Allow a prehook for restricting workflow execution behaviour#2182
Open
nolag wants to merge 5 commits into
Open
Allow a prehook for restricting workflow execution behaviour#2182nolag wants to merge 5 commits into
nolag wants to merge 5 commits into
Conversation
✅ API Diff Results -
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a “pre-hook” execution path that can return user-enforced restrictions, and enforces those restrictions in the host by wrapping the ExecutionHelper (capability calls + secrets access), with WASM runtime support and tests.
Changes:
- Route triggers through an optional pre-hook and apply returned restrictions (plus optionally forward them to restriction-aware modules).
- Add restriction-enforcing
ExecutionHelperwrappers (including raw-secrets support) and extensive unit tests. - Add WASM standard test coverage + a small WASI rawsdk helper to return restrictions.
Reviewed changes
Copilot reviewed 13 out of 17 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflows/wasm/host/standard_tests/restrictions/main_wasip1.go | New WASM test module that emits restrictions from a pre-hook. |
| pkg/workflows/wasm/host/standard_test.go | Adds TestStandardRestrictions, refactors trigger runner helper, and tweaks test build logging. |
| pkg/workflows/wasm/host/module.go | Introduces PrehookTimeout and threads a timeout into runWasm. |
| pkg/workflows/wasm/host/internal/rawsdk/helpers_wasip1.go | Adds SendRestrictions to return restriction results from WASM. |
| pkg/workflows/host/tee_provider_test.go | Adds a nil-TEE test case (with a naming nit). |
| pkg/workflows/host/requirement_selecting_module.go | Adds pre-hook execution + restriction wrapping + restriction forwarding. |
| pkg/workflows/host/requirement_selecting_module_test.go | Moves tests into package host, adds pre-hook/restrictions behavior tests and new stubs. |
| pkg/workflows/host/module.go | Adds ExecutionHelperWithRawSecrets + RestrictionAwareModule interfaces. |
| pkg/workflows/host/mocks/execution_helper_with_raw_secrets.go | Generated mock for ExecutionHelperWithRawSecrets. |
| pkg/workflows/host/execution_restrictions.go | Implements restriction-enforcing ExecutionHelper wrappers for capabilities + secrets (+ raw secrets). |
| pkg/workflows/host/execution_restrictions_test.go | Adds broad test coverage for restriction behavior. |
| pkg/workflows/host/encryption_key_fetcher.go | Adds EncryptionKeyFetcher interface for raw secrets. |
| pkg/capabilities/v2/actions/confidentialworkflow/client.pb.go | Regenerated proto to add Restrictions field (includes a small comment typo). |
| pkg/capabilities/v2/actions/confidentialhttp/client.pb.go | Regenerated proto output update. |
| go.mod / go.sum | Bumps chainlink-protos/cre/go dependency. |
| .mockery.yaml | Adds mockery config for ExecutionHelperWithRawSecrets. |
Files not reviewed (3)
- pkg/capabilities/v2/actions/confidentialhttp/client.pb.go: Generated file
- pkg/capabilities/v2/actions/confidentialworkflow/client.pb.go: Generated file
- pkg/workflows/host/mocks/execution_helper_with_raw_secrets.go: Generated file
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+117
to
+119
| // restrictions on the capabilities and the secrets.bool | ||
| // This is sent to avoid overhead when a TEE is not compromised, the DON will verify the restrictions on its end as well. | ||
| Restrictions *sdk.Restrictions `protobuf:"bytes,10,opt,name=restrictions,proto3" json:"restrictions,omitempty"` |
vreff
previously approved these changes
Jun 22, 2026
vreff
approved these changes
Jun 22, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.