From 59309c8cd03ad948410f323d40b810a514fc9dab Mon Sep 17 00:00:00 2001
From: Javier Rodriguez <javier@chainloop.dev>
Date: Fri, 22 May 2026 18:51:25 +0200
Subject: [PATCH 1/3] feat(dagger): add enterprise mode for proprietary CLI
 image

Add --enterprise and --cli-version optional parameters to the Dagger
module constructor. When enterprise mode is enabled, the module uses
ghcr.io/chainloop-dev/platform/cli instead of the OSS image. The bump
script now fetches the platform version from the infoz endpoint.

Assisted-by: Claude Code
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>

Chainloop-Trace-Sessions: 8a5a6956-cc02-47f6-9366-bb732b59ecf7
---
 .../utils/bump-chart-and-dagger-version.sh    |  6 +++
 extras/dagger/main.go                         | 46 +++++++++++++++----
 2 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/utils/bump-chart-and-dagger-version.sh b/.github/workflows/utils/bump-chart-and-dagger-version.sh
index 0f91c512f..a9c40547a 100755
--- a/.github/workflows/utils/bump-chart-and-dagger-version.sh
+++ b/.github/workflows/utils/bump-chart-and-dagger-version.sh
@@ -53,3 +53,9 @@ sed -i "s/tag: .*/tag: \"${semVer}\"/g" "${values_yaml}"
 ## Update Dagger version
 sed -i "s/chainloopVersion = \"v.*\"/chainloopVersion = \"${semVer}\"/" "${dagger_main}"
 
+## Update platform (enterprise) CLI version from infoz endpoint
+platform_version=$(curl -sf https://api.app.chainloop.dev/infoz | jq -r '.version')
+if [[ -n "${platform_version}" && "${platform_version}" != "null" ]]; then
+    sed -i "s/platformVersion  = \"v.*\"/platformVersion  = \"${platform_version}\"/" "${dagger_main}"
+fi
+
diff --git a/extras/dagger/main.go b/extras/dagger/main.go
index a33e55c23..58f335757 100644
--- a/extras/dagger/main.go
+++ b/extras/dagger/main.go
@@ -11,6 +11,7 @@ import (
 
 const (
 	chainloopVersion = "v1.98.4"
+	platformVersion  = "v1.77.8"
 )
 
 var execOpts = dagger.ContainerWithExecOpts{
@@ -20,6 +21,25 @@ var execOpts = dagger.ContainerWithExecOpts{
 type Chainloop struct {
 	// +private
 	Instance InstanceInfo
+	// +private
+	Enterprise bool
+	// +private
+	CLIVersion string
+}
+
+// New creates a new Chainloop module client.
+func New(
+	// Use the enterprise CLI image (ghcr.io/chainloop-dev/platform/cli)
+	// +optional
+	enterprise bool,
+	// Pin a specific CLI version (overrides the built-in default)
+	// +optional
+	cliVersion string,
+) *Chainloop {
+	return &Chainloop{
+		Enterprise: enterprise,
+		CLIVersion: cliVersion,
+	}
 }
 
 // A Chainloop attestation
@@ -515,13 +535,23 @@ func (att *Attestation) Debug() *dagger.Container {
 	return att.Container(0).Terminal()
 }
 
-func cliContainer(ttl int, token *dagger.Secret, instance InstanceInfo, parentCI *ParentCIContext, githubEventFile *dagger.File) *dagger.Container {
+func cliContainer(ttl int, token *dagger.Secret, instance InstanceInfo, parentCI *ParentCIContext, githubEventFile *dagger.File, enterprise bool, cliVersionOverride string) *dagger.Container {
+	image := "ghcr.io/chainloop-dev/chainloop/cli"
+	version := chainloopVersion
+	if enterprise {
+		image = "ghcr.io/chainloop-dev/platform/cli"
+		version = platformVersion
+	}
+	if cliVersionOverride != "" {
+		version = cliVersionOverride
+	}
+
 	ctr := dag.Container().
-		From(fmt.Sprintf("ghcr.io/chainloop-dev/chainloop/cli:%s", chainloopVersion)).
-		WithEntrypoint([]string{"/chainloop"}). // Be explicit to prepare for possible API change
-		WithEnvVariable("CHAINLOOP_DAGGER_CLIENT", chainloopVersion).
-		WithUser("").                                                                                     // Our images come with pre-defined user set, so we need to reset it
-		WithEnvVariable("DAGGER_CACHE_KEY", time.Now().Truncate(time.Duration(ttl)*time.Second).String()) // Cache TTL
+		From(fmt.Sprintf("%s:%s", image, version)).
+		WithEntrypoint([]string{"/chainloop"}).
+		WithEnvVariable("CHAINLOOP_DAGGER_CLIENT", version).
+		WithUser("").
+		WithEnvVariable("DAGGER_CACHE_KEY", time.Now().Truncate(time.Duration(ttl)*time.Second).String())
 
 	// Inject parent CI context if provided
 	if parentCI != nil {
@@ -631,7 +661,7 @@ func (att *Attestation) Container(
 	// +default=0
 	ttl int,
 ) *dagger.Container {
-	ctr := cliContainer(ttl, att.Token, att.Client.Instance, att.parentCIContext, att.githubEventFile)
+	ctr := cliContainer(ttl, att.Token, att.Client.Instance, att.parentCIContext, att.githubEventFile, att.Client.Enterprise, att.Client.CLIVersion)
 	if att.repository != nil {
 		ctr = ctr.WithDirectory(".", att.repository)
 	}
@@ -778,7 +808,7 @@ func (m *Chainloop) WorkflowCreate(
 	// +optional
 	skipIfExists bool,
 ) (string, error) {
-	return cliContainer(0, token, m.Instance, nil, nil).
+	return cliContainer(0, token, m.Instance, nil, nil, m.Enterprise, m.CLIVersion).
 		WithExec([]string{
 			"workflow", "create",
 			"--name", name,

From 3358ed50cd5fe6ce08a14afd228c42a7852f50b4 Mon Sep 17 00:00:00 2001
From: Javier Rodriguez <javier@chainloop.dev>
Date: Fri, 22 May 2026 18:54:33 +0200
Subject: [PATCH 2/3] restore comments

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>

Chainloop-Trace-Sessions: 8a5a6956-cc02-47f6-9366-bb732b59ecf7
---
 extras/dagger/main.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/extras/dagger/main.go b/extras/dagger/main.go
index 58f335757..ea53b614d 100644
--- a/extras/dagger/main.go
+++ b/extras/dagger/main.go
@@ -548,10 +548,10 @@ func cliContainer(ttl int, token *dagger.Secret, instance InstanceInfo, parentCI
 
 	ctr := dag.Container().
 		From(fmt.Sprintf("%s:%s", image, version)).
-		WithEntrypoint([]string{"/chainloop"}).
+		WithEntrypoint([]string{"/chainloop"}). // Be explicit to prerare for possible API change
 		WithEnvVariable("CHAINLOOP_DAGGER_CLIENT", version).
-		WithUser("").
-		WithEnvVariable("DAGGER_CACHE_KEY", time.Now().Truncate(time.Duration(ttl)*time.Second).String())
+		WithUser("").                                                                                     // Our images come with pre-defined user set, so we need to reset it
+		WithEnvVariable("DAGGER_CACHE_KEY", time.Now().Truncate(time.Duration(ttl)*time.Second).String()) // Cache TTL
 
 	// Inject parent CI context if provided
 	if parentCI != nil {

From 324a6374be211a072fa36fea24a0923d086ded02 Mon Sep 17 00:00:00 2001
From: Javier Rodriguez <javier@chainloop.dev>
Date: Fri, 22 May 2026 18:57:27 +0200
Subject: [PATCH 3/3] fix typo

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>

Chainloop-Trace-Sessions: 8a5a6956-cc02-47f6-9366-bb732b59ecf7
---
 extras/dagger/main.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/extras/dagger/main.go b/extras/dagger/main.go
index ea53b614d..7c4ac8cda 100644
--- a/extras/dagger/main.go
+++ b/extras/dagger/main.go
@@ -548,7 +548,7 @@ func cliContainer(ttl int, token *dagger.Secret, instance InstanceInfo, parentCI
 
 	ctr := dag.Container().
 		From(fmt.Sprintf("%s:%s", image, version)).
-		WithEntrypoint([]string{"/chainloop"}). // Be explicit to prerare for possible API change
+		WithEntrypoint([]string{"/chainloop"}). // Be explicit to prepare for possible API change
 		WithEnvVariable("CHAINLOOP_DAGGER_CLIENT", version).
 		WithUser("").                                                                                     // Our images come with pre-defined user set, so we need to reset it
 		WithEnvVariable("DAGGER_CACHE_KEY", time.Now().Truncate(time.Duration(ttl)*time.Second).String()) // Cache TTL