fix: store gate property in attestation

app/cli/cmd/workflow_workflow_run_describe.go

@@ -162,8 +162,10 @@ func workflowRunDescribeTableOutput(run *action.WorkflowRunItemFull) error {
 	}
 
 	gt.AppendRow(table.Row{"Policies violation strategy", att.PolicyEvaluationStatus.Strategy})
-	if att.PolicyEvaluationStatus.Strategy == action.PolicyViolationBlockingStrategyEnforced {
+	if att.PolicyEvaluationStatus.Blocked {
 		gt.AppendRow(table.Row{"Run Blocked", att.PolicyEvaluationStatus.Blocked})
+	}
+	if att.PolicyEvaluationStatus.Strategy == action.PolicyViolationBlockingStrategyEnforced {
 		gt.AppendRow(table.Row{"Policy enforcement bypassed", att.PolicyEvaluationStatus.Bypassed})
 	}
 

app/cli/pkg/action/workflow_run_describe.go

@@ -296,6 +296,7 @@ func policyEvaluationPBToAction(in *pb.PolicyEvaluation) *PolicyEvaluation {
 		Violations:      violations,
 		Skipped:         in.Skipped,
 		SkipReasons:     in.SkipReasons,
+		Gate:            in.Gate,
 	}
 }
 

app/controlplane/api/controlplane/v1/response_messages.proto

@@ -161,6 +161,7 @@ message PolicyEvaluation {
   repeated string skip_reasons = 13;
   repeated string requirements = 14;
   PolicyReference group_reference = 15;
+  bool gate = 16;
 }
 
 message PolicyViolation {

app/controlplane/internal/service/attestation.go

@@ -592,6 +592,7 @@ func extractPolicyEvaluations(in map[string][]*chainloop.PolicyEvaluation) map[s
 				Skipped:      ev.Skipped,
 				SkipReasons:  ev.SkipReasons,
 				Requirements: ev.Requirements,
+				Gate:         ev.Gate,
 			}
 
 			if ev.PolicyReference != nil {

pkg/attestation/renderer/chainloop/v02.go

@@ -86,6 +86,7 @@ type PolicyEvaluation struct {
 	SkipReasons             []string                   `json:"skipReasons,omitempty"`
 	GroupReference          *intoto.ResourceDescriptor `json:"groupReference,omitempty"`
 	Requirements            []string                   `json:"requirements,omitempty"`
+	Gate                    bool                       `json:"gate,omitempty"`
 }
 
 type PolicyViolation struct {
@@ -221,14 +222,28 @@ func (r *RendererV02) predicate() (*structpb.Struct, error) {
 		policyCheckBlockingStrategy = PolicyViolationBlockingStrategyEnforced
 	}
 
+	// Determine if the attestation is blocked
+	// An attestation is blocked when:
+	// - any of the policies marked as gate has violations
+	// - or if there are any policy violations and the attestation is configured to be blocked on violations
+	// In all cases, if the bypass flag is set, the attestation is not blocked
+	gated := false
+	for _, eval := range r.att.PolicyEvaluations {
+		if len(eval.Violations) > 0 && eval.Gate {
+			gated = true
+			break
+		}
+	}
+	blocked := !r.att.GetBypassPolicyCheck() && (gated || hasViolations && r.att.GetBlockOnPolicyViolation())
+
 	p := ProvenancePredicateV02{
 		ProvenancePredicateCommon:   predicateCommon(r.builder, r.att),
 		Materials:                   normalizedMaterials,
 		PolicyEvaluations:           policies,
 		PolicyHasViolations:         hasViolations,
 		PolicyCheckBlockingStrategy: policyCheckBlockingStrategy,
 		PolicyBlockBypassEnabled:    r.att.GetBypassPolicyCheck(),
-		PolicyAttBlocked:            hasViolations && r.att.GetBlockOnPolicyViolation() && !r.att.GetBypassPolicyCheck(),
+		PolicyAttBlocked:            blocked,
 		SigningCA:                   r.att.GetSigningOptions().GetSigningCa(),
 		SigningTSA:                  r.att.GetSigningOptions().GetTimestampAuthorityUrl(),
 	}
@@ -310,6 +325,7 @@ func renderEvaluation(ev *v1.PolicyEvaluation) (*PolicyEvaluation, error) {
 		Skipped:         ev.Skipped,
 		GroupReference:  groupRef,
 		Requirements:    ev.Requirements,
+		Gate:            ev.Gate,
 	}, nil
 }