feat(signing): enforce strict OIDC extraction, remove fallback

leodido · ona-agent · leodido · commit 7c393afe2f9f · 2025-11-11T15:07:41.000+01:00
Remove silent fallback to GITHUB_WORKFLOW_REF when OIDC extraction fails.
This prevents creating attestations with incorrect builder IDs that will
fail verification.

Breaking Change:
- Operations now fail fast with clear error when OIDC token extraction fails
- No longer falls back to GITHUB_WORKFLOW_REF (which creates broken attestations)
- Users must properly configure OIDC environment (id-token: write permission)

Benefits:
- Prevents wasted CI resources (fails before signing, not at verification)
- Clear error messages guide users to fix OIDC configuration
- Eliminates security risk of silent degradation to wrong builder ID
- Ensures attestations match Fulcio certificate identity

Updated tests to reflect new fail-fast behavior.

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/pkg/leeway/signing/attestation.go b/pkg/leeway/signing/attestation.go
@@ -95,10 +95,7 @@ func GenerateSignedSLSAAttestation(ctx context.Context, artifactPath string, git
 	// This is critical for compatibility with reusable workflows
 	builderID, err := extractBuilderIDFromOIDC(ctx, githubCtx)
 	if err != nil {
-		// Fallback to GITHUB_WORKFLOW_REF if OIDC token extraction fails
-		// This maintains backward compatibility but may cause verification issues
-		log.WithError(err).Warn("Failed to extract builder ID from OIDC token, falling back to GITHUB_WORKFLOW_REF")
-		builderID = fmt.Sprintf("%s/%s", githubCtx.ServerURL, githubCtx.WorkflowRef)
+		return nil, fmt.Errorf("failed to extract builder ID from OIDC token: %w", err)
 	}
 
 	log.WithFields(log.Fields{
diff --git a/pkg/leeway/signing/attestation_test.go b/pkg/leeway/signing/attestation_test.go
@@ -599,12 +599,12 @@ func TestGenerateSignedSLSAAttestation_Integration(t *testing.T) {
 	githubCtx := createMockGitHubContext()
 
 	// Test that the function exists and has the right signature
-	// We expect it to fail due to missing Sigstore environment, but that's expected
+	// We expect it to fail due to missing OIDC environment (strict mode)
 	_, err := GenerateSignedSLSAAttestation(context.Background(), artifactPath, githubCtx)
 
-	// We expect an error related to Sigstore/signing, not basic validation
+	// We expect an error related to OIDC extraction (fails fast before signing)
 	assert.Error(t, err)
-	assert.Contains(t, err.Error(), "sign", "Error should be related to signing process")
+	assert.Contains(t, err.Error(), "failed to extract builder ID from OIDC token", "Error should be related to OIDC extraction")
 }
 
 // TestSignedAttestationResult_Structure tests the result structure
@@ -1091,10 +1091,10 @@ func TestSignProvenanceWithSigstore_EnvironmentValidation(t *testing.T) {
 	artifactPath := createTestArtifact(t, "test content")
 	githubCtx := createMockGitHubContext()
 
-	// This should fail at Sigstore environment validation
+	// This should fail at OIDC extraction (strict mode - fails fast)
 	_, err := GenerateSignedSLSAAttestation(context.Background(), artifactPath, githubCtx)
 	assert.Error(t, err)
-	assert.Contains(t, err.Error(), "failed to sign SLSA provenance")
+	assert.Contains(t, err.Error(), "failed to extract builder ID from OIDC token")
 }
 
 func TestFetchGitHubOIDCToken(t *testing.T) {
