Skip to content

feat(attestation): add warning when outdated contract is used #2146

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jun 30, 2025
Merged

feat(attestation): add warning when outdated contract is used #2146

merged 4 commits into from
Jun 30, 2025

Conversation

Piskoo
Copy link
Collaborator

@Piskoo Piskoo commented Jun 27, 2025

Adds warning when outdated contract revisions are used during attestation:

WRN Newer contract revision available - latest revision: 3

Closes #1910

@Piskoo
feat(attestation): add warning when outdated contract is used
6c5dba6 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
migmartri
migmartri reviewed Jun 27, 2025
View reviewed changes
app/cli/internal/action/attestation_init.go Outdated
}

// Shows warning if newer contract revision exists
func (action *AttestationInit) WarnIfOutdatedContract(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it might be easier if we extend the init API response to include the latest version if it doesn't do it already

migmartri
migmartri requested changes Jun 29, 2025
View reviewed changes
Copy link
Member

@migmartri migmartri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, in fact I think I am wrong, there is an easier way that does not neither update the API endpoint nor doing an additional request.

The workflow response here should contain the number of the latest revision of the contract available for that workflow

chainloop/app/cli/internal/action/attestation_init.go

Line 125 in 729d68d

workflowsResp, err := client.FindOrCreateWorkflow(ctx, &pb.FindOrCreateWorkflowRequest{

and in that action, you also have the "desired" contract revision provided by the user (note that if you do not provide it, you'll get the default value 0 which means latest, so it's optional)

chainloop/app/cli/cmd/attestation_init.go

Line 90 in 729d68d

ContractRevision: contractRevision,

So basically the code shoudl just check if the value is provided and smaller that the latest one that comes from the workflow API

What do you think?

@Piskoo
refactor: get latest revision from workflow
1ab6366 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo
Copy link
Collaborator Author

Piskoo commented Jun 30, 2025

Ok, in fact I think I am wrong, there is an easier way that does not neither update the API endpoint nor doing an additional request.

The workflow response here should contain the number of the latest revision of the contract available for that workflow

chainloop/app/cli/internal/action/attestation_init.go

Line 125 in 729d68d

workflowsResp, err := client.FindOrCreateWorkflow(ctx, &pb.FindOrCreateWorkflowRequest{

and in that action, you also have the "desired" contract revision provided by the user (note that if you do not provide it, you'll get the default value 0 which means latest, so it's optional)

chainloop/app/cli/cmd/attestation_init.go

Line 90 in 729d68d

ContractRevision: contractRevision,

So basically the code shoudl just check if the value is provided and smaller that the latest one that comes from the workflow API

What do you think?

You are right, I've updated the code.

migmartri
migmartri reviewed Jun 30, 2025
View reviewed changes
app/cli/internal/action/attestation_init.go Outdated

// Shows warning if newer contract revision exists
func (action *AttestationInit) warnIfOutdatedContract(latestRevision, providedRevision int32) error {
if action.dryRun || action.useRemoteState || providedRevision == 0 {
Copy link
Member

@migmartri migmartri Jun 30, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why if remote state is set we should ignore it?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We actually shouldn't ignore it, since it does not really matter whether the attestation is stored or where it is stored.

migmartri
migmartri reviewed Jun 30, 2025
View reviewed changes
app/cli/internal/action/attestation_init.go Outdated
}
workflow := workflowsResp.GetResult()

if err := action.warnIfOutdatedContract(workflow.ContractRevisionLatest, int32(opts.ContractRevision)); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it feels like this method adds an unnecessary level of indirection. For example it can never return an error.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved remaining logic to Run function.

@Piskoo
refactor: simplify contract revision warning
e065f52 
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
migmartri
migmartri approved these changes Jun 30, 2025
View reviewed changes
@Piskoo @migmartri
update warning content
78c5f73 
Co-authored-by: Miguel Martinez Trivino <migmartri@gmail.com>
Signed-off-by: Sylwester Piskozub <sylwesterpiskozub@gmail.com>
@Piskoo Piskoo merged commit e461bc7 into chainloop-dev:main Jun 30, 2025
12 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Jun 30, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@migmartri migmartri migmartri approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

show a warning ot the user when they are pinned to an old version of the contract

2 participants

@Piskoo @migmartri