
fix(python): skip redundant lockfile provenance verification #9739

Merged
jdx merged 3 commits into jdx:main from risu729:fix/python-lockfile-provenance-skip
May 10, 2026

@risu729 risu729 commented May 9, 2026


Summary

  • Skip core Python GitHub Artifact Attestation re-verification when the lockfile already has checksum + provenance = "github-attestations" for the current platform
  • Keep downgrade protection by checking that Python GitHub attestations are still enabled before trusting a provenance-bearing lockfile entry
  • Keep locked_verify_provenance / paranoid as the opt-in path to force install-time re-verification
  • Add a focused e2e using a local fake precompiled Python tarball that would fail if attestations were re-verified

Policy alignment

The lockfile policy from #8688 and #8901 is that repeated installs may trust the lockfile checksum after provenance has already been established, while locked_verify_provenance / paranoid can force a fresh cryptographic check. The lockfile stores the provenance type, not the full attestation bundle.

This PR applies that same policy to core:python: checksum + positive github-attestations provenance is enough to skip the redundant GitHub attestation API call on normal installs. Missing provenance is not treated as verified and still goes through the existing verification path.

Relation to #9741

#9741 handles unavailable GitHub Artifact Attestations for the aqua/github backends. It does not cover core Python, because precompiled Python uses src/plugins/core/python.rs rather than those backends. This PR is still needed for Python lockfiles that already contain positive github-attestations provenance.

Related history

Source

Tests

  • cargo fmt
  • git diff --check
  • CARGO_BUILD_JOBS=1 /home/risu/.cargo/bin/cargo test --bin mise plugins::core::python::tests
  • mise run test:e2e e2e/lockfile/test_lockfile_python_skip_provenance_verify

This PR was updated by an AI coding assistant.


greptile-apps Bot commented May 9, 2026


Greptile Summary

This PR skips redundant GitHub Artifact Attestation re-verification for core:python when the lockfile already contains both a checksum and provenance = "github-attestations" for the current platform, matching the policy already applied in the aqua/github/vfox backends since #8688 and #8901.

  • Skip logic (install_precompiled): Captures has_precompiled_lockfile_integrity (both checksum and provenance present in lock_platforms for the current platform) before verify_checksum is called, then routes to the lighter ensure_precompiled_provenance_setting_enabled path instead of the full attestation API call when the integrity flag is set and force_provenance_verify() is false.
  • Downgrade protection: The ensure_precompiled_provenance_setting_enabled helper still errors if the corresponding attestation setting has since been disabled, preserving the guard against downgrade attacks even on the fast path.
  • E2E test: A new test creates a fake Python tarball with a valid lockfile checksum + provenance entry, spins up a local HTTP server to serve it, and runs mise install python -f with invalid GitHub tokens — confirming the attestation API is not contacted on the skip path.

Confidence Score: 5/5

Safe to merge — the optimization is a pure fast-path addition, the downgrade guard is intact on the skip path, and the e2e test definitively validates the new behavior.

The change is well-scoped: it only alters the install_precompiled flow, the integrity flag is captured before verify_checksum can mutate the lockfile entry, and the downgrade check fires on every skip-path invocation. The extracted verify_precompiled_provenance is functionally identical to the old inlined code with one tightened comparison (PartialEq vs discriminant, safe for a unit-variant enum). The e2e test is a negative proof — it will fail loudly if the attestation API is ever contacted on the fast path.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| src/plugins/core/python.rs | Refactors provenance verification into verify_precompiled_provenance and adds has_precompiled_lockfile_integrity / ensure_precompiled_provenance_setting_enabled helpers. Logic is sound: integrity flag is snapshotted before verify_checksum can generate a new checksum, the downgrade check is preserved on the skip path, and the discriminant comparison is correctly replaced with a derived PartialEq equality check. |
| e2e/lockfile/test_lockfile_python_skip_provenance_verify | New e2e test that serves a fake Python tarball from a local HTTP server and verifies that mise install skips GitHub attestation re-verification when both checksum and provenance are already present in the lockfile. Correctly uses the detect_platform and wait_for_file helpers from assert.sh. |

Reviews (4): Last reviewed commit: "[autofix.ci] apply automated fixes" | Re-trigger Greptile
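
The decision flow described in the PR summary and the review above, as an added Rust example that is not mise's code: every type and function name in it (`LockEntry`, `Settings`, `Action`, `plan_install`, `verify_checksum`) is hypothetical, and `force_verify` stands in for `locked_verify_provenance` / `paranoid`. It shows why the integrity flag is captured before the checksum step and where the downgrade guard sits on the fast path.

```rust
// Simplified model of the install-time decision. All names are hypothetical.
#[derive(Debug, PartialEq)]
enum Provenance { GithubAttestations }

#[derive(Debug)]
struct LockEntry { checksum: Option<String>, provenance: Option<Provenance> }

// force_verify stands in for locked_verify_provenance / paranoid.
struct Settings { github_attestations: bool, force_verify: bool }

#[derive(Debug, PartialEq)]
enum Action { TrustLockfile, VerifyAttestation }

// Stand-in checksum step: compare against the locked checksum, or record
// one when the lockfile has none yet. Note that it can mutate the entry.
fn verify_checksum(entry: &mut LockEntry, actual: &str) -> Result<(), String> {
    if let Some(locked) = &entry.checksum {
        return if locked.as_str() == actual { Ok(()) } else { Err("checksum mismatch".into()) };
    }
    entry.checksum = Some(actual.to_string());
    Ok(())
}

fn plan_install(entry: &mut LockEntry, actual: &str, s: &Settings) -> Result<Action, String> {
    // Snapshot BEFORE the checksum step: a checksum recorded during this
    // install must not count as integrity established by an earlier one.
    let had_integrity = entry.checksum.is_some()
        && entry.provenance == Some(Provenance::GithubAttestations);
    verify_checksum(entry, actual)?;
    if !had_integrity || s.force_verify {
        return Ok(Action::VerifyAttestation); // full verification path, not modelled here
    }
    // Fast path. Downgrade guard: the lockfile claims provenance, so the
    // setting that produced it must still be enabled.
    if !s.github_attestations {
        return Err("lockfile records github-attestations but the setting is disabled".into());
    }
    Ok(Action::TrustLockfile)
}

fn main() {
    let on = Settings { github_attestations: true, force_verify: false };
    let mut locked = LockEntry {
        checksum: Some("sha256:aa".into()), // constructed sample value
        provenance: Some(Provenance::GithubAttestations),
    };
    println!("{:?}", plan_install(&mut locked, "sha256:aa", &on));
}
```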

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request refactors the Python provenance verification logic to skip re-verifying GitHub attestations when valid integrity data already exists in the lockfile, improving installation efficiency. A new end-to-end test was added to ensure this behavior. The review feedback suggests using the standard equality operator for comparing provenance types to make the code more idiomatic.

Comment thread src/plugins/core/python.rs Outdated
@risu729

This comment was marked as outdated.

@risu729

This comment was marked as resolved.

@risu729 risu729 force-pushed the fix/python-lockfile-provenance-skip branch from 65ae907 to f27934d Compare May 9, 2026 19:49
@risu729 risu729 marked this pull request as ready for review May 9, 2026 20:05
@jdx jdx merged commit a55bdfd into jdx:main May 10, 2026
33 checks passed
@risu729 risu729 deleted the fix/python-lockfile-provenance-skip branch May 10, 2026 13:29
mise-en-dev added a commit that referenced this pull request May 11, 2026
### 🚀 Features

- **(cli)** add minimum release age flag to lock and ls-remote by
@risu729 in [#9269](#9269)
- **(config)** add run field for hooks by @risu729 in
[#9718](#9718)
- **(github)** add native oauth token source by @jdx in
[#9654](#9654)
- **(oci)** scope build to project config by default by @jdx in
[#9766](#9766)
- add support for prefixed latest version queries in outdated checks by
@roele in [#9767](#9767)

### πŸ› Bug Fixes

- **(activate)** guard bash chpwd hook under nounset by @risu729 in
[#9716](#9716)
- **(backend)** date-check latest stable fast path by @risu729 in
[#9650](#9650)
- **(config)** parse core tool options consistently by @risu729 in
[#9742](#9742)
- **(exec)** propagate __MISE_DIFF so nested mise recovers pristine PATH
by @jdx in [#9765](#9765)
- **(forgejo)** include prereleases when opted in by @risu729 in
[#9717](#9717)
- **(github)** avoid caching empty release assets by @risu729 in
[#9616](#9616)
- **(java)** resolve lockfile URLs from metadata by @risu729 in
[#9719](#9719)
- **(lock)** cache unavailable github attestations by @risu729 in
[#9741](#9741)
- **(pipx)** preserve options when reinstalling tools by @risu729 in
[#9663](#9663)
- **(python)** skip redundant lockfile provenance verification by
@risu729 in [#9739](#9739)
- **(vfox)** run pre_uninstall hook by @risu729 in
[#9662](#9662)

### 🚜 Refactor

- **(schema)** extract tool options definition by @risu729 in
[#9649](#9649)

### ⚡ Performance

- **(aqua)** bake rkyv aqua package blobs by @risu729 in
[#9535](#9535)

### πŸ“¦οΈ Dependency Updates

- lock file maintenance by @renovate[bot] in
[#9773](#9773)

### 📦 Registry

- add vector
([github:vectordotdev/vector](https://github.com/vectordotdev/vector))
by @kquinsland in [#9761](#9761)
- add oc and openshift-install (http backend) by @konono in
[#9669](#9669)

### New Contributors

- @konono made their first contribution in
[#9669](#9669)
- @kquinsland made their first contribution in
[#9761](#9761)