fix(controlplane): allow workflow-scoped API tokens in find-or-create (#3123)

migmartri · web-flow · commit c175efb8b592 · 2026-05-18T13:51:26.000+02:00
diff --git a/app/controlplane/internal/service/attestation.go b/app/controlplane/internal/service/attestation.go
@@ -757,8 +757,8 @@ func (s *AttestationService) FindOrCreateWorkflow(ctx context.Context, req *cpAP
 		return nil, errors.NotFound("not found", "neither robot account nor API token found")
 	}
 
-	// Workflow-scoped API tokens cannot create or look up other workflows.
-	if token := entities.CurrentAPIToken(ctx); token != nil && token.WorkflowID != nil {
+	// Workflow-scoped API tokens may only target their own workflow.
+	if token := entities.CurrentAPIToken(ctx); token != nil && token.WorkflowName != nil && *token.WorkflowName != req.GetWorkflowName() {
 		return nil, errors.Forbidden("forbidden", "API token is workflow-scoped and cannot create or look up other workflows")
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -757,8 +757,8 @@ func (s AttestationService) FindOrCreateWorkflow(ctx context.Context, req cpAP`
`757`	`757`	`return nil, errors.NotFound("not found", "neither robot account nor API token found")`
`758`	`758`	`}`
`759`	`759`
`760`		`- // Workflow-scoped API tokens cannot create or look up other workflows.`
`761`		`- if token := entities.CurrentAPIToken(ctx); token != nil && token.WorkflowID != nil {`
	`760`	`+ // Workflow-scoped API tokens may only target their own workflow.`
	`761`	`+ if token := entities.CurrentAPIToken(ctx); token != nil && token.WorkflowName != nil && *token.WorkflowName != req.GetWorkflowName() {`
`762`	`762`	`return nil, errors.Forbidden("forbidden", "API token is workflow-scoped and cannot create or look up other workflows")`
`763`	`763`	`}`
`764`	`764`