Skip to content

Commit 8b9b7e7

Browse files
committed
fix(cli): enrich contract materials before control-plane init
Move policy-group material enrichment back ahead of the control-plane Init call so a policy-group load failure fails fast, before a workflow run is created, avoiding orphaned/partially initialized attestations. Assisted-by: Claude Code Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev> Chainloop-Trace-Sessions: db6acef0-3453-4c3f-ae8d-803dd2a677e7
1 parent a76ce6b commit 8b9b7e7

1 file changed

Lines changed: 22 additions & 20 deletions

File tree

app/cli/pkg/action/attestation_init.go

Lines changed: 22 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -188,6 +188,28 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
188188
return "", ErrRunnerContextNotFound{err.Error()}
189189
}
190190

191+
// Parse the raw contract to get V2 schema if available
192+
var schemaV2 *v1.CraftingSchemaV2
193+
if contractVersion.GetRawContract() != nil {
194+
schemaV2 = parseContractV2(contractVersion.GetRawContract())
195+
}
196+
197+
// Enrich the contract with the materials declared by its attached policy
198+
// groups, so they show up during attestation. See issue #3222.
199+
// Only the schema that the crafter will actually store needs enriching: it
200+
// prefers the V2 schema when present and falls back to V1 otherwise.
201+
// Done before the control-plane Init below so a policy-group load failure
202+
// fails fast, before a workflow run is created.
203+
if schemaV2 != nil {
204+
err = enrichContractMaterialsV2(ctx, schemaV2, client, &action.Logger)
205+
} else {
206+
//nolint:staticcheck // TODO: Migrate to new contract version API
207+
err = enrichContractMaterials(ctx, contractVersion.GetV1(), client, &action.Logger)
208+
}
209+
if err != nil {
210+
return "", fmt.Errorf("failed to apply materials from policy groups: %w", err)
211+
}
212+
191213
var (
192214
// Identifier of this attestation instance
193215
attestationID string
@@ -268,26 +290,6 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
268290
}
269291
}
270292

271-
// Parse the raw contract to get V2 schema if available
272-
var schemaV2 *v1.CraftingSchemaV2
273-
if contractVersion.GetRawContract() != nil {
274-
schemaV2 = parseContractV2(contractVersion.GetRawContract())
275-
}
276-
277-
// Enrich the contract with the materials declared by its attached policy
278-
// groups, so they show up during attestation. See issue #3222.
279-
// Only the schema that the crafter will actually store needs enriching: it
280-
// prefers the V2 schema when present and falls back to V1 otherwise.
281-
if schemaV2 != nil {
282-
err = enrichContractMaterialsV2(ctx, schemaV2, client, &action.Logger)
283-
} else {
284-
//nolint:staticcheck // TODO: Migrate to new contract version API
285-
err = enrichContractMaterials(ctx, contractVersion.GetV1(), client, &action.Logger)
286-
}
287-
if err != nil {
288-
return "", fmt.Errorf("failed to apply materials from policy groups: %w", err)
289-
}
290-
291293
// Initialize the local attestation crafter
292294
// NOTE: important to run this initialization here since workflowMeta is populated
293295
// with the workflowRunId that comes from the control plane

0 commit comments

Comments
 (0)