Skip to content

refactor: remove the public attribute from workflows#3283

Open
matiasinsaurralde wants to merge 1 commit into
mainfrom
refactor/public-workflows
Open

refactor: remove the public attribute from workflows#3283
matiasinsaurralde wants to merge 1 commit into
mainfrom
refactor/public-workflows

Conversation

@matiasinsaurralde

@matiasinsaurralde matiasinsaurralde commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Summary

Removes the workflow public feature from Chainloop. Public workflows previously made a workflow's runs, attestations, materials and CAS artifacts readable by any authenticated user across organizations. With this change, access to that evidence is organization-scoped only and honors project RBAC.

What changes

  • The public attribute is removed from workflows, including the workflows.public database column.
  • Workflow-run and CAS-mapping lookups are now organization-strict; WorkflowRunService.View always applies project RBAC.
  • The cross-organization public download fallback for CAS artifacts is removed.
  • The public shared referrer index is retired, including the DiscoverPublicShared API and its configuration.
  • The CLI --public flags (workflow create, workflow update, referrer discover) and the Public column in workflow list are removed.
  • The corresponding API fields are removed and their tag numbers reserved; WorkflowItem.public is kept as a deprecated, always-false field for wire compatibility.
  • A database migration drops the public column.

Notes

This is an API and behavior change: existing public workflows become organization-only, the DiscoverPublicShared endpoint is removed, and the CLI --public flags no longer exist.

Review in cubic

@chainloop-platform

chainloop-platform Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

AI Session Analysis

Avg score Sessions Failing policies Attribution Files Lines Total Duration
🟢 86% 1 ⚠️ 1 74% AI / 26% Human 56 +165 / -1072 23h17m21s

🟢 86% — 74% AI — ⚠️ 1 policies failing

Jul 10, 2026 03:29 UTC · 23h17m21s · $383.33 · 154.9k in / 1.3M out · claude-code 2.1.205 (claude-opus-4-8)

View session details ↗

Change Summary

  • Removes the workflow public attribute across controlplane, CLI, and API surfaces.
  • Retires public-shared referrer behavior, related config, and the supporting migration/generated artifacts.
  • Tightens organization-scoped lookups and restores explicit CAS-mapping workflow-run validation after CI exposed a regression.
  • Verifies the branch with builds, targeted and broad Go tests, buf breaking, and make api idempotence checks.

AI Session Overall Score

🟢 86% — Well-planned, high-confidence refactor; only final user confirmation is missing.

AI Session Analysis Breakdown

🟢 92% · alignment

No notes.

🟢 91% · user-trust-signal

No notes.

🟢 90% · scope-discipline

🟢 Staging explicitly excluded local configs and analysis docs from the commit. · High Impact

🟢 88% · context-and-planning

🟢 AI wrote a 9-step plan before starting the implementation phase. · High Impact

🟢 86% · solution-quality

No notes.

🟡 75% · verification

🟢 CI failures were reproduced, fixed, and rechecked with broad test coverage. · High Impact

🟠 The user stayed active but never explicitly confirmed the final branch behavior after the last fixes. · Medium Severity

💡 When the user is present, close with a concrete confirmation step instead of relying only on self-reported test output.


File Attribution

██████████████░░░░░░ 74% AI / 26% Human

Status Attribution File Lines
modified ai app/controlplane/pkg/biz/referrer_integration_test.go +1 / -138
modified ai app/controlplane/pkg/biz/referrer.go +4 / -84
modified ai app/controlplane/pkg/data/casmapping.go +14 / -72
modified human app/controlplane/api/gen/openapi/openapi.yaml +0 / -80
modified ai app/controlplane/pkg/data/referrer.go +20 / -57
deleted human app/controlplane/internal/conf/controlplane/config/v1/conf_test.go +0 / -75
modified human app/controlplane/pkg/biz/mocks/CASMappingRepo.go +0 / -68
modified ai app/controlplane/pkg/biz/casmapping_integration_test.go +12 / -49
modified ai app/controlplane/api/controlplane/v1/referrer.proto +2 / -50
modified ai app/controlplane/pkg/biz/workflowrun.go +10 / -42
deleted human app/controlplane/internal/conf/controlplane/config/v1/conf.go +0 / -41
modified ai app/controlplane/pkg/biz/referrer_test.go +1 / -38
modified ai app/controlplane/pkg/biz/casmapping.go +6 / -22
modified ai app/controlplane/pkg/biz/workflowrun_integration_test.go +15 / -13
modified ai app/cli/pkg/action/referrer_discover.go +0 / -26
modified ai app/controlplane/pkg/biz/workflow_integration_test.go +3 / -23
modified ai app/controlplane/internal/service/referrer.go +0 / -21
modified human app/controlplane/pkg/data/ent/migrate/schema.go +8 / -9
modified ai app/controlplane/internal/conf/controlplane/config/v1/conf.proto +2 / -13
modified ai buf.yaml +15 / -0
modified ai app/controlplane/pkg/biz/workflow.go +1 / -13
modified ai app/cli/cmd/referrer_discover.go +1 / -11
modified ai app/controlplane/api/controlplane/v1/workflow.proto +7 / -5
modified ai app/controlplane/internal/service/workflow.go +2 / -10
modified ai app/controlplane/internal/service/workflowrun.go +5 / -7

…and 31 more file(s).


Policies (4, 1 failing)

Status Policy Material Messages
✅ Passed ai-config-ai-agents-allowed ai-coding-session-338594 -
✅ Passed ai-config-no-dangerous-commands ai-coding-session-338594 -
⚠️ Failed ai-config-no-secrets ai-coding-session-338594 Potential secret (Quoted API key/password) found in session content [turn=516, source=tool_result, line=267, value=TOKEN='<...ve>']
✅ Passed ai-config-mcp-servers-allowed ai-coding-session-338594 -

Powered by Chainloop and Chainloop Trace

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 88 files

Re-trigger cubic

Remove the workflow "public" feature entirely. Access to workflow runs,
their evidence and CAS artifacts is now organization-scoped only
(honoring project RBAC); the public evidence surfaces are retired.

- Drop the workflows.public column and the Workflow.Public field
- Replace the public-aware lookups with organization-strict ones
  (add GetByDigestInOrg); WorkflowRunService.View always enforces RBAC
- Remove the CAS-mapping public download fallback
- Retire the public shared referrer index (DiscoverPublicShared RPC,
  ReferrerSharedIndex config, InPublicWorkflow visibility), including its
  Helm chart values and control-plane config
- Remove the CLI --public flags and the workflow list Public column
- Delete/reserve the corresponding proto fields; WorkflowItem.public is
  kept as a deprecated, always-false field for wire compatibility

Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
@matiasinsaurralde matiasinsaurralde force-pushed the refactor/public-workflows branch from 95d5f79 to 13c6a4e Compare July 11, 2026 02:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant