Skip to content

feat(attestation): opt-in CAS-only attestation storage#3087

Merged
migmartri merged 1 commit intochainloop-dev:mainfrom
migmartri:2126-attestation-cas-only-storage
May 4, 2026
Merged

feat(attestation): opt-in CAS-only attestation storage#3087
migmartri merged 1 commit intochainloop-dev:mainfrom
migmartri:2126-attestation-cas-only-storage

Conversation

@migmartri
Copy link
Copy Markdown
Member

@migmartri migmartri commented May 4, 2026
edited
Loading

Summary

Adds a controlplane config flag attestations.skip_db_storage that opts the platform out of writing attestation bundles to the database when an external CAS backend is configured.

When the flag is on and the workflow run's CAS backend is non-inline:

  • The bundle is uploaded to CAS synchronously (60s timeout) and CAS becomes the only durable copy.
  • Only the attestation digest is recorded on the workflow run; the attestation table row is skipped.
  • Reads transparently fall back to CAS via the existing layered resolver (cache → DB → CAS).

When the flag is off (default) or the CAS backend is inline, behaviour is unchanged: the bundle is persisted to the DB and, for non-inline backends, uploaded to CAS asynchronously.

Closes #2126

AI disclosure: this contribution was assisted by Claude Code.

@migmartri migmartri requested a review from a team May 4, 2026 16:18
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 4, 2026
View reviewed changes
Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 7 files

@migmartri migmartri force-pushed the 2126-attestation-cas-only-storage branch 3 times, most recently from afef5ca to 8af67c9 Compare May 4, 2026 16:27
migmartri
migmartri commented May 4, 2026
View reviewed changes
Comment thread app/controlplane/pkg/biz/workflowrun_integration_test.go Outdated
Comment thread app/controlplane/internal/service/attestation.go Outdated
@migmartri migmartri force-pushed the 2126-attestation-cas-only-storage branch 3 times, most recently from 1f0efa5 to 327efbe Compare May 4, 2026 20:06
migmartri
migmartri commented May 4, 2026
View reviewed changes
Comment thread app/controlplane/internal/service/attestation.go Outdated
@migmartri
feat(attestation): opt-in CAS-only attestation storage
1f42cb5 
Add a controlplane config flag attestations.skip_db_storage that, when
enabled and the workflow run's CAS backend is non-inline, uploads the
attestation bundle to CAS synchronously and records only the digest on
the workflow run, skipping the attestation table row. Inline backends
and the flag-off case keep the existing async upload and DB persistence
behaviour.

Refs chainloop-dev#2126

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri force-pushed the 2126-attestation-cas-only-storage branch from 327efbe to 1f42cb5 Compare May 4, 2026 20:12
@migmartri migmartri merged commit 0c7e54b into chainloop-dev:main May 4, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@matiasinsaurralde matiasinsaurralde matiasinsaurralde approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: do not store attestation in DB

2 participants

@migmartri @matiasinsaurralde