fix(cli): skip policy evaluation during attestation init status display #2762
Closed
migmartri wants to merge 6 commits into chainloop-dev:main from
The init command calls attestation status immediately after initialization to show the current state. This was triggering policy evaluation against an empty attestation statement, which is unnecessary and confusing. Fixes chainloop-dev#2761 Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
…and push The init command calls attestation status after initialization to display state. This triggered policy evaluation against an empty attestation, which is unnecessary. The push command also called status for display purposes and then evaluated policies again separately with the final statement, causing duplicate evaluations. Pass WithSkipPolicyEvaluation() to both internal status calls since the mechanism already existed but wasn't being used. Fixes chainloop-dev#2761 Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
The status call in push was skipping policy evaluation (to avoid duplicate work), but this also skipped reading existing evaluations from the crafting state. Move GetPolicyEvaluations outside the skip block so status always reads existing evaluations, and populate the status result in push after the actual policy evaluation completes. Fixes chainloop-dev#2761 Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
All callers are within the action package, no need to export it. Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Piskoo
approved these changes
Feb 20, 2026
jiparis
reviewed
Feb 20, 2026
| return nil, fmt.Errorf("creating status action: %w", err) | ||
| } | ||
| attestationStatus, err := statusAction.Run(ctx, attestationID) | ||
| attestationStatus, err := statusAction.Run(ctx, attestationID, WithSkipPolicyEvaluation()) |
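Review bot: the changed statusAction.Run(ctx, attestationID, WithSkipPolicyEvaluation()) call carries no comment saying why evaluation is skipped here, and a skip option on a status call reads like a suppressed check to anyone auditing this path later. Add a one-line comment at the call stating that this status is for display only and where the authoritative evaluation runs, and add a test asserting that attestationStatus still carries evaluations that already exist when the option is set.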
Member
Looking at the code, it might not make sense to call StatusAction at this point, but rather to do it after it has been rendered and all evaluations have been done.
jiparis
reviewed
Feb 20, 2026
| } | ||
|
|
||
| res, err := statusAction.Run(cmd.Context(), attestationID) | ||
| res, err := statusAction.Run(cmd.Context(), attestationID, action.WithSkipPolicyEvaluation()) |
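Review bot: res at the changed statusAction.Run(cmd.Context(), attestationID, action.WithSkipPolicyEvaluation()) line is now built without evaluation, and the visible lines do not show what consumes res. If it is rendered to the user or used to decide the command's exit status, missing evaluations would look the same as a clean result; either keep evaluation on at this call site or make the skipped state explicit in the output, and cover the case with a test.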
Member
Here we may be losing relevant evaluations (git commit signature, crafter checks, gather info, PR metadata, etc.)
Member
Author
ok, I am going to stop this PR and instead work on a lifecycle management per-policy.
Thanks
Member
Author
replaced by #2765
Both attestation init and attestation push call AttestationStatus.Run() internally for display purposes. Previously, each of these calls triggered a full policy re-evaluation which was either unnecessary (init evaluating against an empty attestation) or redundant (push evaluating twice).

This change passes WithSkipPolicyEvaluation() to these internal status calls so they skip re-evaluation. Existing policy evaluations stored in the crafting state are always included in the result regardless of this flag. In the push flow, the status result is explicitly populated with policy evaluations after the push performs its own evaluation.

Fixes #2761
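The contract stated in the description and in the third commit message (skipping re-evaluation must not drop evaluations already stored in the crafting state), as an added Go model that is not code from the Chainloop repository. Only the option name WithSkipPolicyEvaluation comes from this page; the types, function bodies and sample data are assumptions.

```go
package main

import "fmt"

// Evaluation is a constructed stand-in for one stored policy result.
type Evaluation struct {
	Policy     string
	Violations int
}

// craftingState is a hypothetical model of the persisted crafting state.
type craftingState struct{ stored []Evaluation }

// StatusOption and its constructor: option name from the PR, bodies assumed.
type StatusOption func(skip *bool)

func WithSkipPolicyEvaluation() StatusOption { return func(skip *bool) { *skip = true } }

func skipRequested(opts []StatusOption) (skip bool) {
	for _, opt := range opts {
		opt(&skip)
	}
	return skip
}

// evaluate is a hypothetical re-evaluation that records one fresh result.
func evaluate(s *craftingState) { s.stored = append(s.stored, Evaluation{Policy: "fresh-eval"}) }

// statusBuggy reads stored results only when it also evaluates, so skip hides them.
func statusBuggy(s *craftingState, opts ...StatusOption) []Evaluation {
	if skipRequested(opts) {
		return nil
	}
	evaluate(s)
	return append([]Evaluation(nil), s.stored...)
}

// statusFixed gates only the re-evaluation; the read always happens.
func statusFixed(s *craftingState, opts ...StatusOption) []Evaluation {
	if !skipRequested(opts) {
		evaluate(s)
	}
	return append([]Evaluation(nil), s.stored...)
}

func main() {
	s := &craftingState{stored: []Evaluation{{Policy: "commit-signature", Violations: 1}}} // constructed
	fmt.Println("buggy:", statusBuggy(s, WithSkipPolicyEvaluation()))
	fmt.Println("fixed:", statusFixed(s, WithSkipPolicyEvaluation()))
}
```

In the buggy variant a recorded violation disappears from the status output whenever the skip option is set, which is the failure the reviewer raised for the second call site.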