
feat: org setting to skip storing runner-discovered env vars in attestations#3177

Merged
jiparis merged 1 commit into chainloop-dev:main from migmartri:feat/skip-runner-env-vars on Jun 9, 2026

Conversation

@migmartri (Member)

Summary

Adds an organization-level setting, skip_runner_env_vars, that lets an organization opt out of storing the environment variables automatically discovered by the CI runner (GitHub Actions, GitLab, etc.) in the attestation.

Runners discover two kinds of environment variables: a subset used to detect that the build is running inside a given runner, and the rest injected automatically as build metadata. When this setting is enabled, the auto-discovered metadata variables are no longer collected into the attestation. The contract's env_allow_list (explicit, user-defined opt-in) is still honored, and runner detection and the structured runner environment metadata are unaffected.

The setting defaults to false, preserving current behavior. It is configurable via chainloop organization update --skip-runner-env-vars and is propagated to the crafter at attestation init time.

Closes #3176


This contribution was developed with the assistance of Claude Code.

🤖 Posted by Maximus bot (Claude Code) on behalf of @migmartri
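The resolution rule described in the summary (detect the runner, store its auto-discovered metadata only when the org setting is off, always honour the contract's env_allow_list), as an added Go illustration modelled on the description; it is not the crafter's ResolveEnvVars from this PR, and RunnerSpec, the detection/metadata variable names and the sample environment are constructed.

```go
package main

import "fmt"

// RunnerSpec is a constructed illustration of one CI runner, not Chainloop's own definitions.
type RunnerSpec struct {
	Name         string
	DetectVars   []string // all must be present for the runner to count as detected
	MetadataVars []string // auto-discovered metadata; skip_runner_env_vars drops these
}

// ResolveEnvVars applies the rules the PR describes: detection always runs, the contract's
// env_allow_list is always honoured, and runner metadata is stored only when the org
// setting is off. Returns the detected runner ("" if none) and the variables to store.
func ResolveEnvVars(env map[string]string, runners []RunnerSpec, allowList []string, skipRunnerEnvVars bool) (string, map[string]string) {
	stored := map[string]string{}
	copyPresent := func(names []string) {
		for _, n := range names {
			if v, ok := env[n]; ok {
				stored[n] = v
			}
		}
	}
	detected := ""
	for _, r := range runners {
		if detected == "" && allPresent(env, r.DetectVars) {
			detected = r.Name
			if !skipRunnerEnvVars {
				copyPresent(r.MetadataVars)
			}
		}
	}
	copyPresent(allowList) // explicit opt-in is independent of the org setting
	return detected, stored
}

func allPresent(env map[string]string, names []string) bool {
	for _, n := range names {
		if _, ok := env[n]; !ok {
			return false
		}
	}
	return len(names) > 0
}
func main() {
	gha := RunnerSpec{Name: "github-actions", DetectVars: []string{"GITHUB_ACTIONS"}, MetadataVars: []string{"GITHUB_REPOSITORY", "GITHUB_SHA"}}
	env := map[string]string{"GITHUB_ACTIONS": "true", "GITHUB_REPOSITORY": "acme/app", "GITHUB_SHA": "abc123", "BUILD_ID": "42"}
	name, vars := ResolveEnvVars(env, []RunnerSpec{gha}, []string{"BUILD_ID"}, true)
	fmt.Println("runner:", name, "stored with skip_runner_env_vars=true:", vars)
}
```

With the setting on, the runner is still identified but only the allow-listed BUILD_ID reaches the stored set; with it off, the runner's metadata variables are stored as well.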

migmartri self-assigned this Jun 9, 2026

chainloop-platform Bot (Contributor) commented Jun 9, 2026

AI Session Analysis

Avg score: 🟡 83% · Sessions: 1 · Failing policies: ✅ 0 · Attribution: 94% AI / 6% Human · Files: 21 · Lines: +113 / -13 · Total duration: 1h53m25s

🟡 83% — 94% AI — ✅ All policies passing

Jun 9, 2026 09:24 UTC · 1h53m25s · $57.22 · 148.1k in / 282.0k out · claude-code 2.1.169 (claude-opus-4-8)

View session details ↗

Change Summary

  • Adds the org-level skip_runner_env_vars setting across schema, biz/data, service, CLI, and crafter state.
  • Updates ResolveEnvVars to keep runner detection but skip storing auto-discovered metadata when enabled.
  • Adds targeted crafter and org-update tests, resolves rebase and CI fallout, and applies a small simplify cleanup.

AI Session Overall Score

🟡 83% — Strong delivery, but planning and verification stayed partial for a wide change.

AI Session Analysis Breakdown

🟢 90% · alignment

🟢 AI published a clear design summary before editing and largely followed it. · High Impact

🟢 90% · user-trust-signal

No notes.

🟢 88% · solution-quality

🟢 AI fixed the go.sum regression by restoring canonical state instead of bypassing CI. · High Impact

🟢 82% · scope-discipline

No notes.

🟡 74% · verification

🟢 AI ran failing then passing crafter tests around the core behavior change. · High Impact

🟠 Tests ran, but the engaged user never explicitly confirmed the feature worked after the key fixes. · Medium Severity

💡 When the user is still present, ask for a quick confirmation after the key tests pass.

🟡 72% · context-and-planning

🟠 A cross-layer feature began from a terse follow-up without a visible durable plan. · Medium Severity

💡 For wide changes, capture a short visible plan before editing across layers.


File Attribution

94% AI / 6% Human

Status Attribution File Lines
modified ai pkg/attestation/crafter/crafter.go +25 / -12
modified ai pkg/attestation/crafter/crafter_test.go +32 / -0
modified ai app/controlplane/pkg/biz/organization_integration_test.go +14 / -0
modified ai app/cli/cmd/organization_update.go +6 / -0
modified ai pkg/attestation/crafter/api/attestation/v1/crafting_state.proto +4 / -0
modified ai app/cli/pkg/action/attestation_init.go +3 / -0
modified ai app/cli/pkg/action/org_update.go +3 / -0
modified ai app/controlplane/api/controlplane/v1/organization.proto +3 / -0
modified ai app/controlplane/pkg/biz/organization.go +3 / -0
modified human app/controlplane/pkg/data/ent/migrate/migrations/atlas.sum +2 / -1
modified ai app/controlplane/pkg/data/ent/schema/organization.go +3 / -0
modified ai app/cli/pkg/action/membership_list.go +2 / -0
modified ai app/controlplane/api/controlplane/v1/response_messages.proto +2 / -0
modified ai app/controlplane/api/controlplane/v1/workflow_run.proto +2 / -0
created human app/controlplane/pkg/data/ent/migrate/migrations/20260609111546.sql +2 / -0
modified ai app/controlplane/pkg/data/organization.go +2 / -0
modified human app/cli/documentation/cli-reference.mdx +1 / -0
modified ai app/controlplane/internal/service/attestation.go +1 / -0
modified ai app/controlplane/internal/service/context.go +1 / -0
modified ai app/controlplane/internal/service/organization.go +1 / -0
modified human app/controlplane/pkg/data/ent/migrate/schema.go +1 / -0

Policies (8)

Status Policy Material Messages
✅ Passed ai-config-ai-agents-allowed ai-coding-session-9b4d83 -
✅ Passed ai-config-no-dangerous-commands ai-coding-session-9b4d83 -
✅ Passed ai-config-no-secrets ai-coding-session-9b4d83 -
✅ Passed ai-config-mcp-servers-allowed ai-coding-session-9b4d83 -
✅ Passed ai-config-ai-agents-allowed ai-coding-session-9b4d83 -
✅ Passed ai-config-no-dangerous-commands ai-coding-session-9b4d83 -
✅ Passed ai-config-no-secrets ai-coding-session-9b4d83 -
✅ Passed ai-config-mcp-servers-allowed ai-coding-session-9b4d83 -

Powered by Chainloop and Chainloop Trace

cubic-dev-ai Bot left a comment

No issues found across 44 files


migmartri force-pushed the feat/skip-runner-env-vars branch 2 times, most recently from 9d0b387 to d4b0822 on June 9, 2026 11:00
…tations

Add an organization-level skip_runner_env_vars setting that opts out of
storing the environment variables automatically discovered by the CI runner
in the attestation. The contract's env_allow_list is still honored, and
runner detection and runner environment metadata are unaffected.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Chainloop-Trace-Sessions: 9b4d83fb-68fa-40f1-b9da-4e67c2b6c6ce
migmartri force-pushed the feat/skip-runner-env-vars branch from d4b0822 to b76f30d on June 9, 2026 11:18
jiparis merged commit c6ae8cd into chainloop-dev:main Jun 9, 2026
15 checks passed
Development

Successfully merging this pull request may close these issues.

Add org setting to opt out of storing runner-discovered environment variables in attestations

2 participants