chainloop
feat(contract): reject attestation level policies in materials
This PR adds validation to contract creation and update that prevents assigning policies that contain an execution path for kind ATTESTATION at the material level.
Example:
For sbom-present policy

```yaml
apiVersion: workflowcontract.chainloop.dev/v1
kind: Policy
metadata:
  name: sbom-present
  description: desc
spec:
  policies:
    - kind: ATTESTATION
      path: sbom-present.rego
```

Valid contract

```yaml
schema_version: v1
policies:
  attestation:
    - ref: sbom-present
```

Passes, the contract is created/updated

Invalid contract

```yaml
schema_version: v1
policies:
  materials:
    - ref: sbom-present
```

Returns

```
ERR validation error: attestation policy "sbom-present" cannot be attached to materials
exit status 1
```
Already existing contracts are unaffected. An invalid contract will also fail if a raw contract is given during `att init` in the `--contract` flag.
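
The rule described in this PR, as an added Go example that is not Chainloop's own implementation: it rejects any policy referenced under `materials` that contains an `ATTESTATION` execution path, including a policy that mixes kinds. The types, function names, the `mixed` and `material-only` policies and the `SBOM_CYCLONEDX_JSON` kind used in them are constructed for illustration, and failing on unresolved references is an assumption.

```go
package main

import "fmt"

// Hypothetical, simplified types for illustration; not Chainloop's own structs.
type PolicySpec struct{ Kind, Path string }

type Policy struct {
	Name  string
	Specs []PolicySpec
}

type Contract struct {
	AttestationRefs []string // policies.attestation[].ref
	MaterialRefs    []string // policies.materials[].ref
}

// ValidateMaterialPolicies returns an error if any policy referenced under
// materials contains an execution path of kind ATTESTATION.
func ValidateMaterialPolicies(c Contract, known map[string]Policy) error {
	for _, ref := range c.MaterialRefs {
		p, ok := known[ref]
		if !ok {
			// Assumption: fail closed on references that cannot be resolved.
			return fmt.Errorf("policy %q not found", ref)
		}
		for _, s := range p.Specs {
			if s.Kind == "ATTESTATION" {
				return fmt.Errorf("attestation policy %q cannot be attached to materials", p.Name)
			}
		}
	}
	return nil
}

// SamplePolicies returns constructed sample data: the sbom-present policy from
// the PR text plus two made-up policies (one mixed-kind, one material-only).
func SamplePolicies() map[string]Policy {
	return map[string]Policy{
		"sbom-present":  {Name: "sbom-present", Specs: []PolicySpec{{"ATTESTATION", "sbom-present.rego"}}},
		"mixed":         {Name: "mixed", Specs: []PolicySpec{{"SBOM_CYCLONEDX_JSON", "sbom.rego"}, {"ATTESTATION", "att.rego"}}},
		"material-only": {Name: "material-only", Specs: []PolicySpec{{"SBOM_CYCLONEDX_JSON", "sbom.rego"}}},
	}
}

func main() {
	known := SamplePolicies()
	fmt.Println(ValidateMaterialPolicies(Contract{AttestationRefs: []string{"sbom-present"}}, known))
	fmt.Println(ValidateMaterialPolicies(Contract{MaterialRefs: []string{"sbom-present"}}, known))
	fmt.Println(ValidateMaterialPolicies(Contract{MaterialRefs: []string{"material-only", "mixed"}}, known))
}
```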