diff --git a/app/cli/pkg/action/util.go b/app/cli/pkg/action/util.go index ee04e057d..f48d079a7 100644 --- a/app/cli/pkg/action/util.go +++ b/app/cli/pkg/action/util.go @@ -123,11 +123,6 @@ func extractNameFromMetadata(content []byte) (string, error) { if err != nil { return "", err } - case unmarshal.RawFormatCUE: - jsonData, err = unmarshal.LoadJSONBytes(content, ".cue") - if err != nil { - return "", err - } default: return "", fmt.Errorf("unsupported format: %s", format) } diff --git a/app/controlplane/pkg/biz/testdata/contracts/contract.cue b/app/controlplane/pkg/biz/testdata/contracts/contract.cue deleted file mode 100644 index 35b891375..000000000 --- a/app/controlplane/pkg/biz/testdata/contracts/contract.cue +++ /dev/null @@ -1,48 +0,0 @@ -schemaVersion: "v1" -// Arbitrary set of annotations can be added to the contract and will be part of the attestation -annotations: [ - { - name: "version" - value: "oss" // if the value is left empty, it will be required and resolved at attestation time - } -] -// Three required and one optional materials of three different kinds -// The output flag indicates that the material will be part of the attestation subject -materials: [ - // CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest - { - type: "CONTAINER_IMAGE" - name: "skynet-control-plane" - output: true - // Arbitrary annotations can be added to the material - annotations: [ - { - name: "component" - value: "control-plane" - }, - { - // The value can be left empty so it can be provided at attestation time - name: "asset" - }, - ] - }, - // ARTIFACT kinds will first get uploaded to the built-in Content Addressable Storage (CAS) - {type: "ARTIFACT", name: "rootfs"}, - {type: "ARTIFACT", name: "dockerfile", optional: true}, - // STRING kind materials will be injected as simple keypairs - {type: "STRING", name: "build-ref"}, - // SBOMs will be uploaded to the CAS and referenced in the attestation - // Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported - {type: "SBOM_CYCLONEDX_JSON", name: "skynet-sbom"}, - // CSAF_VEX and OPENVEX are supported - {type: "OPENVEX", name: "disclosure"}, - // And static analysis reports in SARIF format - {type: "SARIF", name: "static-out"}, -] - -// Env vars we want the system to resolve and inject during attestation initialization -// Additional ones can be inherited from the specified runner context below -envAllowList: [ "CUSTOM_VAR"] -// Enforce in what runner context the attestation must happen -// If not specified, the attestation crafting process is allowed to run anywhere -runner: type: "GITHUB_ACTION" diff --git a/app/controlplane/pkg/biz/workflowcontract_integration_test.go b/app/controlplane/pkg/biz/workflowcontract_integration_test.go index d9bbd1e2c..8ebb50792 100644 --- a/app/controlplane/pkg/biz/workflowcontract_integration_test.go +++ b/app/controlplane/pkg/biz/workflowcontract_integration_test.go @@ -349,11 +349,6 @@ func (s *workflowContractIntegrationTestSuite) TestCreateWithCustomContract() { wantErrMsg string format unmarshal.RawFormat }{ - { - name: "from-cue", - contractPath: "testdata/contracts/contract.cue", - format: unmarshal.RawFormatCUE, - }, { name: "from-yaml", contractPath: "testdata/contracts/contract.yaml", diff --git a/app/controlplane/pkg/biz/workflowcontract_test.go b/app/controlplane/pkg/biz/workflowcontract_test.go index 97b27e8a4..2ec8db3b9 100644 --- a/app/controlplane/pkg/biz/workflowcontract_test.go +++ b/app/controlplane/pkg/biz/workflowcontract_test.go @@ -31,10 +31,6 @@ func TestIdentifyAndValidateRawContract(t *testing.T) { wantValidationErr bool wantFormatErr bool }{ - { - filename: "contract.cue", - wantFormat: unmarshal.RawFormatCUE, - }, { filename: "contract.json", wantFormat: unmarshal.RawFormatJSON, diff --git a/app/controlplane/pkg/unmarshal/testdata/contracts/contract.cue b/app/controlplane/pkg/unmarshal/testdata/contracts/contract.cue deleted file mode 100644 index 35b891375..000000000 --- a/app/controlplane/pkg/unmarshal/testdata/contracts/contract.cue +++ /dev/null @@ -1,48 +0,0 @@ -schemaVersion: "v1" -// Arbitrary set of annotations can be added to the contract and will be part of the attestation -annotations: [ - { - name: "version" - value: "oss" // if the value is left empty, it will be required and resolved at attestation time - } -] -// Three required and one optional materials of three different kinds -// The output flag indicates that the material will be part of the attestation subject -materials: [ - // CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest - { - type: "CONTAINER_IMAGE" - name: "skynet-control-plane" - output: true - // Arbitrary annotations can be added to the material - annotations: [ - { - name: "component" - value: "control-plane" - }, - { - // The value can be left empty so it can be provided at attestation time - name: "asset" - }, - ] - }, - // ARTIFACT kinds will first get uploaded to the built-in Content Addressable Storage (CAS) - {type: "ARTIFACT", name: "rootfs"}, - {type: "ARTIFACT", name: "dockerfile", optional: true}, - // STRING kind materials will be injected as simple keypairs - {type: "STRING", name: "build-ref"}, - // SBOMs will be uploaded to the CAS and referenced in the attestation - // Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported - {type: "SBOM_CYCLONEDX_JSON", name: "skynet-sbom"}, - // CSAF_VEX and OPENVEX are supported - {type: "OPENVEX", name: "disclosure"}, - // And static analysis reports in SARIF format - {type: "SARIF", name: "static-out"}, -] - -// Env vars we want the system to resolve and inject during attestation initialization -// Additional ones can be inherited from the specified runner context below -envAllowList: [ "CUSTOM_VAR"] -// Enforce in what runner context the attestation must happen -// If not specified, the attestation crafting process is allowed to run anywhere -runner: type: "GITHUB_ACTION" diff --git a/app/controlplane/pkg/unmarshal/unmarshal.go b/app/controlplane/pkg/unmarshal/unmarshal.go index cea11baf6..f8589a394 100644 --- a/app/controlplane/pkg/unmarshal/unmarshal.go +++ b/app/controlplane/pkg/unmarshal/unmarshal.go @@ -22,7 +22,6 @@ import ( "buf.build/go/protovalidate" "buf.build/go/protoyaml" - "cuelang.org/go/cue/cuecontext" "google.golang.org/protobuf/encoding/protojson" "google.golang.org/protobuf/proto" "gopkg.in/yaml.v2" @@ -34,9 +33,18 @@ type RawFormat string const ( RawFormatJSON RawFormat = "json" RawFormatYAML RawFormat = "yaml" - RawFormatCUE RawFormat = "cue" + // RawFormatCUE is retained only so contracts already stored with this format + // (and the wire enum) remain valid. CUE is no longer accepted or evaluated: + // evaluating attacker-supplied CUE server-side is an unbounded, uncancellable + // operation and was a DoS vector. New contracts must be JSON or YAML. + RawFormatCUE RawFormat = "cue" ) +// errCUENotSupported is returned wherever a CUE document would previously have +// been compiled and evaluated. CUE support was removed to close the unbounded +// server-side evaluation DoS. +var errCUENotSupported = errors.New("CUE contract format is no longer supported; use JSON or YAML") + // Implements https://pkg.go.dev/entgo.io/ent/schema/field#EnumValues func (RawFormat) Values() (kinds []string) { for _, s := range []RawFormat{RawFormatJSON, RawFormatYAML, RawFormatCUE} { @@ -82,16 +90,7 @@ func FromRaw(body []byte, format RawFormat, out proto.Message, doValidate bool) return fmt.Errorf("error unmarshalling raw message: %w", err) } case RawFormatCUE: - ctx := cuecontext.New() - v := ctx.CompileBytes(body) - jsonRawData, err := v.MarshalJSON() - if err != nil { - return fmt.Errorf("error unmarshalling raw message: %w", err) - } - - if err := jsonOpts.Unmarshal(jsonRawData, out); err != nil { - return fmt.Errorf("error unmarshalling raw message: %w", err) - } + return errCUENotSupported default: return fmt.Errorf("unsupported format: %s", format) } @@ -106,9 +105,10 @@ func FromRaw(body []byte, format RawFormat, out proto.Message, doValidate bool) } // IdentifyFormat does best effort to identify the format of the raw contract -// by going the unmarshalling path in the following order: json, cue, yaml +// by going the unmarshalling path in the following order: json, yaml. // NOTE that we are just validating the format, not the content using regular marshalling -// not even proto marshalling, that comes later once we know the format +// not even proto marshalling, that comes later once we know the format. +// CUE is intentionally not detected: it is no longer a supported contract format. func IdentifyFormat(raw []byte) (RawFormat, error) { // json marshalling first var sink any @@ -116,13 +116,6 @@ func IdentifyFormat(raw []byte) (RawFormat, error) { return RawFormatJSON, nil } - // cue marshalling next - ctx := cuecontext.New() - v := ctx.CompileBytes(raw) - if _, err := v.MarshalJSON(); err == nil { - return RawFormatCUE, nil - } - // yaml marshalling last if err := yaml.Unmarshal(raw, &sink); err == nil { return RawFormatYAML, nil @@ -131,7 +124,7 @@ func IdentifyFormat(raw []byte) (RawFormat, error) { return "", errors.New("format not found") } -// LoadJSONBytes Extracts raw data in JSON format from different sources, i.e cue or yaml files +// LoadJSONBytes Extracts raw data in JSON format from different sources, i.e yaml or json files func LoadJSONBytes(rawData []byte, extension string) ([]byte, error) { var jsonRawData []byte var err error @@ -143,12 +136,7 @@ func LoadJSONBytes(rawData []byte, extension string) ([]byte, error) { return nil, err } case ".cue": - ctx := cuecontext.New() - v := ctx.CompileBytes(rawData) - jsonRawData, err = v.MarshalJSON() - if err != nil { - return nil, err - } + return nil, errCUENotSupported case ".json": jsonRawData = rawData default: diff --git a/app/controlplane/pkg/unmarshal/unmarshal_test.go b/app/controlplane/pkg/unmarshal/unmarshal_test.go index 8d986f0dc..ce61f6032 100644 --- a/app/controlplane/pkg/unmarshal/unmarshal_test.go +++ b/app/controlplane/pkg/unmarshal/unmarshal_test.go @@ -48,15 +48,6 @@ spec: {"name": "b", "type": "ARTIFACT", "group": "choice"} ]} }`) - cueContract := []byte(`apiVersion: "chainloop.dev/v1" -kind: "Contract" -metadata: name: "test-contract" -spec: materials: [ - {name: "a", type: "ARTIFACT", group: "choice"}, - {name: "b", type: "ARTIFACT", group: "choice"}, -] -`) - formats := []struct { name string format RawFormat @@ -64,7 +55,6 @@ spec: materials: [ }{ {"yaml", RawFormatYAML, yamlContract}, {"json", RawFormatJSON, jsonContract}, - {"cue", RawFormatCUE, cueContract}, } t.Run("group round-trips", func(t *testing.T) { @@ -123,10 +113,6 @@ func TestIdentifyFormat(t *testing.T) { wantFormat RawFormat wantErr bool }{ - { - filename: "contract.cue", - wantFormat: RawFormatCUE, - }, { filename: "contract.json", wantFormat: RawFormatJSON, @@ -166,3 +152,27 @@ func TestIdentifyFormat(t *testing.T) { }) } } + +// TestCUEIsRejected locks in the removal of CUE support: the DoS payload from the +// security finding (a tiny CUE document whose evaluation is unbounded) must be +// rejected immediately, without ever being compiled or evaluated. +func TestCUEIsRejected(t *testing.T) { + // ~55-byte CUE bomb: evaluating it used to allocate a multi-million-element list. + cuePayload := []byte("import \"list\"\na: [for x in list.Range(0,1000000,1) {x}]\n") + + t.Run("IdentifyFormat no longer detects CUE", func(t *testing.T) { + _, err := IdentifyFormat(cuePayload) + require.Error(t, err) + }) + + t.Run("FromRaw rejects the CUE format", func(t *testing.T) { + out := &schemav1.CraftingSchemaV2{} + err := FromRaw(cuePayload, RawFormatCUE, out, false) + require.ErrorIs(t, err, errCUENotSupported) + }) + + t.Run("LoadJSONBytes rejects .cue", func(t *testing.T) { + _, err := LoadJSONBytes(cuePayload, ".cue") + require.ErrorIs(t, err, errCUENotSupported) + }) +} diff --git a/docs/examples/contracts/skynet/contract.cue b/docs/examples/contracts/skynet/contract.cue deleted file mode 100644 index cd36e223f..000000000 --- a/docs/examples/contracts/skynet/contract.cue +++ /dev/null @@ -1,56 +0,0 @@ -apiVersion: "chainloop.dev/v1" -kind: "Contract" -metadata: { - name: "contract" - description: "Comprehensive contract for Skynet project in CUE format" -} -spec: { - // Arbitrary set of annotations can be added to the contract and will be part of the attestation - annotations: [ - { - name: "version" - value: "oss" // if the value is left empty, it will be required and resolved at attestation time - }, - ] - - // Three required and one optional materials of three different kinds - // The output flag indicates that the material will be part of the attestation subject - materials: [ - // CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest - { - type: "CONTAINER_IMAGE" - name: "skynet-control-plane" - output: true - // Arbitrary annotations can be added to the material - annotations: [ - { - name: "component" - value: "control-plane" - }, - { - // The value can be left empty so it can be provided at attestation time - name: "asset" - }, - ] - }, - // ARTIFACT kinds will first get uploaded to the built-in Content Addressable Storage (CAS) - {type: "ARTIFACT", name: "rootfs"}, - {type: "ARTIFACT", name: "dockerfile", optional: true}, - // STRING kind materials will be injected as simple keypairs - {type: "STRING", name: "build-ref"}, - // SBOMs will be uploaded to the CAS and referenced in the attestation - // Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported - {type: "SBOM_CYCLONEDX_JSON", name: "skynet-sbom"}, - // CSAF_VEX and OPENVEX are supported - {type: "OPENVEX", name: "disclosure"}, - // And static analysis reports in SARIF format - {type: "SARIF", name: "static-out"}, - ] - - // Env vars we want the system to resolve and inject during attestation initialization - // Additional ones can be inherited from the specified runner context below - envAllowList: [ "CUSTOM_VAR"] - // Enforce in what runner context the attestation must happen - // If not specified, the attestation crafting process is allowed to run anywhere - runner: type: "GITHUB_ACTION" -} diff --git a/go.mod b/go.mod index 6a42be9d9..264978d75 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,6 @@ go 1.26.4 require ( cloud.google.com/go/secretmanager v1.20.0 code.cloudfoundry.org/bytefmt v0.75.0 - cuelang.org/go v0.16.1 entgo.io/ent v0.14.6 github.com/adrg/xdg v0.5.3 github.com/aws/aws-sdk-go-v2 v1.41.11 @@ -164,7 +163,6 @@ require ( github.com/charmbracelet/lipgloss v0.5.0 // indirect github.com/clipperhouse/uax29/v2 v2.6.0 // indirect github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2 // indirect - github.com/cockroachdb/apd/v3 v3.2.1 // indirect github.com/containerd/errdefs v1.0.0 // indirect github.com/containerd/errdefs/pkg v0.3.0 // indirect github.com/containerd/log v0.1.0 // indirect @@ -180,7 +178,6 @@ require ( github.com/dustin/go-humanize v1.0.1 // indirect github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a // indirect github.com/ebitengine/purego v0.8.4 // indirect - github.com/emicklei/proto v1.14.3 // indirect github.com/emirpasic/gods v1.18.1 // indirect github.com/envoyproxy/go-control-plane/envoy v1.37.0 // indirect github.com/envoyproxy/protoc-gen-validate v1.3.3 // indirect @@ -274,7 +271,6 @@ require ( github.com/pkg/xattr v0.4.12 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect - github.com/protocolbuffers/txtpbfmt v0.0.0-20260217160748-a481f6a22f94 // indirect github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 // indirect github.com/rs/xid v1.6.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect diff --git a/go.sum b/go.sum index b545cf33c..471fb2835 100644 --- a/go.sum +++ b/go.sum @@ -54,10 +54,6 @@ cloud.google.com/go/trace v1.11.7 h1:kDNDX8JkaAG3R2nq1lIdkb7FCSi1rCmsEtKVsty7p+U cloud.google.com/go/trace v1.11.7/go.mod h1:TNn9d5V3fQVf6s4SCveVMIBS2LJUqo73GACmq/Tky0s= code.cloudfoundry.org/bytefmt v0.75.0 h1:iEKNj6o2z+mC+XYCJILDKN89gaYZY2dkj4PzrqegKeM= code.cloudfoundry.org/bytefmt v0.75.0/go.mod h1:XXsjlgeG46nCv0bDGG3atkR+JeLfjQLaYJtiVUIPi10= -cuelabs.dev/go/oci/ociregistry v0.0.0-20251212221603-3adeb8663819 h1:Zh+Ur3OsoWpvALHPLT45nOekHkgOt+IOfutBbPqM17I= -cuelabs.dev/go/oci/ociregistry v0.0.0-20251212221603-3adeb8663819/go.mod h1:WjmQxb+W6nVNCgj8nXrF24lIz95AHwnSl36tpjDZSU8= -cuelang.org/go v0.16.1 h1:iPN1lHZd2J0hjcr8hfq9PnIGk7VfPkKFfxH4de+m9sE= -cuelang.org/go v0.16.1/go.mod h1:/aW3967FeWC5Hc1cDrN4Z4ICVApdMi83wO5L3uF/1hM= dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= @@ -277,8 +273,6 @@ github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2 h1:aBangftG7EVZoUb69Os8IaYg++6uMOdKK83QtkkvJik= github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2/go.mod h1:qwXFYgsP6T7XnJtbKlf1HP8AjxZZyzxMmc+Lq5GjlU4= -github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg= -github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= @@ -369,8 +363,6 @@ github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE= github.com/emicklei/go-restful/v3 v3.13.0 h1:C4Bl2xDndpU6nJ4bc1jXd+uTmYPVUwkD6bFY/oTyCes= github.com/emicklei/go-restful/v3 v3.13.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= -github.com/emicklei/proto v1.14.3 h1:zEhlzNkpP8kN6utonKMzlPfIvy82t5Kb9mufaJxSe1Q= -github.com/emicklei/proto v1.14.3/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= github.com/envoyproxy/go-control-plane v0.6.9/go.mod h1:SBwIajubJHhxtWwsL9s8ss4safvEdbitLhGGK48rN6g= @@ -530,8 +522,6 @@ github.com/go-playground/form/v4 v4.2.1/go.mod h1:q1a2BY+AQUUzhl6xA/6hBetay6dEIh github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8= github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA= github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI= -github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI= -github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow= github.com/go-rod/rod v0.116.2 h1:A5t2Ky2A+5eD/ZJQr1EfsQSe5rms5Xof/qj296e+ZqA= github.com/go-rod/rod v0.116.2/go.mod h1:H+CMO9SCNc2TJ2WfrG+pKhITz57uGNYU43qYHh438Mg= github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w= @@ -1101,8 +1091,6 @@ github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4O github.com/prometheus/procfs v0.3.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU= github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc= github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo= -github.com/protocolbuffers/txtpbfmt v0.0.0-20260217160748-a481f6a22f94 h1:2PC6Ql3jipz1KvBlqUHjjk6v4aMwE86mfDu1XMH0LR8= -github.com/protocolbuffers/txtpbfmt v0.0.0-20260217160748-a481f6a22f94/go.mod h1:JSbkp0BviKovYYt9XunS95M3mLPibE9bGg+Y95DsEEY= github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8AOIL7EB/X911+m4EHsnWEHeJ0c+3TTBrg= github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= diff --git a/pkg/attestation/crafter/crafter_test.go b/pkg/attestation/crafter/crafter_test.go index 834fb9d42..1a8feb196 100644 --- a/pkg/attestation/crafter/crafter_test.go +++ b/pkg/attestation/crafter/crafter_test.go @@ -304,11 +304,6 @@ func (s *crafterSuite) TestLoadSchema() { contractPath: "testdata/contracts/empty_github.json", want: want, }, - { - name: "cue", - contractPath: "testdata/contracts/empty_github.cue", - want: want, - }, { name: "unsupported", contractPath: "testdata/contracts/invalid.xml", diff --git a/pkg/attestation/crafter/testdata/contracts/empty_github.cue b/pkg/attestation/crafter/testdata/contracts/empty_github.cue deleted file mode 100644 index 228fbcc78..000000000 --- a/pkg/attestation/crafter/testdata/contracts/empty_github.cue +++ /dev/null @@ -1,2 +0,0 @@ -schemaVersion: "v1" -runner: type: "GITHUB_ACTION"