From 822eb51aa6231dc5c87fa7bf1df0ac6f740021cc Mon Sep 17 00:00:00 2001
From: Andres Martinez Gotor
Date: Wed, 10 Jun 2026 11:28:51 +0200
Subject: [PATCH] fix(provenance): use repo-scoped attestation endpoint

The provenance check queried the user-scoped GitHub attestations endpoint (/users/{owner}/attestations), which only returns attestations for repositories owned by a user account. For organization-owned repositories this returns 404, causing false "invalid-provenance-attestation" failures even when the artifact was correctly attested. Switch to the repository-scoped endpoint (/repos/{owner}/{repo}/attestations), which works for both user- and organization-owned repositories.

Co-authored-by: Cursor
---
 pkg/analysis/passes/provenance/provenance.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkg/analysis/passes/provenance/provenance.go b/pkg/analysis/passes/provenance/provenance.go
index 7053df30..d4c1b9b8 100644
--- a/pkg/analysis/passes/provenance/provenance.go
+++ b/pkg/analysis/passes/provenance/provenance.go
@@ -70,6 +70,7 @@ func run(pass *analysis.Pass) (interface{}, error) {
 	}
 	owner := matches[1]
+	repo := matches[2]
 	ctx, canc := context.WithTimeout(context.Background(), time.Second*30)
 	defer canc()
@@ -77,6 +78,7 @@ func run(pass *analysis.Pass) (interface{}, error) {
 		ctx,
 		pass.CheckParams.ArchiveFile,
 		owner,
+		repo,
 	)
 	if err != nil || !hasGithubProvenanceAttestationPipeline {
 		message := "Cannot verify plugin build provenance attestation."
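Review bot: `repo := matches[2]` assumes the repository-URL pattern (outside this hunk) defines a second capture group; if it only captures the owner, this line panics with an index-out-of-range instead of reaching the error path just above it, so the pattern is worth confirming before relying on the new index. If the captured name may still carry a `.git` suffix from the source URL, normalise it once here with `repo := strings.TrimSuffix(matches[2], ".git")` (importing `strings` if the file does not already) rather than letting the suffix reach the API path in the second hunk. The body of run starts and ends outside these hunks.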
@@ -106,13 +108,19 @@ func hasGithubProvenanceAttestationPipeline(
 	ctx context.Context,
 	assetPath string,
 	owner string,
+	repo string,
 ) (bool, error) {
 	sha256sum, err := getFileSha256(assetPath)
 	if err != nil {
 		return false, err
 	}
-	url := fmt.Sprintf("https://api.github.com/users/%s/attestations/sha256:%s", owner, sha256sum)
+	url := fmt.Sprintf(
+		"https://api.github.com/repos/%s/%s/attestations/sha256:%s",
+		owner,
+		repo,
+		sha256sum,
+	)
 	req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
 	if err != nil {
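Review bot: `owner` and `repo` are interpolated into the request path unescaped, so the endpoint this provenance check actually queries is only as constrained as the repository-URL regex outside this hunk; a captured value containing `/`, `..`, `?` or `#` would change which API path the attestation lookup hits, and the rest of the function would then be reasoning about the wrong resource. Escaping both segments with `url.PathEscape` keeps the request bound to the literal `/repos/{owner}/{repo}/attestations/sha256:...` path whatever the pattern lets through, which also means renaming the local `url` so it no longer shadows the `net/url` package (add that import if the file lacks it). Using `http.MethodGet` in place of the `"GET"` literal on the following line is a minor style point. The body of hasGithubProvenanceAttestationPipeline continues past the end of the hunk.
```go
	endpoint := fmt.Sprintf(
		"https://api.github.com/repos/%s/%s/attestations/sha256:%s",
		url.PathEscape(owner),
		url.PathEscape(repo),
		sha256sum,
	)
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
	// … unchanged: request error handling and the rest of the check …
```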