
Commit c6ae8cd

feat: org setting to skip storing runner-discovered env vars in attestations (#3177)
1 parent f708b6c commit c6ae8cd

44 files changed

Lines changed: 506 additions & 37 deletions


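--- a/app/cli/cmd/organization_update.go
+++ b/app/cli/cmd/organization_update.go
@@ -33,6 +33,7 @@ func newOrganizationUpdateCmd() *cobra.Command {
 apiTokenMaxDaysInactive string
 enableAIAgentCollector bool
 blockAttestationsOnReleasedVersions bool
+skipRunnerEnvVars bool
 )
 
 cmd := &cobra.Command{
@@ -64,6 +65,10 @@ func newOrganizationUpdateCmd() *cobra.Command {
 opts.BlockAttestationsOnReleasedVersions = &blockAttestationsOnReleasedVersions
 }
 
+if cmd.Flags().Changed("skip-runner-env-vars") {
+opts.SkipRunnerEnvVars = &skipRunnerEnvVars
+}
+
 if cmd.Flags().Changed("api-token-max-days-inactive") {
 days, err := strconv.Atoi(apiTokenMaxDaysInactive)
 if err != nil {
@@ -96,5 +101,6 @@ func newOrganizationUpdateCmd() *cobra.Command {
 cmd.Flags().StringVar(&apiTokenMaxDaysInactive, "api-token-max-days-inactive", "", "maximum days of inactivity before API tokens are auto-revoked (e.g. '90', '0' to disable)")
 cmd.Flags().BoolVar(&enableAIAgentCollector, "enable-ai-agent-collector", false, "enable automatic AI agent config collection during attestation init")
 cmd.Flags().BoolVar(&blockAttestationsOnReleasedVersions, "block-attestations-on-released-versions", false, "reject new attestations pushed to project versions that are already released")
+cmd.Flags().BoolVar(&skipRunnerEnvVars, "skip-runner-env-vars", false, "opt out of storing the environment variables automatically discovered by the CI runner in the attestation")
 return cmd
 }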
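Review bot: The help text on the new `--skip-runner-env-vars` flag does not say when the setting takes effect or that an explicit `--skip-runner-env-vars=false` re-enables storing, which the `cmd.Flags().Changed("skip-runner-env-vars")` guard makes possible but which a reader of a boolean opt-out flag may not expect. As far as attestation_init.go shows, the value is read from the control plane at attestation init, so existing attestations are unaffected and only new ones change. Suggest `"opt out of storing the environment variables automatically discovered by the CI runner in the attestation; applies to attestations initialized after the change (pass =false to re-enable)"`. Since runner-discovered variables are a common route for credentials to end up in an attestation, a sentence in the CLI reference recommending the opt-out for runners that expose secrets in their environment would also be worth adding. newOrganizationUpdateCmd begins outside the hunks shown.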

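--- a/app/cli/documentation/cli-reference.mdx
+++ b/app/cli/documentation/cli-reference.mdx
@@ -2917,6 +2917,7 @@ Options
 --policies-allowed-hostnames strings set the allowed hostnames for the policy engine
 --prevent-implicit-workflow-creation prevent workflows and projects from being created implicitly during attestation init
 --restrict-contract-creation restrict contract creation (org-level and project-level) to only organization admins (owner/admin roles)
+--skip-runner-env-vars opt out of storing the environment variables automatically discovered by the CI runner in the attestation
 ```
 
 Options inherited from parent commands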

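--- a/app/cli/pkg/action/attestation_init.go
+++ b/app/cli/pkg/action/attestation_init.go
@@ -200,6 +200,7 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 blockOnPolicyViolation bool
 policiesAllowedHostnames []string
 enableAIAgentCollector bool
+skipRunnerEnvVars bool
 // Timestamp Authority URL for new attestations
 timestampAuthorityURL, signingCAName string
 uiDashboardURL string
@@ -233,6 +234,7 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 blockOnPolicyViolation = result.GetBlockOnPolicyViolation()
 policiesAllowedHostnames = result.GetPoliciesAllowedHostnames()
 enableAIAgentCollector = result.GetEnableAiAgentCollector()
+skipRunnerEnvVars = result.GetSkipRunnerEnvVars()
 signingOpts := result.GetSigningOptions()
 timestampAuthorityURL = signingOpts.GetTimestampAuthorityUrl()
 signingCAName = signingOpts.GetSigningCa()
@@ -291,6 +293,7 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 Runner: discoveredRunner,
 BlockOnPolicyViolation: blockOnPolicyViolation,
 PoliciesAllowedHostnames: policiesAllowedHostnames,
+SkipRunnerEnvVars: skipRunnerEnvVars,
 SigningOptions: &crafter.SigningOpts{
 TimestampAuthorityURL: timestampAuthorityURL,
 SigningCAName: signingCAName,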
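Review bot: The org setting is enforced on the client only: `skipRunnerEnvVars = result.GetSkipRunnerEnvVars()` is read from the control plane and handed to the crafter as `SkipRunnerEnvVars`, so a CLI built before this change, or a tampered one, keeps uploading the runner-discovered variables regardless of what the organization configured. Unless the control plane also strips or rejects runner env vars when it stores an attestation for an opted-out org (not visible in these hunks), the setting is advisory rather than a guarantee that environment values never leave the runner. A server-side check in the attestation store path would close that gap; at minimum the option's documentation should state that enforcement happens in the CLI at `attestation init`. The enclosing Run method starts and ends outside the hunks.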

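--- a/app/cli/pkg/action/membership_list.go
+++ b/app/cli/pkg/action/membership_list.go
@@ -38,6 +38,7 @@ type OrgItem struct {
 APITokenMaxDaysInactive *string `json:"apiTokenMaxDaysInactive,omitempty"`
 EnableAIAgentCollector bool `json:"enableAiAgentCollector"`
 BlockAttestationsOnReleasedVersions bool `json:"blockAttestationsOnReleasedVersions"`
+SkipRunnerEnvVars bool `json:"skipRunnerEnvVars"`
 }
 
 type MembershipItem struct {
@@ -142,6 +143,7 @@ func pbOrgItemToAction(in *pb.OrgItem) *OrgItem {
 PreventImplicitWorkflowCreation: in.PreventImplicitWorkflowCreation,
 EnableAIAgentCollector: in.EnableAiAgentCollector,
 BlockAttestationsOnReleasedVersions: in.BlockAttestationsOnReleasedVersions,
+SkipRunnerEnvVars: in.SkipRunnerEnvVars,
 }
 
 if in.DefaultPolicyViolationStrategy == pb.OrgItem_POLICY_VIOLATION_BLOCKING_STRATEGY_BLOCK {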

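--- a/app/cli/pkg/action/org_update.go
+++ b/app/cli/pkg/action/org_update.go
@@ -42,6 +42,8 @@ type NewOrgUpdateOpts struct {
 EnableAIAgentCollector *bool
 // BlockAttestationsOnReleasedVersions rejects new attestations pushed to project versions that are already released
 BlockAttestationsOnReleasedVersions *bool
+// SkipRunnerEnvVars opts out of storing the environment variables automatically discovered by the CI runner in the attestation
+SkipRunnerEnvVars *bool
 }
 
 func (action *OrgUpdate) Run(ctx context.Context, name string, opts *NewOrgUpdateOpts) (*OrgItem, error) {
@@ -54,6 +56,7 @@ func (action *OrgUpdate) Run(ctx context.Context, name string, opts *NewOrgUpdat
 RestrictContractCreationToOrgAdmins: opts.RestrictContractCreation,
 EnableAiAgentCollector: opts.EnableAIAgentCollector,
 BlockAttestationsOnReleasedVersions: opts.BlockAttestationsOnReleasedVersions,
+SkipRunnerEnvVars: opts.SkipRunnerEnvVars,
 }
 
 if opts.PoliciesAllowedHostnames != nil {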

app/controlplane/api/controlplane/v1/organization.pb.go

Lines changed: 17 additions & 5 deletions

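--- a/app/controlplane/api/controlplane/v1/organization.proto
+++ b/app/controlplane/api/controlplane/v1/organization.proto
@@ -108,6 +108,9 @@ message OrganizationServiceUpdateRequest {
 
 // Reject new attestations pushed to project versions that are already released (prerelease == false)
 optional bool block_attestations_on_released_versions = 9;
+
+// Opt out of storing the environment variables automatically discovered by the CI runner in the attestation
+optional bool skip_runner_env_vars = 10;
 }
 
 message OrganizationServiceUpdateResponse {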
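Review bot: The comment on `skip_runner_env_vars` describes the setting but not the presence semantics that `optional` introduces: an absent field presumably leaves the organization's current value untouched while an explicit `false` re-enables storing, which matches how the CLI fills it (a pointer set only when the flag was passed) but is not stated anywhere a client author would see it. Suggest `// Opt out of storing the environment variables automatically discovered by the CI runner in the attestation. Unset leaves the current setting unchanged; false re-enables storing.` The enclosing message begins outside the hunk.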

app/controlplane/api/controlplane/v1/response_messages.pb.go

Lines changed: 14 additions & 4 deletions

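--- a/app/controlplane/api/controlplane/v1/response_messages.proto
+++ b/app/controlplane/api/controlplane/v1/response_messages.proto
@@ -393,6 +393,8 @@ message OrgItem {
 bool enable_ai_agent_collector = 10;
 // Whether new attestations are rejected on project versions that are already released (prerelease == false)
 bool block_attestations_on_released_versions = 11;
+// Whether the environment variables automatically discovered by the CI runner are skipped from the attestation
+bool skip_runner_env_vars = 12;
 
 enum PolicyViolationBlockingStrategy {
 POLICY_VIOLATION_BLOCKING_STRATEGY_UNSPECIFIED = 0;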
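Review bot: The comment on `skip_runner_env_vars` reads awkwardly ("are skipped from the attestation") and, unlike the request-side field, does not say that this is the organization's stored setting rather than a per-attestation property. Suggest `// Whether runner-discovered environment variables are omitted from new attestations (organization setting)`. OrgItem is what the CLI surfaces to users, so the wording is visible beyond the proto. The enclosing message begins outside the hunk.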

app/controlplane/api/controlplane/v1/workflow_run.pb.go

Lines changed: 15 additions & 5 deletions
