Skip to content

fix(signing): skip attestation upload when artifact exists #280

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 18, 2025
Merged

fix(signing): skip attestation upload when artifact exists #280

merged 2 commits into from
Nov 18, 2025

Conversation

@leodido
Copy link
Contributor

@leodido leodido commented Nov 18, 2025
edited
Loading

Problem

Multiple workflows building the same artifact concurrently can overwrite each other's SLSA attestations, causing verification failures. This happens when:

  1. Workflow A builds artifact (checksum A), uploads to S3, signs it, uploads attestation A
  2. Workflow B builds artifact (checksum B), finds artifact exists (skips upload), signs LOCAL artifact B, uploads attestation B
  3. Result: S3 has artifact A + attestation B → verification fails

Part of https://linear.app/ona-team/issue/CLC-2096/prevent-attestation-overwrites-in-concurrent-builds

Solution

Check both artifact and attestation existence before uploading:

  1. Both exist: Skip both uploads (prevents overwrites from concurrent builds)
  2. Only artifact exists: Upload attestation only (handles old builds before SLSA)
  3. Neither exists: Upload both (normal flow)
  4. HasFile check fails: Fallback to upload (safe default)

This ensures:

  • Concurrent builds don't overwrite each other's attestations
  • Old artifacts without attestations get attestations added
  • Safe fallback behavior when cache checks fail

Changes

Code Changes

  • Modified UploadArtifactWithAttestation to check attestation existence when artifact exists
  • Added logic to upload attestation only when artifact exists but attestation is missing
  • Updated logging to clearly indicate which scenario is occurring
  • Maintained safe fallback behavior when HasFile checks fail

Test Changes

  • Updated TestArtifactUploader_SkipsExistingArtifacts to verify both artifact and attestation exist
  • Added TestArtifactUploader_UploadsAttestationWhenMissing to test missing attestation scenario
  • Updated TestArtifactUploader_SimulatesDownloadedArtifactWorkflow to include attestation in setup
  • Updated TestArtifactUploader_PreventsAttestationOverwrite to verify race condition fix
  • Added TestArtifactUploader_AttestationCheckError to test fallback when attestation check fails

Testing

All tests pass:

  • 19 ArtifactUploader tests pass (added 2 new tests)
  • Complete signing package test suite passes (6.1s)
  • New tests verify all three scenarios work correctly

@leodido leodido self-assigned this Nov 18, 2025
@leodido @ona-agent
fix(signing): skip attestation upload when artifact exists
5fe1c50 
Prevents SLSA verification failures caused by attestation overwrites
in concurrent builds. When an artifact already exists in remote cache,
skip both artifact and attestation upload to preserve the existing
artifact's attestation.

Co-authored-by: Ona <no-reply@ona.com>
@leodido leodido force-pushed the fix/slsa-attestation-skip-upload branch from 44b762f to 5fe1c50 Compare November 18, 2025 14:00
geropl
geropl approved these changes Nov 18, 2025
View reviewed changes
Copy link
Member

@geropl geropl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@leodido @ona-agent
fix(signing): check attestation existence before skipping upload
2df617f 
When artifact exists, check if attestation also exists:
- If both exist: skip both uploads (prevents overwrites)
- If only artifact exists: upload attestation only (handles old builds)
- If HasFile check fails: fallback to upload (safe default)

This handles the case where artifacts exist from old builds before
SLSA attestation was implemented, ensuring attestations are uploaded
for those artifacts.

Co-authored-by: Ona <no-reply@ona.com>
@leodido leodido merged commit 0c95ac4 into main Nov 18, 2025
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@geropl geropl geropl approved these changes

@corneliusludmann corneliusludmann Awaiting requested review from corneliusludmann

@csweichel csweichel Awaiting requested review from csweichel

@iQQBot iQQBot Awaiting requested review from iQQBot

@kylos101 kylos101 Awaiting requested review from kylos101

Assignees

@leodido leodido

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@leodido @geropl