Skip to content

Commit baf5122

Browse files
committed
fix(cli): show policy evaluations in push output
The status call in push was skipping policy evaluation (to avoid duplicate work), but this also skipped reading existing evaluations from the crafting state. Move GetPolicyEvaluations outside the skip block so status always reads existing evaluations, and populate the status result in push after the actual policy evaluation completes. Fixes #2761 Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
1 parent c996a47 commit baf5122

3 files changed

Lines changed: 13 additions & 7 deletions

File tree

app/cli/pkg/action/attestation_add.go

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
//
2-
// Copyright 2024-2025 The Chainloop Authors.
2+
// Copyright 2024-2026 The Chainloop Authors.
33
//
44
// Licensed under the Apache License, Version 2.0 (the "License");
55
// you may not use this file except in compliance with the License.
@@ -178,7 +178,7 @@ func (action *AttestationAdd) GetPolicyEvaluations(ctx context.Context, attestat
178178
return nil, err
179179
}
180180

181-
policyEvaluations, _ := getPolicyEvaluations(crafter)
181+
policyEvaluations, _ := GetPolicyEvaluations(crafter)
182182

183183
return policyEvaluations, nil
184184
}

app/cli/pkg/action/attestation_push.go

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -200,6 +200,9 @@ func (action *AttestationPush) Run(ctx context.Context, attestationID string, ru
200200
return nil, fmt.Errorf("evaluating attestation policies: %w", err)
201201
}
202202

203+
// Update the status result with the evaluated policies
204+
attestationStatus.PolicyEvaluations, attestationStatus.HasPolicyViolations = GetPolicyEvaluations(crafter)
205+
203206
// render final attestation with all the evaluated policies inside
204207
envelope, bundle, err := renderer.Render(ctx)
205208
if err != nil {

app/cli/pkg/action/attestation_status.go

Lines changed: 8 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
//
2-
// Copyright 2024-2025 The Chainloop Authors.
2+
// Copyright 2024-2026 The Chainloop Authors.
33
//
44
// Licensed under the Apache License, Version 2.0 (the "License");
55
// you may not use this file except in compliance with the License.
@@ -159,10 +159,12 @@ func (action *AttestationStatus) Run(ctx context.Context, attestationID string,
159159
if err := c.EvaluateAttestationPolicies(ctx, attestationID, statement); err != nil {
160160
return nil, fmt.Errorf("evaluating attestation policies: %w", err)
161161
}
162-
163-
res.PolicyEvaluations, res.HasPolicyViolations = getPolicyEvaluations(c)
164162
}
165163

164+
// Always read existing policy evaluations from crafting state,
165+
// even when skipping re-evaluation (e.g. material-level evaluations from add)
166+
res.PolicyEvaluations, res.HasPolicyViolations = GetPolicyEvaluations(c)
167+
166168
if v := workflowMeta.GetVersion(); v != nil {
167169
res.WorkflowMeta.ProjectVersion = &ProjectVersion{
168170
Version: v.GetVersion(),
@@ -210,8 +212,9 @@ func (action *AttestationStatus) Run(ctx context.Context, attestationID string,
210212
return res, nil
211213
}
212214

213-
// getPolicyEvaluations retrieves both material-level and attestation-level policy evaluations and returns if it has violations
214-
func getPolicyEvaluations(c *crafter.Crafter) (map[string][]*PolicyEvaluation, bool) {
215+
// GetPolicyEvaluations retrieves both material-level and attestation-level policy evaluations from the crafting state
216+
// and returns whether any violations exist.
217+
func GetPolicyEvaluations(c *crafter.Crafter) (map[string][]*PolicyEvaluation, bool) {
215218
// grouped by material name
216219
evaluations := make(map[string][]*PolicyEvaluation)
217220
var hasViolations bool

0 commit comments

Comments
 (0)