-
Notifications
You must be signed in to change notification settings - Fork 241
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Error uploading artifact to container registry when using Google Artifact Registry #73
Comments
@capri-xiyue We have done some testing w/ Google Artifact Registry (here's a sample run you can look at). I suspect that you are correct -- the underlying issue is probably auth related. The one difference I see between your workflow and my sample is that you are using the |
@bdehamer |
@bdehamer
But I have some questions, looks like it will generate 5 images for one run. Could you explain what each image is for? |
@capri-xiyue I think I know why this was failing for you before adding the I assume you're talking about the the 5 entries you see if you do something like the following:
or something similar in the Google Cloud Console: What you're seeing here are not 5 images, but rather 5 different manifests which have been stored in the repository. Only one of these actually represents your image, but let's walk through each of them:
|
Regarding the original error you reported . . .
I'm pretty sure that this is a bug in the When you add the When Currently, the We simply need to update our code to identify |
Thanks for the details! Curious in such CUJ, do you know how does https://cli.github.com/manual/gh_attestation_verify works here? |
When using the The
|
I think you are using the attestation in the github api when you specify the |
@capri-xiyue we may expand the A feature we're currently working on is to update the Sigstore policy-controller with support for attestation bundles. This feature would work with attestations stored in the container registry and allow you to write k8s policies preventing any non-attested images from being deployed. Bottom line: there is no use case at the moment which takes advantage of registry-hosted attestations, but we're working on a few things which will leverage this capability in the future. |
Thanks for the all these details!!! |
Just published v1.1.2 of the action which should address the original issue you were seeing when NOT using the |
Does
actions/attest-build-provenance@v1
support Google Artifact Registry?The build-push step successfully pushed image to Google Artifact Registry with this workflow at
Build the integration test server container and push to the registry
. It's failing at the attestation step withError: OCIError: Error uploading artifact to container registry Error: Error fetching https://us-central1-docker.pkg.dev/v2/<repoA>/<imageA>/manifests/sha256:xxxxxxx - expected 200, received 404
Here's my job step.
Looks like
actions/attest-build-provenance@v1
doesn't use the auth I provided in previous step automatically and it doesn't expose a way to configure the auth needed for Google Artifact Registry. The previous steppush
which push the image to the Google Artifact Registry works, so I'm pretty sure I'm providing the correct auth for Google Artifact Registry.At the same time, I also run
curl -H "Authorization: Bearer $(gcloud auth print-access-token)" https://us-central1-docker.pkg.dev/v2/<repoA>/<imageA>/manifests/sha256:xxxxxxx
for the url throw in the error messageError fetching https://us-central1-docker.pkg.dev/v2/<repoA>/<imageA>/manifests/sha256:xxxxxxx - expected 200, received 404
, and the curl works which shows thehttps://us-central1-docker.pkg.dev/v2/<repoA>/<imageA>/manifests/sha256:xxxxxxx
is a valid url.Thank you for your help!
The text was updated successfully, but these errors were encountered: