Fix publish pipeline: --package flag ignored by sequencer #109
Description
Problem
When publishing an artifact with `auths artifact publish --package npm:react@18.3.0`, the `--package` flag value is not stored in `artifact_attestations.package_name`. Instead, the raw filename from the attestation JSON body (e.g. `react-18.3.0.tar.gz`) is stored.
Root cause
The publish handler in `routes/artifacts.rs` correctly reads `--package` from the request body (lines 109-113) and passes it to the response. But when routing through the sequencer (lines 120-154), the `package_name` is NOT included in the `EntryContent`. The sequencer's attest handler (`sequencer/mod.rs:958-966`) extracts `package_name` from `attestation_value["payload"]["name"]`, i.e. the raw filename.
Current workaround
We patched this by injecting `_package_name` into the attestation value before passing it to the sequencer:

```rust
// routes/artifacts.rs
if let Some(ref pkg) = package_name {
    if let Some(obj) = attest_value.as_object_mut() {
        obj.insert("_package_name".to_string(), serde_json::Value::String(pkg.clone()));
    }
}
```

And the sequencer prefers `_package_name` over `payload.name`:
```rust
// sequencer/mod.rs
let package_name = attestation_value
    .get("_package_name")
    .and_then(|n| n.as_str())
    .filter(|s| !s.is_empty())
    // Fallback: the raw filename from the attestation payload
    .or_else(|| attestation_value.get("payload").and_then(|p| p.get("name")).and_then(|n| n.as_str()));
```

This works but is a band-aid.
Proper fix
The attestation JSON payload should carry the ecosystem-qualified package name from the CLI, not the raw filename. The fix should flow through:
- CLI `artifact sign` — the signed attestation payload should include the `--package` name if provided
- CLI `artifact publish` — should not need to pass `package_name` separately; it should already be in the attestation
- Sequencer — should read from the standard attestation payload field, not the `_package_name` side-channel
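As an added example (not code from the auths repository), this is the kind of validation the sequencer could apply once it reads the package name from the attestation payload: it parses the `ecosystem:name@version` spec the CLI accepts and refuses to store anything else, so a raw filename such as `react-18.3.0.tar.gz` is rejected instead of silently recorded. The `payload.package` field name and the reject-rather-than-fall-back behaviour are assumptions, not part of the current design.

```rust
// Added example, not part of the auths code base.
#[derive(Debug, PartialEq)]
pub struct PackageSpec {
    pub ecosystem: String,
    pub name: String,
    pub version: String,
}

/// Parses an ecosystem-qualified spec such as "npm:react@18.3.0".
/// Returns None for anything else, including bare filenames like
/// "react-18.3.0.tar.gz", which contain no ecosystem prefix.
pub fn parse_package_spec(spec: &str) -> Option<PackageSpec> {
    let (ecosystem, rest) = spec.split_once(':')?;
    // Split on the last '@' so scoped npm names ("@scope/pkg@1.0.0") parse.
    let (name, version) = rest.rsplit_once('@')?;
    let valid = |s: &str| !s.is_empty() && !s.contains(char::is_whitespace);
    if !valid(ecosystem) || !valid(name) || !valid(version) {
        return None;
    }
    Some(PackageSpec {
        ecosystem: ecosystem.to_string(),
        name: name.to_string(),
        version: version.to_string(),
    })
}

/// Decides what goes into artifact_attestations.package_name.
/// `payload_package` is the hypothetical standard field the CLI would set
/// from --package; `payload_name` is the raw filename already in the payload.
/// Unlike the current fallback to payload.name, a missing or malformed spec
/// is an error, so the filename can never end up stored as the package name.
pub fn resolve_package_name(
    payload_package: Option<&str>,
    payload_name: &str,
) -> Result<String, String> {
    match payload_package.and_then(parse_package_spec) {
        Some(spec) => Ok(format!("{}:{}@{}", spec.ecosystem, spec.name, spec.version)),
        None => Err(format!(
            "attestation for {payload_name:?} has no ecosystem-qualified package field"
        )),
    }
}

fn main() {
    // Constructed sample inputs: one correct attestation, one with the bug.
    println!("{:?}", resolve_package_name(Some("npm:react@18.3.0"), "react-18.3.0.tar.gz"));
    println!("{:?}", resolve_package_name(None, "react-18.3.0.tar.gz"));
}
```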
Files
| File | Current behavior | Expected |
|---|---|---|
| `auths/crates/auths-cli/src/commands/artifact/sign.rs` | Attestation payload `name` = filename | Should accept `--package` and include it |
| `auths/crates/auths-cli/src/commands/artifact/publish.rs` | Sends `package_name` as separate field | Should be in the attestation already |
| `auths-cloud/.../routes/artifacts.rs` | Injects `_package_name` band-aid | Remove band-aid, read from attestation |
| `auths-cloud/.../sequencer/mod.rs` | Prefers `_package_name` over `payload.name` | Read from standard field |
Impact
Without the fix, every artifact published without the workaround creates entries with raw filenames instead of ecosystem-qualified names, breaking the versions/health/badge endpoints.