fix(controlplane): exempt batch-local policy refs in contract apply #3230
Merged
javirln merged 2 commits into Jun 22, 2026
Contract apply resolved every policy and policy-group reference against the persisted registry, so a dry-run apply failed when a contract referenced a policy or policy group created in the same batch that was not yet persisted.

Add batch_policy_names and batch_policy_group_names to the apply request and treat references to those names as known instead of resolving them, while still validating remote references in both dry-run and real applies.

Assisted-by: Claude Code
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
Chainloop-Trace-Sessions: f56037fd-1000-4118-9de7-d532c82f30a2
AI Session Analysis
Missing AI Coding Sessions
We detected commits in this PR that were AI-assisted, but the matching Chainloop Trace session(s) could not be found in Chainloop. Please make sure the AI coding session evidence has been sent by the Chainloop CLI, or add the Learn more about Chainloop Trace. Powered by Chainloop and Chainloop Trace
3 issues found across 9 files
Address review feedback on contract apply batch exemption:

- Only honor the client-supplied batch name lists on a dry-run. A real apply persists batch resources before the contract, so it must always validate fully and never trust the client lists to skip validation.
- Only exempt bare references (no provider/org). References that explicitly target a remote provider or org are always validated, so a bare-name collision with a batch-local resource can no longer bypass validation.

Assisted-by: Claude Code
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
Chainloop-Trace-Sessions: f56037fd-1000-4118-9de7-d532c82f30a2
jiparis approved these changes Jun 22, 2026
Contract apply resolved every policy and policy-group reference against the persisted registry. As a result, a dry-run apply failed when a contract referenced a policy or policy group that was created in the same batch and therefore not yet persisted.
This adds batch_policy_names and batch_policy_group_names to the WorkflowContractService.Apply request. References whose name is in those sets are treated as known instead of being resolved against the registry, while remote references continue to be validated in both dry-run and real applies.

Assisted-by: Claude Code
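The two rules from the review-feedback commit above (honor the client lists only on a dry-run, exempt only bare references), as an added Go example that is not Chainloop's code. `PolicyRef`, `Unresolved`, the key layout and the map-based registry are hypothetical stand-ins, and the sample data is constructed.

```go
package main

import "fmt"

// PolicyRef is a hypothetical, already-parsed policy reference. A bare
// reference carries only a name; Provider or Org set means a remote target.
type PolicyRef struct {
	Provider, Org, Name string
}

func (r PolicyRef) bare() bool { return r.Provider == "" && r.Org == "" }

// key is the lookup key in the stand-in registry (assumed layout).
func (r PolicyRef) key() string { return r.Provider + ":" + r.Org + "/" + r.Name }

// exempt reports whether a reference may skip registry resolution. Both
// conditions must hold: the apply is a dry-run, and the reference is bare
// and named in the client-supplied batch list.
func exempt(r PolicyRef, dryRun bool, batch map[string]bool) bool {
	return dryRun && r.bare() && batch[r.Name]
}

// Unresolved returns the references that fail validation against the
// persisted registry (modelled here as a set of keys).
func Unresolved(refs []PolicyRef, dryRun bool, batchNames []string, registry map[string]bool) []PolicyRef {
	batch := make(map[string]bool, len(batchNames))
	for _, n := range batchNames {
		batch[n] = true
	}
	var failed []PolicyRef
	for _, r := range refs {
		if exempt(r, dryRun, batch) {
			continue // created earlier in the same batch, not persisted yet
		}
		if !registry[r.key()] {
			failed = append(failed, r)
		}
	}
	return failed
}

func main() {
	// Constructed sample data: one persisted policy, one batch-local name.
	registry := map[string]bool{":/sbom-present": true}
	refs := []PolicyRef{{Name: "sbom-present"}, {Name: "new-policy"}, {Provider: "remote", Name: "new-policy"}}
	fmt.Println(Unresolved(refs, true, []string{"new-policy"}, registry))  // dry-run
	fmt.Println(Unresolved(refs, false, []string{"new-policy"}, registry)) // real apply
}
```

On the dry-run only the provider-qualified reference is reported; on the real apply the client list is ignored and both `new-policy` references are reported, because nothing by that name is in the stand-in registry.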