Context
After PR #292, we added a backward-compatibility fallback for artifacts built before provenance bundles were stored externally (outside the tar.gz). With the fallback, a build succeeds even when a dependency's .provenance.jsonl file is missing from the cache: the missing bundle is logged as a warning and skipped instead of failing the build.
Why Remove It
The fallback trades build availability for provenance completeness. Whenever a dependency's bundle is skipped, the resulting artifact's provenance omits that dependency's attestation and everything it transitively depends on, so a consumer verifying the artifact cannot prove its full lineage, and the omission is only visible as a warning in the build logs. Once every cached artifact has a provenance bundle, the fallback should be removed so that a missing bundle is a hard build failure again.
Removal Criteria
- No "Dependency provenance bundle not found" warnings for 2+ consecutive weeks
- All CI workflows using Leeway v0.15.0-rc5 or later
- Verified: all .tar.gz files in the S3 cache have corresponding .provenance.jsonl files
- Monitoring shows zero occurrences of missing provenance bundles
Verification Commands
```bash
# Check for artifacts without provenance in S3.
# `aws s3 ls --recursive` prints "<date> <time> <size> <key>" per object;
# the key is the fourth field (object keys in this cache contain no spaces).
# The bucket name is intentionally elided here.
aws s3 ls s3://<...>/ --recursive | \
grep "\.tar\.gz$" | \
while read -r line; do
  key=$(echo "$line" | awk '{print $4}')
  provenance_key="${key}.provenance.jsonl"
  # `aws s3 ls` on a single key exits non-zero when no object matches.
  if ! aws s3 ls "s3://<...>/$provenance_key" &>/dev/null; then
    echo "Missing provenance: $key"
  fi
done

# Check logs for warnings (should be zero).
# kubectl parses --since with Go's duration syntax, which has no week unit,
# so 2 weeks is written as 336h. Pod logs only reach back as far as the
# container log retention; for the full 2-week window, run the same grep
# against the log aggregation backend.
kubectl logs -l app=leeway-builder --since=336h | grep "Dependency provenance bundle not found" | wc -l
```
Implementation
Remove the if errors.Is(err, ErrNoAttestationBundle) block in pkg/leeway/provenance.go:getDependenciesProvenanceBundles() and restore the original error return.
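To make the behavioural change concrete, here is an added Go example (not leeway's own code; the real getDependenciesProvenanceBundles() signature and the ErrNoAttestationBundle declaration in pkg/leeway/provenance.go are not shown on this page, so the names, the BundleLoader type and the in-memory fakeCache are assumptions). collectWithFallback reproduces the fallback that is being removed: a dependency whose bundle is missing is warned about and skipped. collectStrict is the post-removal behaviour: the first missing bundle aborts collection with an error that still wraps the sentinel, so callers can tell a missing bundle apart from a transport failure.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ErrNoAttestationBundle stands in for the sentinel named in the issue.
// Assumption: the real declaration lives in pkg/leeway/provenance.go.
var ErrNoAttestationBundle = errors.New("dependency provenance bundle not found")

// BundleLoader returns the raw .provenance.jsonl bytes for one dependency's
// cache key. Hypothetical type; in leeway this would be backed by the S3 cache.
type BundleLoader func(key string) ([]byte, error)

// collectWithFallback mirrors the temporary behaviour added after PR #292:
// a missing bundle is logged through warn and skipped, so the returned set
// can silently lack transitive dependencies.
func collectWithFallback(keys []string, load BundleLoader, warn func(string)) (map[string][]byte, error) {
	bundles := make(map[string][]byte, len(keys))
	for _, k := range keys {
		b, err := load(k)
		if errors.Is(err, ErrNoAttestationBundle) {
			warn(fmt.Sprintf("Dependency provenance bundle not found: %s", k))
			continue
		}
		if err != nil {
			return nil, fmt.Errorf("loading provenance for %s: %w", k, err)
		}
		bundles[k] = b
	}
	return bundles, nil
}

// collectStrict is the behaviour to restore: any load error, including a
// missing bundle, fails the whole collection. The dependency key is added
// to the message and the original error is wrapped so errors.Is still works.
func collectStrict(keys []string, load BundleLoader) (map[string][]byte, error) {
	bundles := make(map[string][]byte, len(keys))
	for _, k := range keys {
		b, err := load(k)
		if err != nil {
			return nil, fmt.Errorf("loading provenance for %s: %w", k, err)
		}
		bundles[k] = b
	}
	return bundles, nil
}

// fakeCache is a constructed in-memory stand-in for the S3 cache: keys in
// the map have a bundle, every other key reports ErrNoAttestationBundle.
func fakeCache(have map[string]string) BundleLoader {
	return func(key string) ([]byte, error) {
		b, ok := have[key]
		if !ok {
			return nil, ErrNoAttestationBundle
		}
		return []byte(b), nil
	}
}

func main() {
	// Constructed sample: two dependencies have bundles, the third does not.
	load := fakeCache(map[string]string{
		"a.tar.gz": `{"_type":"https://in-toto.io/Statement/v1"}`,
		"b.tar.gz": `{"_type":"https://in-toto.io/Statement/v1"}`,
	})
	deps := []string{"a.tar.gz", "b.tar.gz", "c.tar.gz"}

	got, err := collectWithFallback(deps, load, func(msg string) { fmt.Println("WARN:", msg) })
	keys := make([]string, 0, len(got))
	for k := range got {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	fmt.Println("fallback:", keys, err) // incomplete set, nil error

	_, err = collectStrict(deps, load)
	fmt.Println("strict:", err, "| is sentinel:", errors.Is(err, ErrNoAttestationBundle))
}
```

The strict variant is what the removal criteria protect: once the S3 check and the log check both come back clean, collectStrict fails only when a bundle is genuinely absent, and that failure surfaces in CI instead of in an incomplete attestation.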
Timeline
Expected removal date: 2025-12-15 (4 weeks after v0.15.0-rc5 deployment)
Related
- PR #292 (fix: upload and download provenance bundles in S3 cache): provenance bundle upload/download support
- PR #283 (feat!: store in-toto provenance outside tar.gz): moved provenance outside the tar.gz