From b60dd79b6b29fd25ba94d2864d9d8c07babb13d9 Mon Sep 17 00:00:00 2001
From: Miguel Martinez Trivino
Date: Sat, 16 May 2026 12:51:33 +0200
Subject: [PATCH] fix(controlplane): allow workflow-scoped API tokens in find-or-create

FindOrCreateWorkflow rejected every workflow-scoped API token, including calls that targeted the token's own workflow. The check now compares the request's workflow name against the token's scope and only forbids cross-workflow calls.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino
Chainloop-Trace-Sessions: 3c7034e8-bf8f-485b-a6ee-5b8628b963ef, 72212199-5c7a-45d2-ab00-3ae15eb8e651
---
 app/controlplane/internal/service/attestation.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controlplane/internal/service/attestation.go b/app/controlplane/internal/service/attestation.go
index 974541762..8cf42c540 100644
--- a/app/controlplane/internal/service/attestation.go
+++ b/app/controlplane/internal/service/attestation.go
@@ -757,8 +757,8 @@ func (s *AttestationService) FindOrCreateWorkflow(ctx context.Context, req *cpAP
 		return nil, errors.NotFound("not found", "neither robot account nor API token found")
 	}
 
-	// Workflow-scoped API tokens cannot create or look up other workflows.
-	if token := entities.CurrentAPIToken(ctx); token != nil && token.WorkflowID != nil {
+	// Workflow-scoped API tokens may only target their own workflow.
+	if token := entities.CurrentAPIToken(ctx); token != nil && token.WorkflowName != nil && *token.WorkflowName != req.GetWorkflowName() {
 		return nil, errors.Forbidden("forbidden", "API token is workflow-scoped and cannot create or look up other workflows")
 	}
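Review bot: The guard is now triggered by `token.WorkflowName` instead of the `token.WorkflowID` the removed line used, so a token whose scope is recorded as an ID but whose name happens to be unset would skip the check entirely and fail open. Keeping the ID as the trigger and treating a missing name as a mismatch keeps it fail-closed: `if token := entities.CurrentAPIToken(ctx); token != nil && token.WorkflowID != nil && (token.WorkflowName == nil || *token.WorkflowName != req.GetWorkflowName()) {`. The comparison is also on the bare workflow name; if names are only unique within a project, a token scoped to one workflow would pass this check for a same-named workflow in another project unless a project-scope check elsewhere in FindOrCreateWorkflow catches it, which this hunk does not show. FindOrCreateWorkflow begins and ends outside the hunk.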