 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
//
2-
// Copyright 2024-2025 The Chainloop Authors.
2+
// Copyright 2024-2026 The Chainloop Authors.
33
//
44
// Licensed under the Apache License, Version 2.0 (the "License");
55
// you may not use this file except in compliance with the License.
@@ -157,16 +157,15 @@ message AttestationServiceInitResponse {
157157
}
158158

159159
message AttestationServiceStoreRequest {
160-
// encoded DSEE envelope
161-
bytes attestation = 1 [deprecated = true];
162-
// deprecated because of https://github.com/chainloop-dev/chainloop/issues/1832
163-
bytes bundle = 4 [deprecated = true];
164160
// encoded Sigstore attestation bundle
165161
bytes attestation_bundle = 5;
166162

167163
string workflow_run_id = 2 [(buf.validate.field).string = {min_len: 1}];
168164
// mark the associated version as released
169165
optional bool mark_version_as_released = 3;
166+
167+
reserved 1, 4;
168+
reserved "attestation", "bundle";
170169
}
171170

172171
message AttestationServiceStoreResponse {

app/controlplane/api/controlplane/v1/workflow_run_grpc.pb.go

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/gen/frontend/controlplane/v1/workflow_run.ts

Lines changed: 1 addition & 47 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/gen/jsonschema/controlplane.v1.AttestationServiceStoreRequest.jsonschema.json

Lines changed: 0 additions & 10 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/gen/jsonschema/controlplane.v1.AttestationServiceStoreRequest.schema.json

Lines changed: 0 additions & 10 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/internal/service/attestation.go

Lines changed: 7 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -245,11 +245,7 @@ func (s *AttestationService) Store(ctx context.Context, req *cpAPI.AttestationSe
245245

246246
bundle := req.GetAttestationBundle()
247247
if bundle == nil {
248-
bundle = req.GetBundle()
249-
}
250-
251-
if req.GetAttestation() == nil && bundle == nil {
252-
return nil, errors.BadRequest("input required", "DSSE envelope or attestation bundle is required")
248+
return nil, errors.BadRequest("input required", "attestation bundle is required")
253249
}
254250

255251
// This will make sure the provided workflowRunID belongs to the org encoded in the robot account
@@ -274,7 +270,7 @@ func (s *AttestationService) Store(ctx context.Context, req *cpAPI.AttestationSe
274270
return nil, errors.NotFound("not found", "workflow run has no CAS backend")
275271
}
276272

277-
digest, err := s.storeAttestation(ctx, req.GetAttestation(), bundle, robotAccount, wf, wRun, req.MarkVersionAsReleased)
273+
digest, err := s.storeAttestation(ctx, bundle, robotAccount, wf, wRun, req.MarkVersionAsReleased)
278274
if err != nil {
279275
return nil, handleUseCaseErr(err, s.log)
280276
}
@@ -284,19 +280,19 @@ func (s *AttestationService) Store(ctx context.Context, req *cpAPI.AttestationSe
284280
}, nil
285281
}
286282

287-
// Stores and process a DSSE Envelope with a Chainloop attestation
288-
func (s *AttestationService) storeAttestation(ctx context.Context, envelope []byte, bundle []byte, robotAccount *usercontext.RobotAccount, wf *biz.Workflow, wfRun *biz.WorkflowRun, markAsReleased *bool) (*v1.Hash, error) {
283+
// storeAttestation stores and processes a Sigstore attestation bundle.
284+
func (s *AttestationService) storeAttestation(ctx context.Context, bundle []byte, robotAccount *usercontext.RobotAccount, wf *biz.Workflow, wfRun *biz.WorkflowRun, markAsReleased *bool) (*v1.Hash, error) {
289285
workflowRunID := wfRun.ID.String()
290286
casBackend := wfRun.CASBackends[0]
291287

292288
// extract structured envelope for integrations
293-
dsseEnv, err := attestation.DSSEEnvelopeFromRaw(bundle, envelope)
289+
dsseEnv, err := attestation.DSSEEnvelopeFromBundleBytes(bundle)
294290
if err != nil {
295291
return nil, handleUseCaseErr(err, s.log)
296292
}
297293

298294
// Store the attestation
299-
digest, err := s.wrUseCase.SaveAttestation(ctx, workflowRunID, envelope, bundle)
295+
digest, err := s.wrUseCase.SaveAttestation(ctx, workflowRunID, bundle)
300296
if err != nil {
301297
return nil, handleUseCaseErr(err, s.log)
302298
}
@@ -315,15 +311,9 @@ func (s *AttestationService) storeAttestation(ctx context.Context, envelope []by
315311
b.MaxElapsedTime = 1 * time.Minute
316312
err := backoff.Retry(
317313
func() error {
318-
rawContent := bundle
319-
if rawContent == nil {
320-
rawContent = envelope
321-
}
322-
323314
// reset context
324315
ctx := context.Background()
325-
var err error
326-
if err = s.attestationUseCase.UploadAttestationToCAS(ctx, rawContent, casBackend, workflowRunID, *digest); err != nil {
316+
if err := s.attestationUseCase.UploadAttestationToCAS(ctx, bundle, casBackend, workflowRunID, *digest); err != nil {
327317
return err
328318
}
329319

0 commit comments

Comments
 (0)