fix(controlplane): allow workflow-scoped API tokens in find-or-create #3123

Merged: migmartri merged 1 commit into chainloop-dev:main from migmartri:fix/workflow-scoped-tokens-find-or-create on May 18, 2026

@migmartri migmartri commented May 16, 2026

Summary

AttestationService.FindOrCreateWorkflow rejected every workflow-scoped API token (token.WorkflowID != nil), so a token issued for workflow X could not even call FindOrCreate against X itself. The check now compares the request's workflow name to the token's own WorkflowName and only forbids cross-workflow calls.

This contribution was made with the assistance of AI (Claude Code).
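
The scope check described in the summary above, as an added Go example that is not Chainloop's code: `APIToken`, `checkBefore`, `checkAfter` and `ErrForbidden` are hypothetical, and only the `WorkflowID` and `WorkflowName` field names come from the PR. Rejecting a scoped token that carries no workflow name is an assumption made here so the check fails closed.

```go
package main

import (
	"errors"
	"fmt"
)

// APIToken is a hypothetical, reduced token model. Only the two field
// names are taken from the PR summary.
type APIToken struct {
	WorkflowID   *string // nil: the token is not workflow-scoped
	WorkflowName string  // workflow the token was issued for
}

var ErrForbidden = errors.New("forbidden")

// checkBefore reproduces the behaviour the summary reports as broken:
// every workflow-scoped token is rejected, even for its own workflow.
func checkBefore(t APIToken, requestedWorkflow string) error {
	if t.WorkflowID != nil {
		return ErrForbidden
	}
	return nil
}

// checkAfter forbids only cross-workflow calls. A scoped token with an
// empty name is rejected (assumption: fail closed on incomplete scope).
func checkAfter(t APIToken, requestedWorkflow string) error {
	if t.WorkflowID == nil {
		return nil // unscoped token: this check does not apply
	}
	if t.WorkflowName == "" || t.WorkflowName != requestedWorkflow {
		return ErrForbidden
	}
	return nil
}

func main() {
	id := "wf-x-id" // constructed sample value
	scoped := APIToken{WorkflowID: &id, WorkflowName: "X"}
	for _, wf := range []string{"X", "Y"} {
		fmt.Printf("request %s: before=%v after=%v\n",
			wf, checkBefore(scoped, wf), checkAfter(scoped, wf))
	}
}
```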

chainloop-platform Bot commented May 16, 2026

AI Session Analysis

Missing AI Coding Sessions

We detected commits in this PR that were AI-assisted, but the matching Chainloop Trace session(s) could not be found in Chainloop.

Please make sure the AI coding session evidence has been sent by the Chainloop CLI, or add the skip-ai-session label to this PR to bypass this check.

Learn more about Chainloop Trace.


Powered by Chainloop and Chainloop Trace

@migmartri migmartri requested a review from a team May 16, 2026 10:53
@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 5 files

@migmartri migmartri marked this pull request as draft May 16, 2026 11:11
FindOrCreateWorkflow rejected every workflow-scoped API token,
including calls that targeted the token's own workflow. The check
now compares the request's workflow name against the token's
scope and only forbids cross-workflow calls.

Assisted-by: Claude Code
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Chainloop-Trace-Sessions: 3c7034e8-bf8f-485b-a6ee-5b8628b963ef, 72212199-5c7a-45d2-ab00-3ae15eb8e651
@migmartri migmartri force-pushed the fix/workflow-scoped-tokens-find-or-create branch from fdc4bf8 to b60dd79 Compare May 16, 2026 11:12
@migmartri migmartri marked this pull request as ready for review May 16, 2026 19:09
@migmartri migmartri merged commit c175efb into chainloop-dev:main May 18, 2026
14 of 15 checks passed