fix(lock): cache unavailable github attestations#9741
Conversation
Greptile Summary
This PR adds
Confidence Score: 5/5
Safe to merge: the negative cache is correctly scoped, mutual exclusivity with verified provenance is enforced at every write site, and force-verify paths re-probe as intended. The mutual-exclusivity invariant between provenance and github_attestations is consistently maintained across serialization, deserialization, merge, lock-time, and install-time paths in both backends. The skip_cached_absent_attestations guard checks !force_provenance_verify() so the negative cache is never silently honoured when the user explicitly requests re-verification. The new tests cover roundtrip serialization, provenance-wins-over-unavailable scenarios, regression detection, and the is_empty helper. No correctness issues were identified. No files require special attention.
Reviews (6): Last reviewed commit: "Merge branch 'main' into fix/github-atte..."
CI note: the failing checks appear unrelated to this PR.
All code/build/lint/Linux e2e/macOS/Windows unit checks otherwise passed. This comment was generated by an AI coding assistant.
Code Review
This pull request introduces a negative cache mechanism for GitHub artifact attestations by adding a GithubAttestationsUnavailable provenance type. This state allows the system to record that attestations were checked and found missing, preventing redundant API probes during future installs while maintaining standard verification for other types like SLSA or checksums. The changes affect the lockfile schema, documentation, and the Aqua, GitHub, and vfox backends. Feedback suggests refactoring the verify_github_artifact_attestations method in the Aqua backend to improve clarity by using a more descriptive return type instead of a boolean and separating side effects from the verification logic.
CI note for latest head
Passing checks include
This comment was generated by an AI coding assistant.
### 🚀 Features
- **(cli)** add minimum release age flag to lock and ls-remote by @risu729 in [#9269](#9269)
- **(config)** add run field for hooks by @risu729 in [#9718](#9718)
- **(github)** add native oauth token source by @jdx in [#9654](#9654)
- **(oci)** scope build to project config by default by @jdx in [#9766](#9766)
- add support for prefixed latest version queries in outdated checks by @roele in [#9767](#9767)

### 🐛 Bug Fixes
- **(activate)** guard bash chpwd hook under nounset by @risu729 in [#9716](#9716)
- **(backend)** date-check latest stable fast path by @risu729 in [#9650](#9650)
- **(config)** parse core tool options consistently by @risu729 in [#9742](#9742)
- **(exec)** propagate __MISE_DIFF so nested mise recovers pristine PATH by @jdx in [#9765](#9765)
- **(forgejo)** include prereleases when opted in by @risu729 in [#9717](#9717)
- **(github)** avoid caching empty release assets by @risu729 in [#9616](#9616)
- **(java)** resolve lockfile URLs from metadata by @risu729 in [#9719](#9719)
- **(lock)** cache unavailable github attestations by @risu729 in [#9741](#9741)
- **(pipx)** preserve options when reinstalling tools by @risu729 in [#9663](#9663)
- **(python)** skip redundant lockfile provenance verification by @risu729 in [#9739](#9739)
- **(vfox)** run pre_uninstall hook by @risu729 in [#9662](#9662)

### 🚜 Refactor
- **(schema)** extract tool options definition by @risu729 in [#9649](#9649)

### ⚡ Performance
- **(aqua)** bake rkyv aqua package blobs by @risu729 in [#9535](#9535)

### 📦️ Dependency Updates
- lock file maintenance by @renovate[bot] in [#9773](#9773)

### 📦 Registry
- add vector ([github:vectordotdev/vector](https://github.com/vectordotdev/vector)) by @kquinsland in [#9761](#9761)
- add oc and openshift-install (http backend) by @konono in [#9669](#9669)

### New Contributors
- @konono made their first contribution in [#9669](#9669)
- @kquinsland made their first contribution in [#9761](#9761)
Summary
- `github_attestations = "unavailable"` as a checksum-backed negative cache for GitHub Artifact Attestations
- `provenance` reserved for positive provenance types (`github-attestations`, `slsa`, `cosign`, `minisign`)
- `locked_verify_provenance`/`paranoid` re-verification behavior intact

Previous plan
The project item proposed caching a negative GitHub Artifact Attestations result (404 / empty response) in `mise.lock` so repeated installs do not keep calling the attestation API for the same checksum-backed artifact, while still running checksum verification and any other configured provenance paths.

This PR keeps that plan, but follows the lockfile provenance policy by storing the negative cache outside `provenance` as `github_attestations = "unavailable"`. A missing attestation is not provenance, so it should not satisfy provenance downgrade checks or suppress SLSA/Cosign/Minisign.

Policy and history

- `mise install --locked` still called GitHub APIs despite lockfile URLs and checksums.
- `locked_verify_provenance`/`paranoid` can force install-time re-verification.

So the current policy is: the lockfile stores the provenance type, not the full attestation bundle. For the current platform it should only record positive provenance after verification. Future installs can trust the checksum by default and skip re-verification unless force verification is enabled.
Can attestations be added later?
Yes. GitHub's docs show binary artifact attestations are generated after the artifact exists by running `actions/attest` with a `subject-path`: https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations#generating-build-provenance-for-binaries

GitHub's REST API also lists attestations by subject digest, not by a one-time release-asset upload event: https://docs.github.com/en/rest/orgs/attestations#list-attestations

That means a project can upload a release asset first and create an attestation for that same digest later.

`github_attestations = "unavailable"` is only a snapshot of what mise observed when this lockfile entry was written, not a permanent fact about the release.

Tradeoffs

- `github_attestations = "unavailable"` was written.
- A `mise lock` run is the clear way to re-probe and persist `provenance = "github-attestations"` if attestations appear later.
- `MISE_LOCKED_VERIFY_PROVENANCE=1 mise install` can also re-probe during install, and can persist the replacement when the normal install lockfile update path runs for a newly installed version.

Context
Addresses the project item: https://github.com/users/risu729/projects/3/views/1?pane=issue&itemId=185170127
Related source discussion: #8677
Related PRs: #8679, #8688, #8781, #8901
Tests

- `cargo check -q`
- `cargo test -q github_attestations_unavailable`
- `cargo test -q test_provenance_`
- `cargo test -q test_verified_attestation_to_provenance_type`
- `mise run lint`

This PR was generated by an AI coding assistant.
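An added example, not mise's own code, modelling the lockfile policy this PR describes: the negative cache lives outside `provenance`, is keyed to the checksum, is bypassed by forced re-verification, and never overrides positive provenance; the two keys are mutually exclusive on both read and write. Every name in it (`AttestationState`, `LockEntry`, `parse`, `render`, `merge_state`, `skip_probe`) is hypothetical. The regression flag returned by `merge_state` mirrors the regression-detection tests mentioned in the review summary, but how mise reacts to a regression is assumed here, not taken from the PR.

```rust
// Added example modelling the lockfile policy this PR describes. It is not mise's
// own code: every name here (AttestationState, LockEntry, parse, render,
// merge_state, skip_probe) is hypothetical and chosen for illustration only.

/// Positive provenance types allowed in `provenance`; "unavailable" is not one.
const POSITIVE_PROVENANCE: &[&str] = &["github-attestations", "slsa", "cosign", "minisign"];

/// The type makes `provenance` and `github_attestations = "unavailable"` mutually
/// exclusive: an entry is verified, negatively cached, or unknown, never two at once.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum AttestationState {
    Verified(&'static str), // positive provenance type verified for this platform
    Unavailable,            // probed; GitHub returned 404 / empty for this checksum
    Unknown,                // never probed
}

#[derive(Debug, Clone, PartialEq, Eq)]
struct LockEntry {
    checksum: String,
    state: AttestationState,
}

#[derive(Debug, PartialEq, Eq)]
enum LockError {
    BothKeysPresent,
    UnknownProvenance(String),
    MissingChecksum,
}

/// Serialize the platform table; at most one of the two keys is ever written.
fn render(e: &LockEntry) -> String {
    let mut out = format!("checksum = \"{}\"\n", e.checksum);
    match e.state {
        AttestationState::Verified(p) => out += &format!("provenance = \"{p}\"\n"),
        AttestationState::Unavailable => out += "github_attestations = \"unavailable\"\n",
        AttestationState::Unknown => {}
    }
    out
}

/// Parse `key = "value"` lines of one platform table. The invariant is checked on
/// read as well as on write: both keys present is a corrupt entry, not a merge.
fn parse(text: &str) -> Result<LockEntry, LockError> {
    let (mut checksum, mut provenance, mut unavailable) = (None, None, false);
    for line in text.lines() {
        let Some((k, v)) = line.split_once('=') else { continue };
        let v = v.trim().trim_matches('"');
        match k.trim() {
            "checksum" => checksum = Some(v.to_string()),
            "provenance" => {
                let known = POSITIVE_PROVENANCE.iter().find(|p| **p == v).copied();
                provenance = Some(known.ok_or_else(|| LockError::UnknownProvenance(v.to_string()))?);
            }
            "github_attestations" if v == "unavailable" => unavailable = true,
            _ => {}
        }
    }
    let checksum = checksum.ok_or(LockError::MissingChecksum)?;
    let state = match (provenance, unavailable) {
        (Some(_), true) => return Err(LockError::BothKeysPresent),
        (Some(p), false) => AttestationState::Verified(p),
        (None, true) => AttestationState::Unavailable,
        (None, false) => AttestationState::Unknown,
    };
    Ok(LockEntry { checksum, state })
}

/// Merge a fresh probe result into the recorded state. Positive provenance wins
/// over the negative cache in both directions; the bool flags a regression (verified
/// before, nothing found now) for the caller to report. What mise does on a
/// regression is assumed here, not taken from the PR.
fn merge_state(existing: AttestationState, observed: AttestationState) -> (AttestationState, bool) {
    use AttestationState::*;
    match (existing, observed) {
        (_, Verified(p)) => (Verified(p), false),
        (Verified(p), Unavailable) => (Verified(p), true),
        (Verified(p), Unknown) => (Verified(p), false),
        (Unavailable, _) => (Unavailable, false),
        (Unknown, o) => (o, false),
    }
}

/// Honour the negative cache only when the checksum still matches and the user has
/// not forced re-verification (locked_verify_provenance / paranoid).
fn skip_probe(e: &LockEntry, artifact_checksum: &str, force_verify: bool) -> bool {
    e.state == AttestationState::Unavailable && e.checksum == artifact_checksum && !force_verify
}

fn main() {
    // Constructed sample entry, shaped like what a 404 from the attestation API would leave behind.
    let e = parse("checksum = \"sha256:abc\"\ngithub_attestations = \"unavailable\"\n").unwrap();
    print!("{}", render(&e));
    println!("skip probe by default: {}", skip_probe(&e, "sha256:abc", false));
    println!("skip probe when forced: {}", skip_probe(&e, "sha256:abc", true));
}
```

The checksum comparison in `skip_probe` is what makes this a checksum-backed cache rather than a per-release flag: if the asset changes, the old negative result no longer applies and the probe runs again.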