Skip to content

fix - be able to work with regex in attestation check#9327

Merged
jdx merged 1 commit intojdx:mainfrom
monotek:be-able-to-use-regex-in-aqua-registry-attestation
Apr 23, 2026
Merged

fix - be able to work with regex in attestation check#9327
jdx merged 1 commit intojdx:mainfrom
monotek:be-able-to-use-regex-in-aqua-registry-attestation

Conversation

@monotek
Copy link
Copy Markdown
Contributor

@monotek monotek commented Apr 23, 2026
edited
Loading

Fixes failing install if regex is used in github url of aqua registry.
See error below:

mise use updatecli
[email protected]       verify GitHub artifact attestations                                                                                                                                                                                                                                                                 ◞
mise ERROR Failed to install aqua:updatecli/updatecli@latest: GitHub artifact attestations verification failed: Verification failed: Workflow verification failed: expected 'updatecli/updatecli/\.github/workflows/release\.yaml', found certificate: Some("https://github.com/updatecli/updatecli/.github/workflows/release.yaml@refs/tags/v0.116.3"), provenance: Some(".github/workflows/release.yaml")
mise ERROR Run with --verbose or MISE_VERBOSE=1 for more information

@monotek monotek force-pushed the be-able-to-use-regex-in-aqua-registry-attestation branch from 84d4b93 to ef73dfa Compare April 23, 2026 18:29
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Apr 23, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a regex unescaping mechanism for signer_workflow strings in the Aqua backend to ensure compatibility with string-based verification tools. The feedback suggests optimizing the unescape_regex_literal function by using Cow<'_, str> to avoid unnecessary string allocations when no backslashes are present in the input.

Comment thread src/backend/aqua.rs Outdated
Comment on lines +2014 to +2029
fn unescape_regex_literal(pattern: &str) -> String {
let mut out = String::with_capacity(pattern.len());
let mut chars = pattern.chars();
while let Some(c) = chars.next() {
if c == '\\' {
if let Some(next) = chars.next() {
out.push(next);
} else {
out.push(c);
}
} else {
out.push(c);
}
}
out
}
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The unescape_regex_literal function can be optimized to avoid unnecessary string allocations when the input pattern does not contain any backslashes. Since many workflow paths may not use regex escapes, returning a Cow<'_, str> allows the function to return a borrowed reference in the common case.

fn unescape_regex_literal(pattern: &str) -> Cow<'_, str> {
    if !pattern.contains('\\') {
        return Cow::Borrowed(pattern);
    }
    let mut out = String::with_capacity(pattern.len());
    let mut chars = pattern.chars();
    while let Some(c) = chars.next() {
        if c == '\\' {
            if let Some(next) = chars.next() {
                out.push(next);
            } else {
                out.push(c);
            }
        } else {
            out.push(c);
        }
    }
    Cow::Owned(out)
}

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps Bot commented Apr 23, 2026
edited
Loading

Greptile Summary

This PR fixes attestation verification failures for aqua registry packages (e.g. updatecli) whose signer_workflow field is stored as a regex pattern (\.github/workflows/release\.yaml) rather than a plain path. The fix introduces unescape_regex_literal — with a zero-allocation fast path via Cow::Borrowed — and applies it before passing the value to verify_attestation, which uses str::contains() internally. The previous comment requesting unit tests has been addressed with seven focused test cases covering the fast path, the primary use-case, escaped backslash, trailing backslash, and empty string.

Confidence Score: 5/5

Safe to merge — the fix is narrowly scoped, correctness is confirmed by the new tests, and there are no P0/P1 findings.

The change is a targeted bug fix with a well-reasoned implementation (Cow fast path, correct trailing-backslash handling), comprehensive unit tests that cover all edge cases, and no introduced regressions. The only outstanding concern (raw regex form stored in SecurityFeature) was already flagged as a P2 in a prior review comment and is not a blocker.

No files require special attention.

Important Files Changed

Filename Overview
src/backend/aqua.rs Adds unescape_regex_literal to strip regex metachar escapes before passing signer_workflow to str::contains()-based attestation verification; includes comprehensive unit tests

Sequence Diagram

sequenceDiagram
    participant Aqua Registry
    participant AquaBackend
    participant unescape_regex_literal
    participant verify_attestation

    Aqua Registry->>AquaBackend: signer_workflow = "\.github/workflows/release\.yaml" (regex form)
    AquaBackend->>unescape_regex_literal: pattern = "\.github/workflows/release\.yaml"
    Note over unescape_regex_literal: Fast path: no backslash → Cow::Borrowed<br/>Slow path: strip backslashes → Cow::Owned
    unescape_regex_literal-->>AquaBackend: ".github/workflows/release.yaml" (plain string)
    AquaBackend->>verify_attestation: signer_workflow = ".github/workflows/release.yaml"
    Note over verify_attestation: Uses str::contains(), not regex
    verify_attestation-->>AquaBackend: Ok(true) / Err(...)
Loading

Reviews (3): Last reviewed commit: "fix - be able to work with regex in atte..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Apr 23, 2026
View reviewed changes
Comment thread src/backend/aqua.rs Outdated
@monotek monotek force-pushed the be-able-to-use-regex-in-aqua-registry-attestation branch from ef73dfa to 7ca6846 Compare April 23, 2026 18:36
@monotek monotek force-pushed the be-able-to-use-regex-in-aqua-registry-attestation branch from 7ca6846 to 9517160 Compare April 23, 2026 18:49
@monotek monotek marked this pull request as ready for review April 23, 2026 19:12
@jdx jdx merged commit 21bd622 into jdx:main Apr 23, 2026
34 checks passed
@mise-en-dev mise-en-dev mentioned this pull request Apr 23, 2026
Merged
mise-en-dev added a commit that referenced this pull request Apr 24, 2026
@mise-en-dev
chore: release 2026.4.20 (#9311)
7046e7d 
### 🐛 Bug Fixes

- **(config)** resolve relative path: tool versions against config root
by @jdx in [#9320](#9320)
- **(lock)** resolve @latest and prune poisoned lockfile entries by @jdx
in [#9321](#9321)
- fix - be able to work with regex in attestation check by @monotek in
[#9327](#9327)

### 🚜 Refactor

- **(aqua)** bake aqua registry from merged yaml by @risu729 in
[#9043](#9043)

### 📚 Documentation

- add cross-site announcement banner by @jdx in
[#9326](#9326)
- keep banner height in sync via ResizeObserver by @jdx in
[#9330](#9330)
- respect banner expires field by @jdx in
[#9334](#9334)

### 📦️ Dependency Updates

- bump communique to 1.0.2 by @jdx in
[#9313](#9313)
- bump communique to 1.0.3 by @jdx in
[#9332](#9332)
- update actions/setup-node digest to 48b55a0 by @renovate[bot] in
[#9339](#9339)
- update ghcr.io/jdx/mise:alpine docker digest to a92efa5 by
@renovate[bot] in [#9340](#9340)
- update ghcr.io/jdx/mise:rpm docker digest to 5c24f69 by @renovate[bot]
in [#9343](#9343)
- update rust docker digest to e4f09e8 by @renovate[bot] in
[#9345](#9345)
- update rui314/setup-mold digest to 9c9c13b by @renovate[bot] in
[#9344](#9344)
- update ghcr.io/jdx/mise:deb docker digest to a3afe3e by @renovate[bot]
in [#9342](#9342)
- update ghcr.io/jdx/mise:copr docker digest to 4098d5a by
@renovate[bot] in [#9341](#9341)
- update taiki-e/install-action digest to 74e87cb by @renovate[bot] in
[#9346](#9346)

### Chore

- **(ci)** remove cargo-vendor install from ppa publish by @jdx in
[#9312](#9312)
- **(release)** publish snap to stable channel by @jdx in
[#9318](#9318)
- remove FUNDING.yml in favor of jdx/.github default by @jdx in
[#9331](#9331)

## 📦 Aqua Registry

Updated [aqua-registry](https://github.com/aquaproj/aqua-registry):
[v4.492.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.492.0)
->
[v4.498.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.498.0).

Included aqua-registry releases:

-
[v4.493.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.493.0)
-
[v4.494.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.494.0)
-
[v4.494.1](https://github.com/aquaproj/aqua-registry/releases/tag/v4.494.1)
-
[v4.495.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.495.0)
-
[v4.496.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.496.0)
-
[v4.497.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.497.0)
-
[v4.498.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.498.0)
@BrewTestBot BrewTestBot mentioned this pull request Apr 24, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@monotek @jdx