diff --git a/pkg/attestation/crafter/crafter.go b/pkg/attestation/crafter/crafter.go index b55eaca20..f8f6bb8b3 100644 --- a/pkg/attestation/crafter/crafter.go +++ b/pkg/attestation/crafter/crafter.go @@ -321,7 +321,13 @@ func gracefulGitRepoHead(path string) (*HeadCommit, error) { }) if err != nil { - if errors.Is(err, git.ErrRepositoryNotExists) { + // go-git v5.17.0 introduced strict extension validation (go-git/go-git#1861) + // that rejects repos with extensions it doesn't fully support (e.g. worktreeConfig). + // Degrade gracefully instead of failing the attestation. + if errors.Is(err, git.ErrRepositoryNotExists) || + errors.Is(err, git.ErrUnsupportedExtensionRepositoryFormatVersion) || + errors.Is(err, git.ErrUnknownExtension) || + errors.Is(err, git.ErrUnsupportedRepositoryFormatVersion) { return nil, nil } diff --git a/pkg/attestation/crafter/crafter_unit_test.go b/pkg/attestation/crafter/crafter_unit_test.go index bf2b39bc4..1980952f8 100644 --- a/pkg/attestation/crafter/crafter_unit_test.go +++ b/pkg/attestation/crafter/crafter_unit_test.go @@ -152,6 +152,30 @@ func (s *crafterUnitSuite) TestGitRepoHead() { name: "not a repository", wantNoCommit: true, }, + { + name: "repo with unsupported extension degrades gracefully", + repoProvider: func(repoPath string) (*HeadCommit, error) { + // Init a repo and add a worktreeConfig extension to trigger + // go-git's strict extension validation (added in v5.17.0) + if _, err := git.PlainInit(repoPath, false); err != nil { + return nil, err + } + + // Write the extension directly into the git config file + gitConfigPath := filepath.Join(repoPath, ".git", "config") + f, err := os.OpenFile(gitConfigPath, os.O_APPEND|os.O_WRONLY, 0o600) + if err != nil { + return nil, err + } + defer f.Close() + if _, err := f.WriteString("[extensions]\n\tworktreeConfig = true\n"); err != nil { + return nil, err + } + + return nil, nil + }, + wantNoCommit: true, + }, } for _, tc := range testCases {