6 changes: 6 additions & 0 deletions app/cli/cmd/organization_update.go
Expand Up @@ -33,6 +33,7 @@ func newOrganizationUpdateCmd() *cobra.Command {
apiTokenMaxDaysInactive string
enableAIAgentCollector bool
blockAttestationsOnReleasedVersions bool
skipRunnerEnvVars bool
)

cmd := &cobra.Command{
Expand Down Expand Up @@ -64,6 +65,10 @@ func newOrganizationUpdateCmd() *cobra.Command {
opts.BlockAttestationsOnReleasedVersions = &blockAttestationsOnReleasedVersions
}

if cmd.Flags().Changed("skip-runner-env-vars") {
opts.SkipRunnerEnvVars = &skipRunnerEnvVars
}

if cmd.Flags().Changed("api-token-max-days-inactive") {
days, err := strconv.Atoi(apiTokenMaxDaysInactive)
if err != nil {
Expand Down Expand Up @@ -96,5 +101,6 @@ func newOrganizationUpdateCmd() *cobra.Command {
cmd.Flags().StringVar(&apiTokenMaxDaysInactive, "api-token-max-days-inactive", "", "maximum days of inactivity before API tokens are auto-revoked (e.g. '90', '0' to disable)")
cmd.Flags().BoolVar(&enableAIAgentCollector, "enable-ai-agent-collector", false, "enable automatic AI agent config collection during attestation init")
cmd.Flags().BoolVar(&blockAttestationsOnReleasedVersions, "block-attestations-on-released-versions", false, "reject new attestations pushed to project versions that are already released")
cmd.Flags().BoolVar(&skipRunnerEnvVars, "skip-runner-env-vars", false, "opt out of storing the environment variables automatically discovered by the CI runner in the attestation")
return cmd
}
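Review bot: The help string for `skip-runner-env-vars` in the last hunk does not say that the setting applies to the whole organization or how to turn it back off, which matters because it reduces what is recorded in that organization's attestations. The value is only sent when the flag is changed (second hunk), so reverting needs an explicit `=false`. I would word the help as `"do not store environment variables discovered by the CI runner in this organization's attestations (pass --skip-runner-env-vars=false to store them again)"`. newOrganizationUpdateCmd starts before the first hunk and continues between the hunks shown.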
1 change: 1 addition & 0 deletions app/cli/documentation/cli-reference.mdx
Expand Up @@ -2917,6 +2917,7 @@ Options
--policies-allowed-hostnames strings set the allowed hostnames for the policy engine
--prevent-implicit-workflow-creation prevent workflows and projects from being created implicitly during attestation init
--restrict-contract-creation restrict contract creation (org-level and project-level) to only organization admins (owner/admin roles)
--skip-runner-env-vars opt out of storing the environment variables automatically discovered by the CI runner in the attestation
```

Options inherited from parent commands
3 changes: 3 additions & 0 deletions app/cli/pkg/action/attestation_init.go
Expand Up @@ -200,6 +200,7 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
blockOnPolicyViolation bool
policiesAllowedHostnames []string
enableAIAgentCollector bool
skipRunnerEnvVars bool
// Timestamp Authority URL for new attestations
timestampAuthorityURL, signingCAName string
uiDashboardURL string
Expand Down Expand Up @@ -233,6 +234,7 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
blockOnPolicyViolation = result.GetBlockOnPolicyViolation()
policiesAllowedHostnames = result.GetPoliciesAllowedHostnames()
enableAIAgentCollector = result.GetEnableAiAgentCollector()
skipRunnerEnvVars = result.GetSkipRunnerEnvVars()
signingOpts := result.GetSigningOptions()
timestampAuthorityURL = signingOpts.GetTimestampAuthorityUrl()
signingCAName = signingOpts.GetSigningCa()
Expand Down Expand Up @@ -291,6 +293,7 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
Runner: discoveredRunner,
BlockOnPolicyViolation: blockOnPolicyViolation,
PoliciesAllowedHostnames: policiesAllowedHostnames,
SkipRunnerEnvVars: skipRunnerEnvVars,
SigningOptions: &crafter.SigningOpts{
TimestampAuthorityURL: timestampAuthorityURL,
SigningCAName: signingCAName,
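Review bot: `skipRunnerEnvVars` is only assigned from `result.GetSkipRunnerEnvVars()` in the second hunk, so on any path where `result` is not populated it keeps the zero value `false` and the runner-discovered variables are still stored. Whether such a path exists (for example a run that makes no control-plane call) is not visible here, because Run starts and ends outside these hunks; if it does, that default should be a deliberate choice. I would document it at the declaration, e.g. `// Org-level opt-out from the control plane; stays false (env vars stored) when no remote result is available`. A test asserting that the crafted state holds no runner-discovered variables when the flag is true would pin the behaviour the option promises.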
2 changes: 2 additions & 0 deletions app/cli/pkg/action/membership_list.go
Expand Up @@ -38,6 +38,7 @@ type OrgItem struct {
APITokenMaxDaysInactive *string `json:"apiTokenMaxDaysInactive,omitempty"`
EnableAIAgentCollector bool `json:"enableAiAgentCollector"`
BlockAttestationsOnReleasedVersions bool `json:"blockAttestationsOnReleasedVersions"`
SkipRunnerEnvVars bool `json:"skipRunnerEnvVars"`
}

type MembershipItem struct {
Expand Down Expand Up @@ -142,6 +143,7 @@ func pbOrgItemToAction(in *pb.OrgItem) *OrgItem {
PreventImplicitWorkflowCreation: in.PreventImplicitWorkflowCreation,
EnableAIAgentCollector: in.EnableAiAgentCollector,
BlockAttestationsOnReleasedVersions: in.BlockAttestationsOnReleasedVersions,
SkipRunnerEnvVars: in.SkipRunnerEnvVars,
}

if in.DefaultPolicyViolationStrategy == pb.OrgItem_POLICY_VIOLATION_BLOCKING_STRATEGY_BLOCK {
3 changes: 3 additions & 0 deletions app/cli/pkg/action/org_update.go
Expand Up @@ -42,6 +42,8 @@ type NewOrgUpdateOpts struct {
EnableAIAgentCollector *bool
// BlockAttestationsOnReleasedVersions rejects new attestations pushed to project versions that are already released
BlockAttestationsOnReleasedVersions *bool
// SkipRunnerEnvVars opts out of storing the environment variables automatically discovered by the CI runner in the attestation
SkipRunnerEnvVars *bool
}

func (action *OrgUpdate) Run(ctx context.Context, name string, opts *NewOrgUpdateOpts) (*OrgItem, error) {
Expand All @@ -54,6 +56,7 @@ func (action *OrgUpdate) Run(ctx context.Context, name string, opts *NewOrgUpdat
RestrictContractCreationToOrgAdmins: opts.RestrictContractCreation,
EnableAiAgentCollector: opts.EnableAIAgentCollector,
BlockAttestationsOnReleasedVersions: opts.BlockAttestationsOnReleasedVersions,
SkipRunnerEnvVars: opts.SkipRunnerEnvVars,
}

if opts.PoliciesAllowedHostnames != nil {
22 changes: 17 additions & 5 deletions app/controlplane/api/controlplane/v1/organization.pb.go


3 changes: 3 additions & 0 deletions app/controlplane/api/controlplane/v1/organization.proto
Expand Up @@ -108,6 +108,9 @@ message OrganizationServiceUpdateRequest {

// Reject new attestations pushed to project versions that are already released (prerelease == false)
optional bool block_attestations_on_released_versions = 9;

// Opt out of storing the environment variables automatically discovered by the CI runner in the attestation
optional bool skip_runner_env_vars = 10;
}

message OrganizationServiceUpdateResponse {
18 changes: 14 additions & 4 deletions app/controlplane/api/controlplane/v1/response_messages.pb.go


2 changes: 2 additions & 0 deletions app/controlplane/api/controlplane/v1/response_messages.proto
Expand Up @@ -393,6 +393,8 @@ message OrgItem {
bool enable_ai_agent_collector = 10;
// Whether new attestations are rejected on project versions that are already released (prerelease == false)
bool block_attestations_on_released_versions = 11;
// Whether the environment variables automatically discovered by the CI runner are skipped from the attestation
bool skip_runner_env_vars = 12;

enum PolicyViolationBlockingStrategy {
POLICY_VIOLATION_BLOCKING_STRATEGY_UNSPECIFIED = 0;
20 changes: 15 additions & 5 deletions app/controlplane/api/controlplane/v1/workflow_run.pb.go


2 changes: 2 additions & 0 deletions app/controlplane/api/controlplane/v1/workflow_run.proto
Expand Up @@ -152,6 +152,8 @@ message AttestationServiceInitResponse {
string ui_dashboard_url = 7;
// Whether AI agent config collection is enabled at the org level
bool enable_ai_agent_collector = 8;
// Whether to skip storing the environment variables automatically discovered by the CI runner in the attestation
bool skip_runner_env_vars = 9;
}

message SigningOptions {
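Review bot: The comment on `skip_runner_env_vars` does not say which side acts on the flag. As far as this diff shows, it is an instruction that the CLI reads from the init response and hands to the crafter, so a client built before field 9 existed would ignore it and keep storing the variables. If the control plane does not also drop them on its side (not visible here), the comment should say so, e.g. `// Honoured by the client during attestation init; clients that predate this field ignore it`. The AttestationServiceInitResponse message starts outside the hunk.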
19 changes: 19 additions & 0 deletions app/controlplane/api/gen/frontend/attestation/v1/crafting_state.ts

