Skip to content

refactor: remove the public attribute from workflows#3283

Merged
matiasinsaurralde merged 1 commit into
mainfrom
refactor/public-workflows
Jul 13, 2026
Merged

refactor: remove the public attribute from workflows#3283
matiasinsaurralde merged 1 commit into
mainfrom
refactor/public-workflows

Conversation

@matiasinsaurralde

@matiasinsaurralde matiasinsaurralde commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Summary

Removes the workflow public feature from Chainloop. Public workflows previously made a workflow's runs, attestations, materials and CAS artifacts readable by any authenticated user across organizations. With this change, access to that evidence is organization-scoped only and honors project RBAC.

What changes

  • The public attribute is removed from workflows, including the workflows.public database column.
  • Workflow-run and CAS-mapping lookups are now organization-strict; WorkflowRunService.View always applies project RBAC.
  • The cross-organization public download fallback for CAS artifacts is removed.
  • The public shared referrer index is retired, including the DiscoverPublicShared API and its configuration.
  • The CLI --public flags (workflow create, workflow update, referrer discover) and the Public column in workflow list are removed.
  • The corresponding API fields are removed and their tag numbers reserved; WorkflowItem.public is kept as a deprecated, always-false field for wire compatibility.
  • A database migration drops the public column.

Notes

This is an API and behavior change: existing public workflows become organization-only, the DiscoverPublicShared endpoint is removed, and the CLI --public flags no longer exist.

Review in cubic

@chainloop-platform

chainloop-platform Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

AI Session Analysis

Avg score Sessions Failing policies Attribution Files Lines Total Duration
🟢 85% 1 ⚠️ 1 76% AI / 24% Human 53 +155 / -1059 83h41m33s

🟢 85% — 76% AI — ⚠️ 1 policies failing

Jul 10, 2026 03:29 UTC · 83h41m33s · $429.76 · 155.0k in / 1.4M out · claude-code 2.1.205 (claude-opus-4-8)

View session details ↗

Change Summary

  • Removes org-or-public workflow access paths in favor of org-scoped lookups and RBAC-only viewing.
  • Retires public workflow surfaces across referrer APIs, CLI flags and columns, and Helm/config wiring.
  • Deletes or reserves related proto fields; keeps WorkflowItem.public deprecated and always false for compatibility.
  • Keeps the database column in place for expand/contract rollout while regenerating API and ent artifacts.

AI Session Overall Score

🟢 85% — Strong iterative refactor; only the final user-confirmation signal is missing.

AI Session Analysis Breakdown

🟢 90% · user-trust-signal

🟢 User stayed engaged with clear follow-ups and no frustration markers. · High Impact

🟢 89% · context-and-planning

🟢 Implementation ran off a maintained nine-step TodoWrite plan after scope reset. · High Impact

🟢 88% · alignment

No notes.

🟢 85% · scope-discipline

No notes.

🟢 84% · solution-quality

No notes.

🟡 79% · verification

🟢 CI failures were reproduced, fixed, and re-tested before the final amend. · High Impact

🟠 Automated checks were thorough, but the engaged user never explicitly confirmed the final behavior worked. · Medium Severity

💡 When heavy automated checks pass, still ask for one concrete runtime acknowledgment before closing.


File Attribution

███████████████░░░░░ 76% AI / 24% Human

Status Attribution File Lines
modified ai app/controlplane/pkg/biz/referrer_integration_test.go +1 / -138
modified ai app/controlplane/pkg/biz/referrer.go +4 / -84
modified ai app/controlplane/pkg/data/casmapping.go +14 / -72
modified human app/controlplane/api/gen/openapi/openapi.yaml +0 / -80
modified ai app/controlplane/pkg/data/referrer.go +20 / -57
deleted human app/controlplane/internal/conf/controlplane/config/v1/conf_test.go +0 / -75
modified human app/controlplane/pkg/biz/mocks/CASMappingRepo.go +0 / -68
modified ai app/controlplane/pkg/biz/casmapping_integration_test.go +12 / -49
modified ai app/controlplane/api/controlplane/v1/referrer.proto +2 / -50
modified ai app/controlplane/pkg/biz/workflowrun.go +10 / -42
deleted human app/controlplane/internal/conf/controlplane/config/v1/conf.go +0 / -41
modified ai app/controlplane/pkg/biz/referrer_test.go +1 / -38
modified ai app/controlplane/pkg/biz/casmapping.go +6 / -22
modified ai app/controlplane/pkg/biz/workflowrun_integration_test.go +15 / -13
modified ai app/cli/pkg/action/referrer_discover.go +0 / -26
modified ai app/controlplane/pkg/biz/workflow_integration_test.go +3 / -23
modified ai app/controlplane/internal/service/referrer.go +0 / -21
modified ai app/controlplane/internal/conf/controlplane/config/v1/conf.proto +2 / -13
modified ai buf.yaml +15 / -0
modified ai app/controlplane/pkg/biz/workflow.go +1 / -13
modified ai app/cli/cmd/referrer_discover.go +1 / -11
modified ai app/controlplane/api/controlplane/v1/workflow.proto +7 / -5
modified ai app/controlplane/internal/service/workflow.go +2 / -10
modified ai app/controlplane/internal/service/workflowrun.go +5 / -7
modified ai app/controlplane/pkg/auditor/events/workflow_test.go +1 / -11

…and 28 more file(s).


Policies (4, 1 failing)

Status Policy Material Messages
✅ Passed ai-config-ai-agents-allowed ai-coding-session-338594 -
✅ Passed ai-config-no-dangerous-commands ai-coding-session-338594 -
⚠️ Failed ai-config-no-secrets ai-coding-session-338594 Potential secret (Quoted API key/password) found in session content [turn=516, source=tool_result, line=267, value=TOKEN='<...ve>']
✅ Passed ai-config-mcp-servers-allowed ai-coding-session-338594 -

Powered by Chainloop and Chainloop Trace

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 88 files

Re-trigger cubic

@matiasinsaurralde matiasinsaurralde force-pushed the refactor/public-workflows branch from 95d5f79 to 13c6a4e Compare July 11, 2026 02:52
jiparis
jiparis previously approved these changes Jul 13, 2026

@jiparis jiparis left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks!!!

@matiasinsaurralde matiasinsaurralde force-pushed the refactor/public-workflows branch from 13c6a4e to 3be4852 Compare July 13, 2026 13:59
Comment thread app/controlplane/pkg/data/ent/migrate/migrations/20260710231605.sql Outdated
Remove the workflow "public" feature entirely. Access to workflow runs,
their evidence and CAS artifacts is now organization-scoped only
(honoring project RBAC); the public evidence surfaces are retired.

- Stop reading and writing the workflows.public column and drop the
  Workflow.Public domain field. The column is deprecated in place (not
  dropped) so pods still running the previous image keep working during
  rollout; a follow-up migration will drop the column later
- Replace the public-aware lookups with organization-strict ones
  (add GetByDigestInOrg); WorkflowRunService.View always enforces RBAC
- Remove the CAS-mapping public download fallback
- Retire the public shared referrer index (DiscoverPublicShared RPC,
  ReferrerSharedIndex config, InPublicWorkflow visibility), including its
  Helm chart values and control-plane config
- Remove the CLI --public flags and the workflow list Public column
- Delete/reserve the corresponding proto fields; WorkflowItem.public is
  kept as a deprecated, always-false field for wire compatibility

Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
@matiasinsaurralde matiasinsaurralde merged commit aaec67e into main Jul 13, 2026
14 of 15 checks passed
@matiasinsaurralde matiasinsaurralde deleted the refactor/public-workflows branch July 13, 2026 17:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants