fix: handle go-git extension validation errors gracefully

go.mod

@@ -353,7 +353,10 @@ require (
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fsouza/fake-gcs-server v1.47.6
-	github.com/go-git/go-git/v5 v5.17.1
+	// Pinned to v5.16.5: v5.17.x has a case-sensitivity bug in extension validation
+	// that breaks PlainOpen on repos using git worktree.
+	// https://github.com/chainloop-dev/chainloop/issues/2966
+	github.com/go-git/go-git/v5 v5.16.5
 	github.com/go-kratos/aegis v0.2.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect

go.sum

@@ -449,8 +449,8 @@ github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
 github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY=
-github.com/go-git/go-git/v5 v5.17.1 h1:WnljyxIzSj9BRRUlnmAU35ohDsjRK0EKmL0evDqi5Jk=
-github.com/go-git/go-git/v5 v5.17.1/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
+github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s=
+github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=

pkg/attestation/crafter/crafter.go

@@ -312,6 +312,20 @@ type CommitRemote struct {
 // This error is not exposed by go-git
 var errBranchInvalidMerge = errors.New("branch config: invalid merge")
 
+// isGitExtensionError returns true if the error is related to unsupported git
+// repository format extensions (e.g. worktreeConfig). go-git v5.17.0 introduced
+// strict validation that rejects repos with extensions it doesn't support.
+// See https://github.com/go-git/go-git/pull/1861
+func isGitExtensionError(err error) bool {
+	if err == nil {
+		return false
+	}
+	msg := err.Error()
+	return strings.Contains(msg, "does not support extension") ||
+		strings.Contains(msg, "unknown extension") ||
+		strings.Contains(msg, "repositoryformatversion not supported")
+}
+
 // Returns the current directory git commit hash if possible
 // If we are not in a git repo it will return an empty string
 func gracefulGitRepoHead(path string) (*HeadCommit, error) {
@@ -321,7 +335,8 @@ func gracefulGitRepoHead(path string) (*HeadCommit, error) {
 	})
 
 	if err != nil {
-		if errors.Is(err, git.ErrRepositoryNotExists) {
+		if errors.Is(err, git.ErrRepositoryNotExists) ||
+			isGitExtensionError(err) {
 			return nil, nil
 		}
 

pkg/attestation/crafter/crafter_unit_test.go

@@ -152,6 +152,30 @@ func (s *crafterUnitSuite) TestGitRepoHead() {
 			name:         "not a repository",
 			wantNoCommit: true,
 		},
+		{
+			name: "repo with unsupported extension degrades gracefully",
+			repoProvider: func(repoPath string) (*HeadCommit, error) {
+				// Init a repo and add a worktreeConfig extension to trigger
+				// go-git's strict extension validation (added in v5.17.0)
+				if _, err := git.PlainInit(repoPath, false); err != nil {
+					return nil, err
+				}
+
+				// Write the extension directly into the git config file
+				gitConfigPath := filepath.Join(repoPath, ".git", "config")
+				f, err := os.OpenFile(gitConfigPath, os.O_APPEND|os.O_WRONLY, 0o600)
+				if err != nil {
+					return nil, err
+				}
+				defer f.Close()
+				if _, err := f.WriteString("[extensions]\n\tworktreeConfig = true\n"); err != nil {
+					return nil, err
+				}
+
+				return nil, nil
+			},
+			wantNoCommit: true,
+		},
 	}
 
 	for _, tc := range testCases {