chainloop-dev · Piskoo · Dec 22, 2025 · jiparis · Dec 22, 2025
diff --git a/app/cli/pkg/action/action.go b/app/cli/pkg/action/action.go
@@ -24,6 +24,7 @@ import (
 
 	pb "github.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1"
 	"github.com/chainloop-dev/chainloop/pkg/attestation/crafter"
+	clientAPI "github.com/chainloop-dev/chainloop/pkg/attestation/crafter/api/attestation/v1"
 	"github.com/chainloop-dev/chainloop/pkg/attestation/crafter/statemanager/filesystem"
 	"github.com/chainloop-dev/chainloop/pkg/attestation/crafter/statemanager/remote"
 	"github.com/chainloop-dev/chainloop/pkg/casclient"
@@ -100,7 +101,7 @@ func newCrafter(stateOpts *newCrafterStateOpts, conn *grpc.ClientConn, opts ...c
 }
 
 // getCASBackend tries to get CAS upload credentials and set up a CAS client
-func getCASBackend(ctx context.Context, client pb.AttestationServiceClient, workflowRunID, casCAPath, casURI string, casConnectionInsecure bool, logger zerolog.Logger, casBackend *casclient.CASBackend) (func() error, error) {
+func getCASBackend(ctx context.Context, client pb.AttestationServiceClient, workflowRunID, casCAPath, casURI string, casConnectionInsecure bool, logger zerolog.Logger, casBackend *casclient.CASBackend, casBackendInfo **clientAPI.Attestation_CASBackend) (func() error, error) {
 	credsResp, err := client.GetUploadCreds(ctx, &pb.AttestationServiceGetUploadCredsRequest{
 		WorkflowRunId: workflowRunID,
 	})
@@ -122,6 +123,14 @@ func getCASBackend(ctx context.Context, client pb.AttestationServiceClient, work
 		return nil, fmt.Errorf("no backend found in upload creds")
 	}
 
+	if casBackendInfo != nil {
+		*casBackendInfo = &clientAPI.Attestation_CASBackend{
+			CasBackendId:   backend.Id,
+			CasBackendName: backend.Name,
+			Fallback:       backend.Fallback,
+		}
+	}
+
 	casBackend.Name = backend.Provider
 	if backend.GetLimits() != nil {
 		casBackend.MaxSize = backend.GetLimits().MaxBytes

diff --git a/app/cli/pkg/action/attestation_add.go b/app/cli/pkg/action/attestation_add.go
@@ -99,7 +99,7 @@ func (action *AttestationAdd) Run(ctx context.Context, attestationID, materialNa
 	if !crafter.CraftingState.GetDryRun() {
 		client := pb.NewAttestationServiceClient(action.CPConnection)
 		workflowRunID := crafter.CraftingState.GetAttestation().GetWorkflow().GetWorkflowRunId()
-		connectionCloserFn, getCASBackendErr := getCASBackend(ctx, client, workflowRunID, action.casCAPath, action.casURI, action.connectionInsecure, action.Logger, casBackend)
+		connectionCloserFn, getCASBackendErr := getCASBackend(ctx, client, workflowRunID, action.casCAPath, action.casURI, action.connectionInsecure, action.Logger, casBackend, nil)
 		if getCASBackendErr != nil {
 			return nil, fmt.Errorf("failed to get CAS backend: %w", getCASBackendErr)
 		}

diff --git a/app/cli/pkg/action/attestation_init.go b/app/cli/pkg/action/attestation_init.go
@@ -231,8 +231,9 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 
 	// Get CAS credentials for PR metadata upload
 	var casBackend = &casclient.CASBackend{Name: "not-set"}
+	var casBackendInfo *clientAPI.Attestation_CASBackend
 	if !action.dryRun && attestationID != "" {
-		connectionCloserFn, err := getCASBackend(ctx, client, attestationID, action.casCAPath, action.casURI, action.connectionInsecure, action.Logger, casBackend)
+		connectionCloserFn, err := getCASBackend(ctx, client, attestationID, action.casCAPath, action.casURI, action.connectionInsecure, action.Logger, casBackend, &casBackendInfo)
 		if err != nil {
 			// We don't want to fail the attestation initialization if CAS setup fails, it's a best-effort feature for PR/MR metadata
 			action.Logger.Warn().Err(err).Msg("unexpected error getting CAS backend")
@@ -275,7 +276,8 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 			TimestampAuthorityURL: timestampAuthorityURL,
 			SigningCAName:         signingCAName,
 		},
-		Auth: authInfo,
+		Auth:       authInfo,
+		CASBackend: casBackendInfo,
 	}
 
 	if err := action.c.Init(ctx, initOpts); err != nil {

diff --git a/app/controlplane/api/controlplane/v1/response_messages.pb.go b/app/controlplane/api/controlplane/v1/response_messages.pb.go
diff --git a/app/controlplane/api/controlplane/v1/response_messages.proto b/app/controlplane/api/controlplane/v1/response_messages.proto
@@ -312,6 +312,8 @@ message CASBackendItem {
   // Error message if validation failed
   optional string validation_error = 12;
   google.protobuf.Timestamp updated_at = 13;
+  // Wether it's the fallback backend in the organization
+  bool fallback = 14;
 
   message Limits {
     // Max number of bytes allowed to be stored in this backend

diff --git a/app/controlplane/api/gen/frontend/attestation/v1/crafting_state.ts b/app/controlplane/api/gen/frontend/attestation/v1/crafting_state.ts
diff --git a/app/controlplane/api/gen/frontend/controlplane/v1/response_messages.ts b/app/controlplane/api/gen/frontend/controlplane/v1/response_messages.ts
diff --git a/app/controlplane/api/gen/jsonschema/attestation.v1.Attestation.CASBackend.jsonschema.json b/app/controlplane/api/gen/jsonschema/attestation.v1.Attestation.CASBackend.jsonschema.json