Skip to content

feat: add organization setting to restrict project-scoped contracts #2602

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Piskoo wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: add organization setting to restrict project-scoped contracts #2602

Piskoo wants to merge 3 commits into from
+582 −253

Conversation

@Piskoo
Copy link
Collaborator

@Piskoo Piskoo commented Dec 5, 2025

This PR adds a new organization-level setting that allows administrators to restrict contract creation to only organization-level contracts, preventing project-scoped contracts from being created.

Piskoo added 3 commits December 5, 2025 08:47
@Piskoo
add org setting for preventing project scoped contracts
52daa2e 
Signed-off-by: Sylwester Piskozub <[email protected]>
@Piskoo
lint
a7d7419 
Signed-off-by: Sylwester Piskozub <[email protected]>
@Piskoo
lint
e659ba8 
Signed-off-by: Sylwester Piskozub <[email protected]>
@Piskoo Piskoo marked this pull request as ready for review December 7, 2025 13:21
migmartri
migmartri reviewed Dec 11, 2025
View reviewed changes
app/controlplane/internal/service/workflowcontract.go
var projectID *uuid.UUID
if req.ProjectReference.IsSet() {
// Check if organization prevents project-scoped contracts
if org.PreventProjectScopedContracts {
Copy link
Member

@migmartri migmartri Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this the only place a contract is created? can you check during attestation init?

Copy link
Member

@migmartri migmartri Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to double check that a contract can only be created on-demand from this use case. I remember it was also created during a workflow creation, or attestation init.

Would you mind posting there an evaluation of those entrypoints and how this feature will work with the other preventWorkflowCreation feature?

Copy link
Member

@migmartri migmartri Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is what we want. What we want is to only allow administrators to create contracts if this setting is set

@migmartri
Copy link
Member

migmartri commented Dec 11, 2025

also, what's the use-case here? Can anybody create project contracts? can admins do it?

migmartri
migmartri requested changes Dec 11, 2025
View reviewed changes
Copy link
Member

@migmartri migmartri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my inline coments

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@migmartri migmartri migmartri requested changes

@jiparis jiparis Awaiting requested review from jiparis

@javirln javirln Awaiting requested review from javirln

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Piskoo @migmartri