Skip to content

Commit 704ef21

Browse files
committed
feat(controlplane): filter referrer discovery by project name and version
Add optional project_name and project_version filters to the private referrer discovery endpoint (DiscoverPrivate). When both are provided, the discovered referrer and its references are confined to the matching project version, resolved by entering from the project version's workflow runs so the lookup stays bounded regardless of how widely a material is shared. Mark the deprecated public shared discovery endpoint as deprecated in the proto. Assisted-by: Claude Code Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev> Chainloop-Trace-Sessions: 593298f0-05bd-408b-9767-5472afe1caec
1 parent 3739bcd commit 704ef21

15 files changed

Lines changed: 460 additions & 29 deletions

app/cli/pkg/action/referrer_discover.go

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -67,6 +67,9 @@ func NewReferrerDiscoverPublicIndex(cfg *ActionsOpts) *ReferrerDiscoverPublic {
6767
return &ReferrerDiscoverPublic{cfg}
6868
}
6969

70+
// Run calls the deprecated public shared index RPC, kept for backwards compatibility.
71+
//
72+
//nolint:staticcheck // the RPC is deprecated but still supported
7073
func (action *ReferrerDiscoverPublic) Run(ctx context.Context, digest, kind string, p *PaginationOpts) (*ReferrerDiscoverResult, error) {
7174
client := pb.NewReferrerServiceClient(action.cfg.CPConnection)
7275
resp, err := client.DiscoverPublicShared(ctx, &pb.DiscoverPublicSharedRequest{

app/controlplane/api/controlplane/v1/referrer.pb.go

Lines changed: 38 additions & 11 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/controlplane/v1/referrer.proto

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,9 @@ service ReferrerService {
3636
};
3737
}
3838
// DiscoverPublicShared returns the referrer item for a given digest in the public shared index
39+
// Deprecated: the public shared index is being retired.
3940
rpc DiscoverPublicShared(DiscoverPublicSharedRequest) returns (DiscoverPublicSharedResponse) {
41+
option deprecated = true;
4042
option (google.api.http) = {get: "/discover/shared/{digest}"};
4143
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
4244
summary: "Discover public shared referrer"
@@ -60,6 +62,21 @@ message ReferrerServiceDiscoverPrivateRequest {
6062
string kind = 2;
6163
// Pagination options for the references list
6264
CursorPaginationRequest pagination = 3;
65+
// ProjectName optionally scopes the discovery to a project by name.
66+
// Must be set together with project_version.
67+
string project_name = 4;
68+
// ProjectVersion optionally scopes the discovery to a project version (by name, e.g. v1.2.0).
69+
// The referrer and its references are confined to this project version.
70+
// Must be set together with project_name.
71+
string project_version = 5;
72+
73+
// project_name and project_version must be provided together: a version name is unique only
74+
// within a project, and a project name on its own would not scope the discovery.
75+
option (buf.validate.message).cel = {
76+
id: "discover_project_version_dependency"
77+
expression: "(this.project_name == '') == (this.project_version == '')"
78+
message: "project_name and project_version must be set together"
79+
};
6380

6481
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
6582
json_schema: {
@@ -70,7 +87,10 @@ message ReferrerServiceDiscoverPrivateRequest {
7087
}
7188

7289
// DiscoverPublicSharedRequest is the request for the DiscoverPublicShared method
90+
// Deprecated: the public shared index is being retired.
7391
message DiscoverPublicSharedRequest {
92+
option deprecated = true;
93+
7494
// Digest is the unique identifier of the referrer to discover
7595
string digest = 1 [(buf.validate.field).string = {min_len: 1}];
7696
// Kind is the optional type of referrer, i.e CONTAINER_IMAGE, GIT_HEAD, ...

app/controlplane/api/controlplane/v1/referrer_grpc.pb.go

Lines changed: 5 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/controlplane/v1/referrer_http.pb.go

Lines changed: 1 addition & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/gen/frontend/controlplane/v1/referrer.ts

Lines changed: 50 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.jsonschema.json

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/gen/jsonschema/controlplane.v1.DiscoverPublicSharedRequest.schema.json

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerServiceDiscoverPrivateRequest.jsonschema.json

Lines changed: 18 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

app/controlplane/api/gen/jsonschema/controlplane.v1.ReferrerServiceDiscoverPrivateRequest.schema.json

Lines changed: 18 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)