feat: push incomplete attestation on gate failure#2624
Conversation
|
Thanks @Piskoo. I'd like us to evaluate the consequences of pushing a partial attestation. In particular:
|
Should we do the same with required annotations?
They won't be present as they weren't evaluated
Makes sense, thanks |
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
|
Updated, we now fail when
|
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
|
I'm gonna close this one for now, we can discuss it |
Extends gated policy support in
attestation addto push incomplete attestations when a gate fails. By default attestation is pushed but the user can pass--skipPushOnGateFailureflag to avoid that, attestation will still fail even if the flag is passed.Example contract:
Example policy:
Attestation process:
Workflow run:

Attestation:
{ "_type": "https://in-toto.io/Statement/v1", "subject": [ { "name": "chainloop.workflow.multipolicy", "digest": { "sha256": "e21f493f5f544747bcb234efee3036f094347c83129d18110c08f5103aafdb66" } }, { "name": "git.head", "digest": { "sha1": "0a582a0f9e8c90596a41a0b5274b62886518c5ff" }, "annotations": { "author.email": "sylwesterpiskozub@gmail.com", "author.name": "Sylwester Piskozub", "date": "2025-12-17T14:30:37Z", "message": "log msg fix\n\nSigned-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>\n", "remotes": [ { "name": "origin", "url": "https://github.com/Piskoo/chainloop.git" }, { "name": "upstream", "url": "https://github.com/chainloop-dev/chainloop.git" }, { "name": "javirln", "url": "git@github.com:javirln/chainloop.git" } ], "signature": "-----BEGIN PGP SIGNATURE-----\n\niQGzBAABCgAdFiEE80ZHNM+xgBJZNs2RI98bOQEY/BgFAmlCvo0ACgkQI98bOQEY\n/BhBTQv+IM/MIY9rtEOAL4dMrNox9bxCHycbu5hq0mYBhnvJrIXo0D7XeCGiwHqA\n8riXOJUQnYAROCp99Z+O4LkvmbvMWknDybTWmHWPt53FFp3Sl12gQkXgKlLuJYoP\nPmGtlJU5oYbDlY1zW378IpB/8rqWSdbOu7tcT6VVDFPBrpuJ6igwELo5WoTesfGS\nSjIB1XhpoHU7jvIaMFNWlhVvaWaxAh1z74sBjT2bMubewY2QovP+EmPlRQe+gO6x\noO478Uwq+GWwnrD8RA2HXuvVf74MkFIrHpsolpuClX8SbfPfD+efAFRmeYO+LN1h\n51b7UE/TMAcZKw/U9IhyckonzaNhKlnD8cpd0LvuGyMp4Lm65jWBULzKNriWS9Pk\nDZsIS/y7dprKDfZWEk/QNbuWK6UOmPfNJTiZ7mBQPpneymcfzmPwMVrifTxjM5mL\nyVbZhNAZKEHZ47dzd9oHCKKm9iv1ewgH93VJpGfygv3olixdSGOeoEn6rEKuNy1A\nBdIrvZTZ\n=NMKR\n-----END PGP SIGNATURE-----\n" } } ], "predicateType": "chainloop.dev/attestation/v0.2", "predicate": { "annotations": { "environment": "" }, "auth": { "id": "34030166-826c-4c72-a635-353230fedb47", "type": "AUTH_TYPE_USER" }, "buildType": "chainloop.dev/workflowrun/v0.1", "builder": { "id": "chainloop.dev/cli/@" }, "materials": [ { "annotations": { "chainloop.material.cas": true, "chainloop.material.name": "skynet-sbom", "chainloop.material.sbom.main_component.name": "my application", "chainloop.material.sbom.main_component.type": "application", "chainloop.material.sbom.main_component.version": "1.0", "chainloop.material.type": "SBOM_CYCLONEDX_JSON" }, "digest": { "sha256": "bfbb8312c63447567e65f128ac05ddaebf562d072532b37fb412f47bfc32a421" }, "name": "sbom.json" } ], "metadata": { "contractName": "myproject-multipolicy", "contractVersion": "2", "finishedAt": "2025-12-17T14:38:27.537415106Z", "initializedAt": "2025-12-17T14:38:23.267223921Z", "name": "multipolicy", "organization": "myorg", "project": "myproject", "projectVersion": "v1.63.0+next", "projectVersionPrerelease": true, "team": "", "workflowID": "58356fd5-de48-40e5-902a-b49277cff1b2", "workflowName": "multipolicy", "workflowRunID": "b1bfaa19-50bb-4c0e-b721-c117da5d4915" }, "policyAttBlocked": false, "policyBlockBypassEnabled": true, "policyCheckBlockingStrategy": "ADVISORY", "policyEvaluations": { "skynet-sbom": [ { "materialName": "skynet-sbom", "name": "policy-gate", "policyReference": { "annotations": { "name": "policy-gate", "organization": "myorg" }, "digest": { "sha256": "1782d1682c379ae2de2080f3f165d90804127c683b3460dd358d8632c3d4c6fe" }, "name": "policy-gate", "uri": "chainloop://localhost:8002/policy-gate?org=myorg" }, "skipped": false, "type": "SBOM_CYCLONEDX_JSON", "violations": [ { "message": "Gated policy violation", "subject": "policy-gate" } ] } ] }, "policyHasViolations": true, "runnerEnvironment": "unknown", "runnerType": "RUNNER_TYPE_UNSPECIFIED", "signingCA": "fileCA" } }Attestation contains only partial evaluations, policy
policy-gate2for kindEVIDENCEwasn't evaluated as attestation failed before materialevidencetestwas provided.Attestation validation and annotation validation is disabled for incomplete attestation push.