feat(policies): add attestation phase lifecycle control #2765
Merged
migmartri merged 4 commits into chainloop-dev:main from Feb 20, 2026
…luation Add an AttestationPhase enum (INIT, STATUS, PUSH) and an attestation_phases field on PolicySpecV2 so policy authors can control at which attestation lifecycle phase their policy is evaluated. When no phases are specified the policy runs at all phases, preserving backwards compatibility. The init command now passes EvalPhaseInit when calling status after initialization, so policies can distinguish between init-time and explicit status-time evaluation. Closes chainloop-dev#2764 Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
544be66 to e47b11c
…cross-phase results Remove skipPolicyEvaluation in favor of eval phase hooks. Status always evaluates and displays policy results from crafting state. EvaluateAttestationPolicies now preserves attestation-level evaluations from other phases instead of replacing them. Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
…cross-phase results Remove skipPolicyEvaluation in favor of eval phase hooks. Status always reads policy evaluations from crafting state regardless of evaluation. EvaluateAttestationPolicies now preserves attestation-level evaluations from other phases instead of replacing them. Add WithSkipPolicyEvaluation to disable evaluation entirely while still displaying existing results from state. Push uses this for its internal status call and evaluates manually with EvalPhasePush afterward. Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
Remove the STATUS phase from the AttestationPhase enum, simplifying the attestation lifecycle to INIT and PUSH. Policy evaluation is moved out of the status action into the init action explicitly, following the same pattern push already uses. The status command becomes a pure read-only observer that displays existing evaluations from crafting state. Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
jiparis reviewed Feb 20, 2026
jiparis approved these changes Feb 20, 2026
supersedes #2762
Summary
- `AttestationPhase` enum (`INIT`, `PUSH`) to the crafting schema proto to control when attestation policies are evaluated
- `attestation_phases` field on `PolicySpecV2` so policy authors can restrict evaluation to specific lifecycle phases
- `attestation status` command — status is now a read-only observer that displays existing evaluations from crafting state
- `attestation init` evaluates policies explicitly at `INIT` phase, `attestation push` evaluates at `PUSH` phase
- Closes #2764
Example
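The phase gating and cross-phase result handling that the commit messages and summary describe, as an added Go sketch that is not Chainloop's own code and not the example the PR description refers to: `PolicySpec`, `CraftingState`, `EvaluatePolicies`, `Status` and the `Evaluator` callback are hypothetical stand-ins for `PolicySpecV2`, the crafting state and the init/push/status actions, and the policy names are constructed. It shows the three behaviours the PR states: an empty phase list runs the policy at every phase, a later phase only overwrites the results of the policies it actually evaluated, and status reads state without evaluating.

```go
package main

import (
	"fmt"
	"sort"
)

// AttestationPhase mirrors the two phases the PR keeps in the enum: INIT and PUSH.
type AttestationPhase string

const (
	PhaseInit AttestationPhase = "INIT"
	PhasePush AttestationPhase = "PUSH"
)

// PolicySpec is a hypothetical stand-in for PolicySpecV2 (assumption: only the
// name and the attestation_phases list are modelled here).
type PolicySpec struct {
	Name   string
	Phases []AttestationPhase // empty list = evaluate at every phase (backwards compatible)
}

// AppliesTo reports whether the policy is gated into the given phase.
func (p PolicySpec) AppliesTo(phase AttestationPhase) bool {
	if len(p.Phases) == 0 {
		return true
	}
	for _, ph := range p.Phases {
		if ph == phase {
			return true
		}
	}
	return false
}

// Evaluation records one policy result together with the phase that produced it.
type Evaluation struct {
	Policy string
	Phase  AttestationPhase
	Passed bool
}

// CraftingState is a hypothetical stand-in for the crafting state; evaluations
// are keyed by policy name so that a later phase only overwrites its own policies.
type CraftingState struct {
	Evaluations map[string]Evaluation
}

// Evaluator is the pluggable policy engine; the real one runs the policy body.
type Evaluator func(spec PolicySpec, phase AttestationPhase) bool

// EvaluatePolicies runs every policy that applies at phase and merges the
// results into state. Results recorded by other phases are preserved rather
// than replaced, which is the cross-phase behaviour the PR describes.
func EvaluatePolicies(state *CraftingState, specs []PolicySpec, phase AttestationPhase, eval Evaluator) []Evaluation {
	if state.Evaluations == nil {
		state.Evaluations = make(map[string]Evaluation)
	}
	var ran []Evaluation
	for _, spec := range specs {
		if !spec.AppliesTo(phase) {
			continue
		}
		ev := Evaluation{Policy: spec.Name, Phase: phase, Passed: eval(spec, phase)}
		state.Evaluations[spec.Name] = ev
		ran = append(ran, ev)
	}
	return ran
}

// Status is the read-only observer: it reports what is in the crafting state
// and never triggers an evaluation.
func Status(state *CraftingState) []Evaluation {
	out := make([]Evaluation, 0, len(state.Evaluations))
	for _, ev := range state.Evaluations {
		out = append(out, ev)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Policy < out[j].Policy })
	return out
}

func main() {
	// Constructed sample policies: one gated to INIT, one to PUSH, one ungated.
	specs := []PolicySpec{
		{Name: "materials-declared", Phases: []AttestationPhase{PhaseInit}},
		{Name: "sbom-attached", Phases: []AttestationPhase{PhasePush}},
		{Name: "signed-by-ci"}, // no phases: runs at both INIT and PUSH
	}
	alwaysPass := func(PolicySpec, AttestationPhase) bool { return true }

	state := &CraftingState{}
	EvaluatePolicies(state, specs, PhaseInit, alwaysPass) // what `attestation init` does
	EvaluatePolicies(state, specs, PhasePush, alwaysPass) // what `attestation push` does
	for _, ev := range Status(state) {                    // what `attestation status` shows
		fmt.Printf("%-20s phase=%-4s passed=%v\n", ev.Policy, ev.Phase, ev.Passed)
	}
}
```

After both phases the state holds three entries: the INIT-only policy keeps its INIT result, the PUSH-only policy appears once, and the ungated policy carries the PUSH result because it was re-evaluated there. Keying by policy name is the assumption that makes the merge work; a state that stores a flat list would have to be replaced wholesale, which is the behaviour the PR moved away from.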