Context
After PR #292, we added a backward compatibility fallback to handle artifacts built before provenance bundles were stored externally. This allows builds to succeed even when dependencies don't have .provenance.jsonl files.
Why Remove It
With the fallback active, a dependency that has no bundle is skipped rather than reported, so the provenance emitted for the build silently omits that dependency and everything transitively below it, and a consumer of the bundle cannot tell a complete attestation from a partial one. Once every cached artifact has a provenance bundle, the fallback should be removed so that a missing bundle fails the build instead of degrading its provenance.
Removal Criteria
- every .tar.gz artifact in the S3 cache has a corresponding .provenance.jsonl object
- the builder logs show no "Dependency provenance bundle not found" warnings (the fallback's log line) for the two-week window checked below
Verification Commands
# Check for artifacts without provenance in S3
# (one request per tarball, so this is slow on a large cache; run it against
# the same bucket the builders use)
aws s3 ls s3://<...>/ --recursive | \
  grep '\.tar\.gz$' | \
  while read -r _date _time _size key; do
    # the listing is "date time size key"; binding the remainder of the line
    # to `key` keeps keys that contain spaces intact
    provenance_key="${key}.provenance.jsonl"
    # head-object is an exact-key lookup; `aws s3 ls` does prefix matching and
    # would accept a stray "${provenance_key}.tmp" as a bundle
    if ! aws s3api head-object --bucket <...> --key "$provenance_key" >/dev/null 2>&1; then
      echo "Missing provenance: $key"
    fi
  done
# Check the builder logs for fallback warnings (should be zero)
# kubectl's --since accepts h/m/s only, so two weeks is 336h; it also only sees
# pods that still exist, so if builder pods have rotated in that window, run the
# same grep against the central log store instead of trusting a zero here
kubectl logs -l app=leeway-builder --since=336h | grep "Dependency provenance bundle not found" | wc -l
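The S3 check above issues one request per tarball and has to trust the listing columns. The following is an added example (not leeway's code) that does the same comparison in Go, the project's language, from a single `aws s3 ls --recursive` listing read on stdin: exact-name lookups in a set instead of a per-object round trip. The listing column layout, the `check.go` file name and the sample keys are assumptions; the sample listing is constructed, not real cache contents.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// keyOf extracts the object key from one line of `aws s3 ls --recursive`
// output. The listing format assumed here is "<date> <time> <size> <key>"
// with runs of spaces between columns; everything after the third column is
// the key, so keys containing spaces survive.
func keyOf(line string) (string, bool) {
	rest := strings.TrimSpace(line)
	for i := 0; i < 3; i++ {
		j := strings.IndexAny(rest, " \t")
		if j < 0 {
			return "", false
		}
		rest = strings.TrimLeft(rest[j:], " \t")
	}
	if rest == "" {
		return "", false
	}
	return rest, true
}

// MissingProvenance returns, sorted, every .tar.gz key in the listing that has
// no object named exactly "<key>.provenance.jsonl" in the same listing. The
// exact lookup avoids the prefix matching of `aws s3 ls <key>`, which would
// accept a leftover "<key>.provenance.jsonl.bak" as a bundle.
func MissingProvenance(listing string) []string {
	present := map[string]bool{}
	var tarballs []string
	sc := bufio.NewScanner(strings.NewReader(listing))
	for sc.Scan() {
		key, ok := keyOf(sc.Text())
		if !ok {
			continue
		}
		present[key] = true
		if strings.HasSuffix(key, ".tar.gz") {
			tarballs = append(tarballs, key)
		}
	}
	var missing []string
	for _, k := range tarballs {
		if !present[k+".provenance.jsonl"] {
			missing = append(missing, k)
		}
	}
	sort.Strings(missing)
	return missing
}

// SampleListing is a constructed listing (not real cache contents): one
// artifact with its bundle, one whose key contains a space and has no bundle,
// and one whose only "bundle" is a leftover .bak file.
const SampleListing = `2025-11-10 09:12:01      48213 leeway/components/app--linux-amd64.tar.gz
2025-11-10 09:12:02       2210 leeway/components/app--linux-amd64.tar.gz.provenance.jsonl
2025-11-09 22:40:17     103988 leeway/components/legacy lib--abc123.tar.gz
2025-11-10 09:15:44        911 leeway/components/other--def456.tar.gz.provenance.jsonl.bak
2025-11-10 09:15:43      77001 leeway/components/other--def456.tar.gz
`

// Usage: aws s3 ls s3://<bucket>/ --recursive | go run check.go
// Exits non-zero when any artifact lacks a bundle, so it can gate the removal.
func main() {
	data, err := io.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, "read stdin:", err)
		os.Exit(2)
	}
	missing := MissingProvenance(string(data))
	for _, k := range missing {
		fmt.Println("Missing provenance:", k)
	}
	if len(missing) > 0 {
		os.Exit(1)
	}
}
```

Against SampleListing the check reports the "legacy lib" artifact and the "other" artifact (whose .bak file is not a bundle), and passes the "app" artifact.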
Implementation
Remove the if errors.Is(err, ErrNoAttestationBundle) block in pkg/leeway/provenance.go:getDependenciesProvenanceBundles() and restore the original error return.
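To make the effect of that block concrete, here is an added example that is not leeway's code: a stand-in for getDependenciesProvenanceBundles with the fallback switchable, showing that the fallback returns a bundle set that silently lacks a dependency and everything it attests to, while the restored behaviour fails with ErrNoAttestationBundle. Only the sentinel's name comes from the page; the Bundle and Cache types, CollectBundles, Covered and the sample data are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ErrNoAttestationBundle is the sentinel named on the page; the types and
// functions around it are stand-ins for the leeway code, not copies of it.
var ErrNoAttestationBundle = errors.New("no attestation bundle")

// Bundle stands in for one dependency's .provenance.jsonl: the artifacts it
// attests to, i.e. the dependency itself plus its transitive dependencies.
type Bundle struct {
	Dep      string
	Subjects []string
}

// Cache stands in for the external bundle store; a dependency missing from the
// map models an artifact cached before bundles were stored externally.
type Cache map[string]Bundle

func (c Cache) Get(dep string) (Bundle, error) {
	b, ok := c[dep]
	if !ok {
		return Bundle{}, fmt.Errorf("dependency %q: %w", dep, ErrNoAttestationBundle)
	}
	return b, nil
}

// CollectBundles models getDependenciesProvenanceBundles. With allowMissing
// set (the post-#292 fallback) a dependency without a bundle is dropped and
// the build continues; with it cleared (the behaviour being restored) the
// error propagates and the build fails.
func CollectBundles(c Cache, deps []string, allowMissing bool) ([]Bundle, error) {
	var out []Bundle
	for _, dep := range deps {
		b, err := c.Get(dep)
		if err != nil {
			if allowMissing && errors.Is(err, ErrNoAttestationBundle) {
				continue // the fallback: silently skip this dependency
			}
			return nil, err // original behaviour: fail the build
		}
		out = append(out, b)
	}
	return out, nil
}

// Covered lists, sorted, every artifact the collected bundles attest to; what
// is absent from it is exactly the transitive provenance the fallback loses.
func Covered(bundles []Bundle) []string {
	seen := map[string]bool{}
	for _, b := range bundles {
		for _, s := range b.Subjects {
			seen[s] = true
		}
	}
	out := make([]string, 0, len(seen))
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// SampleCache is constructed: "app" has a bundle, "legacy" predates external
// bundles and has none, so nothing in the store attests to legacy or to
// legacy's own dependencies.
var SampleCache = Cache{
	"app": {Dep: "app", Subjects: []string{"app", "liba"}},
}

var SampleDeps = []string{"app", "legacy"}

func main() {
	withFallback, _ := CollectBundles(SampleCache, SampleDeps, true)
	fmt.Println("fallback covers:", Covered(withFallback)) // legacy never appears
	_, err := CollectBundles(SampleCache, SampleDeps, false)
	fmt.Println("strict:", err)
}
```

The fallback run succeeds and Covered reports only app and liba, with no signal that legacy was dropped; the strict run returns an error wrapping ErrNoAttestationBundle, which is the outcome the removal restores.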
Timeline
Expected removal date: 2025-12-15 (4 weeks after v0.15.0-rc5 deployment)
Related