Imposter commit failure on existing commit #1367
Comments
Hmm, there seems to be a timing issue around new releases and when the dependency update tool (observed with both dependabot and Renovate) sends you a PR, vs when the GitHub APIs reflect the commit state. If I run the commit analysis now, I'm getting all green checks.

The timing has to do with limitations with how our webapp can check for "imposter" commits. There was a ~15 hour gap between when the v3.25.2 release was cut (Apr 22 1:35 PM PDT) and the commit was merged back into main via a PR. You merged konstruktoid/ansible-role-docker-rootless#342 in that window, so our detection was flawed. The linked PR (ossf/scorecard-webapp#608) will fix the issue from happening again after I deploy it to our webapp. No change is required on your end.

Hi @spencerschrock, we had a similar issue after the renovate bot updated actions/upload-artifact to
For whatever reason the new version is not being picked up as legitimate. I'll be following ossf/scorecard-action#1367 to watch for any updates on this.
Yep. We are limited by the GitHub API for determining if a commit belongs to a repository. Our simplistic implementation currently only checks the

This issue pops up every now and again, and we usually just add a new branch to check instead of coming up with a better solution, but this is starting to become unwieldy. In the short term, is there anything stopping you from moving to v4.4.0? At the time, our
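To make the timing window described above concrete, here is an added illustration (not scorecard's or the webapp's own code) of why a "does this commit belong to the repository?" check that only walks a fixed set of refs can flag a freshly tagged release commit as an imposter until it is merged back into the default branch. The commit graph, the short SHAs and the ref names are constructed sample data; the function names are hypothetical. A live check would query the GitHub API instead of the in-memory parent map used here.

```python
"""
Added example: simulate a ref-based "commit belongs to repo" check.

The real tool queries GitHub; this offline version walks a constructed
commit graph so the false-positive window can be reproduced locally.
"""
from collections import deque

# Constructed sample history (child -> parents). Not real SHAs.
#   a1 -> b2 -> c3 ------> d5   (main)
#            \-> r4 ------/     (release commit tagged v3.25.2, merged 15 h later)
SAMPLE_PARENTS = {
    "a1": [],            # initial commit on main
    "b2": ["a1"],        # main
    "c3": ["b2"],        # main HEAD at the moment the release was cut
    "r4": ["b2"],        # release commit cut from b2 and tagged v3.25.2
    "d5": ["c3", "r4"],  # merge of the release back into main
}


def reachable(head, parents):
    """Return every SHA reachable from `head` by following parent links."""
    seen, todo = set(), deque([head])
    while todo:
        sha = todo.popleft()
        if sha in seen:
            continue
        seen.add(sha)
        todo.extend(parents.get(sha, []))
    return seen


def belongs_to_repo(sha, ref_heads, parents):
    """True if `sha` is an ancestor of (or equal to) any checked ref head.

    `ref_heads` maps a ref name to its tip SHA: this models the fixed list
    of branches a simplistic verifier knows how to check.
    """
    return any(sha in reachable(tip, parents) for tip in ref_heads.values())


def classify(sha, ref_heads, parents):
    """Verdict string in the spirit of the workflow error on this issue."""
    return "ok" if belongs_to_repo(sha, ref_heads, parents) else "imposter commit"


if __name__ == "__main__":
    release = "r4"
    # Window between tagging and merge: only `main` is checked -> false positive.
    print("main only, before merge:", classify(release, {"main": "c3"}, SAMPLE_PARENTS))
    # Same window, but the tag ref is also walked -> accepted.
    refs = {"main": "c3", "refs/tags/v3.25.2": "r4"}
    print("main + tag, before merge:", classify(release, refs, SAMPLE_PARENTS))
    # After the merge-back PR lands, `main` alone suffices.
    print("main only, after merge:", classify(release, {"main": "d5"}, SAMPLE_PARENTS))
    # A SHA that is nowhere in the history is still rejected.
    print("unknown sha:", classify("deadbeef", {"main": "d5"}, SAMPLE_PARENTS))
```

The point of the four cases is that the verdict depends entirely on which refs the verifier walks: adding the tag ref (or the release branch) closes the window without waiting for the merge, which is what "add a new branch to check" achieves one branch at a time.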
#2573 reverts upload-artifact update due to [scorecards github action failure](https://github.com/google/osv.dev/actions/runs/10714700617/job/29708828829). Attempt to update the version to `v4.4.0` following suggestions from [scorecard](ossf/scorecard-action#1367 (comment))
Updated the version to v4.4.0, it works for us. Thanks Spencer!

I opened ossf/scorecard-webapp#682 to hopefully fix this issue and prevent it in the future.
Multiple workflows fail due to `workflow verification failed: imposter commit`, but the imposter commit does actually exist in the repository.

```
imposter commit: 8f596b4ae3cb3c588a5c46780b86dd53fef16c52 does not belong to github/codeql-action/upload-sarif
-> github/codeql-action@8f596b4
```

https://github.com/konstruktoid/ansible-role-docker-rootless/actions/runs/8799059669/job/24147300773#step:6:1259
https://github.com/konstruktoid/ansible-role-hardening/actions/runs/8796978115/job/24140893877#step:6:1372
https://github.com/konstruktoid/ssh-moduli/actions/runs/8797089279/job/24141235664#step:6:1213