Conversation
Summary of ChangesHello @risu729, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces support for Snappy compressed bundles, enhancing the client's ability to process various bundle formats. By integrating Snappy decompression, the system can now seamlessly handle bundles delivered with "application/x-snappy" content types, improving compatibility and robustness when fetching attestation data. Highlights
Changelog
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds support for handling snappy-compressed sigstore bundles. The implementation correctly identifies compressed bundles by checking the Content-Type header and uses the snap crate to decompress them before parsing. The changes look good, and I have one suggestion to improve the code's readability and efficiency.
There was a problem hiding this comment.
Pull request overview
Adds support for fetching and parsing Sigstore bundles that are Snappy-compressed when downloaded from the GitHub attestations API.
Changes:
- Detect Snappy-compressed bundle responses via
Content-Typeand decompress before JSON parsing. - Add a small helper (
decompress_snappy) for Snappy raw decompression. - Introduce the
snapcrate dependency.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
src/api.rs |
Detects Snappy bundle responses, decompresses them, and parses JSON into SigstoreBundle. |
Cargo.toml |
Adds the snap dependency required for Snappy decompression. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| fn decompress_snappy(bytes: &[u8]) -> Result<Vec<u8>> { | ||
| let mut decoder = snap::raw::Decoder::new(); | ||
| decoder | ||
| .decompress_vec(bytes) | ||
| .map_err(|e| AttestationError::Api(format!("Snappy decompression failed: {}", e))) | ||
| } |
There was a problem hiding this comment.
decompress_vec will allocate the full uncompressed size declared in the snappy payload. Since this data comes from a remote HTTP response, a malicious/invalid bundle could request an enormous size and cause memory exhaustion. Consider enforcing a maximum allowed decompressed size (and/or maximum response body size) before allocating/decompressing.
There was a problem hiding this comment.
yea but it should be fine in most cases
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
## 🤖 New release * `sigstore-verification`: 0.2.0 -> 0.2.1 (✓ API compatible changes) <details><summary><i><b>Changelog</b></i></summary><p> <blockquote> ## [0.2.1](v0.2.0...v0.2.1) - 2026-02-15 ### Added - support snappy compressed bundles ([#22](#22)) ### Fixed - set github auth token only for api.github.com ([#23](#23)) ### Other - use fine-grained PAT for release-plz ([#21](#21)) - *(deps)* bump sigstore from 0.12 to 0.13 ([#19](#19)) - *(deps)* update rustsec/audit-check action to v2 ([#15](#15)) - add release-plz and cargo-semver-checks ([#18](#18)) - *(deps)* update actions/checkout digest to de0fac2 ([#17](#17)) - *(deps)* update jdx/mise-action digest to 6d1e696 ([#16](#16)) - *(deps)* update jdx/mise-action action to v3 ([#14](#14)) - *(deps)* update actions/checkout action to v6 ([#13](#13)) </blockquote> </p></details> --- This PR was generated with [release-plz](https://github.com/release-plz/release-plz/). Co-authored-by: jdx <216188+jdx@users.noreply.github.com>
2 participants
Fixes jdx/mise#8142
This only fixes
HTTP error: error decoding response body. Even with this change, if the token arg is set, the Azure Blob used to host the attestation returns 401.Uses https://github.com/BurntSushi/rust-snappy