Merge pull request cli#11796 from cli/eugeene/release_filter_initiator_type

add initiator_type for attestations

Author: ejahnGithub

pkg/cmd/attestation/api/attestation.go

@@ -18,6 +18,7 @@ var ErrNoAttestationsFound = errors.New("no attestations found")
 type Attestation struct {
 	Bundle    *bundle.Bundle `json:"bundle"`
 	BundleURL string         `json:"bundle_url"`
+	Initiator string         `json:"initiator"`
 }
 
 type AttestationsResponse struct {

pkg/cmd/attestation/api/client.go

@@ -34,6 +34,7 @@ type FetchParams struct {
 	Owner         string
 	PredicateType string
 	Repo          string
+	Initiator     string
 }
 
 func (p *FetchParams) Validate() error {
@@ -147,6 +148,17 @@ func (c *LiveClient) getAttestations(params FetchParams) ([]*Attestation, error)
 			}
 
 			url = newURL
+
+			// filter by the initiator type
+			if params.Initiator != "" {
+				filtered := make([]*Attestation, 0, len(resp.Attestations))
+				for _, att := range resp.Attestations {
+					if att.Initiator == params.Initiator {
+						filtered = append(filtered, att)
+					}
+				}
+				resp.Attestations = filtered
+			}
 			attestations = append(attestations, resp.Attestations...)
 
 			return nil

pkg/cmd/attestation/api/client_test.go

@@ -5,7 +5,6 @@ import (
 
 	"github.com/cli/cli/v2/pkg/cmd/attestation/io"
 	"github.com/cli/cli/v2/pkg/cmd/attestation/test/data"
-
 	"github.com/stretchr/testify/require"
 )
 
@@ -17,7 +16,8 @@ const (
 
 func NewClientWithMockGHClient(hasNextPage bool) Client {
 	fetcher := mockDataGenerator{
-		NumAttestations: 5,
+		NumUserAttestations:   5,
+		NumGitHubAttestations: 4,
 	}
 	l := io.NewTestHandler()
 
@@ -47,12 +47,21 @@ var testFetchParamsWithOwner = FetchParams{
 	Limit:         DefaultLimit,
 	Owner:         testOwner,
 	PredicateType: "https://slsa.dev/provenance/v1",
+	Initiator:     "user",
 }
 var testFetchParamsWithRepo = FetchParams{
 	Digest:        testDigest,
 	Limit:         DefaultLimit,
 	Repo:          testRepo,
 	PredicateType: "https://slsa.dev/provenance/v1",
+	Initiator:     "user",
+}
+
+var testFetchParamsWithRepoWithGitHubInitiator = FetchParams{
+	Digest:    testDigest,
+	Limit:     DefaultLimit,
+	Repo:      testRepo,
+	Initiator: "github",
 }
 
 type getByTestCase struct {
@@ -93,6 +102,11 @@ var getByTestCases = []getByTestCase{
 		expectedAttestations: 7,
 		hasNextPage:          true,
 	},
+	{
+		name:                 "get by digest with repo and GitHub initiator",
+		params:               testFetchParamsWithRepoWithGitHubInitiator,
+		expectedAttestations: 4,
+	},
 }
 
 func TestGetByDigest(t *testing.T) {
@@ -115,7 +129,7 @@ func TestGetByDigest(t *testing.T) {
 
 func TestGetByDigest_NoAttestationsFound(t *testing.T) {
 	fetcher := mockDataGenerator{
-		NumAttestations: 5,
+		NumUserAttestations: 5,
 	}
 
 	httpClient := &mockHttpClient{}
@@ -135,7 +149,7 @@ func TestGetByDigest_NoAttestationsFound(t *testing.T) {
 
 func TestGetByDigest_Error(t *testing.T) {
 	fetcher := mockDataGenerator{
-		NumAttestations: 5,
+		NumUserAttestations: 5,
 	}
 
 	c := LiveClient{
@@ -339,7 +353,7 @@ func TestGetAttestationsRetries(t *testing.T) {
 	getAttestationRetryInterval = 0
 
 	fetcher := mockDataGenerator{
-		NumAttestations: 5,
+		NumUserAttestations: 5,
 	}
 
 	c := &LiveClient{
@@ -369,7 +383,7 @@ func TestGetAttestationsMaxRetries(t *testing.T) {
 	getAttestationRetryInterval = 0
 
 	fetcher := mockDataGenerator{
-		NumAttestations: 5,
+		NumUserAttestations: 5,
 	}
 
 	c := &LiveClient{

pkg/cmd/attestation/api/mock_client.go

@@ -10,11 +10,16 @@ func makeTestReleaseAttestation() Attestation {
 	return Attestation{
 		Bundle:    data.GitHubReleaseBundle(nil),
 		BundleURL: "https://example.com",
+		Initiator: "github",
 	}
 }
 
 func makeTestAttestation() Attestation {
-	return Attestation{Bundle: data.SigstoreBundle(nil), BundleURL: "https://example.com"}
+	return Attestation{
+		Bundle:    data.SigstoreBundle(nil),
+		BundleURL: "https://example.com",
+		Initiator: "user",
+	}
 }
 
 type MockClient struct {

pkg/cmd/attestation/api/mock_githubApiClient_test.go

@@ -27,7 +27,8 @@ func (m mockAPIClient) REST(hostname, method, p string, body io.Reader, data int
 
 type mockDataGenerator struct {
 	mock.Mock
-	NumAttestations int
+	NumUserAttestations   int
+	NumGitHubAttestations int
 }
 
 func (m *mockDataGenerator) OnRESTSuccess(hostname, method, p string, body io.Reader, data interface{}) (string, error) {
@@ -76,12 +77,15 @@ func (m *mockDataGenerator) OnREST500ErrorHandler() func(hostname, method, p str
 }
 
 func (m *mockDataGenerator) OnRESTWithNextSuccessHelper(hostname, method, p string, body io.Reader, data interface{}, hasNext bool) (string, error) {
-	atts := make([]*Attestation, m.NumAttestations)
-	for j := 0; j < m.NumAttestations; j++ {
+	atts := make([]*Attestation, m.NumUserAttestations+m.NumGitHubAttestations)
+	for j := 0; j < m.NumUserAttestations; j++ {
 		att := makeTestAttestation()
 		atts[j] = &att
 	}
-
+	for j := m.NumUserAttestations; j < m.NumUserAttestations+m.NumGitHubAttestations; j++ {
+		att := makeTestReleaseAttestation()
+		atts[j] = &att
+	}
 	resp := AttestationsResponse{
 		Attestations: atts,
 	}

pkg/cmd/attestation/verify/attestation.go

@@ -25,6 +25,7 @@ func getAttestations(o *Options, a artifact.DigestedArtifact) ([]*api.Attestatio
 			Owner:         o.Owner,
 			PredicateType: o.PredicateType,
 			Repo:          o.Repo,
+			Initiator:     "user",
 		}
 
 		attestations, err := o.APIClient.GetByDigest(params)

pkg/cmd/release/verify-asset/verify_asset.go

@@ -161,7 +161,8 @@ func verifyAssetRun(config *VerifyAssetConfig) error {
 		// The limit is set to 100 to ensure we fetch all attestations for a given SHA.
 		// While multiple attestations can exist for a single SHA,
 		// only one attestation is associated with each release tag.
-		Limit: 100,
+		Initiator: "github",
+		Limit:     100,
 	})
 	if err != nil {
 		return fmt.Errorf("no attestations found for tag %s (%s)", tagName, releaseRefDigest.DigestWithAlg())

pkg/cmd/release/verify/verify.go

@@ -143,6 +143,7 @@ func verifyRun(config *VerifyConfig) error {
 		PredicateType: shared.ReleasePredicateType,
 		Owner:         baseRepo.RepoOwner(),
 		Repo:          baseRepo.RepoOwner() + "/" + baseRepo.RepoName(),
+		Initiator:     "github",
 		// TODO: Allow this value to be set via a flag.
 		// The limit is set to 100 to ensure we fetch all attestations for a given SHA.
 		// While multiple attestations can exist for a single SHA,