
[bug] Pinning slsa-github-generator to a commit doesn't work #722

Open
sethmlarson opened this issue Aug 19, 2022 · 1 comment
Labels
area:generic Issue with the generic generator type:bug Something isn't working

Comments

@sethmlarson
Contributor

sethmlarson commented Aug 19, 2022

Describe the bug

When the reusable workflow generator_generic_slsa3.yml is pinned to a commit (as is recommended by Scorecard), it fails with the following message:

```console
Run ./.github/actions/generate-builder/generate-builder.sh
  ./.github/actions/generate-builder/generate-builder.sh
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    BUILDER_BINARY: slsa-generator-generic-linux-amd64
    BUILDER_DIR: internal/builders/generic
    BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
    BUILDER_RELEASE_BINARY: slsa-generator-generic-linux-amd64
    VERIFIER_REPOSITORY: slsa-framework/slsa-verifier
    VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64
    VERIFIER_RELEASE_BINARY_SHA256: f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21
    VERIFIER_RELEASE: v1.1.1
    COMPILE_BUILDER: false
    BUILDER_REF: bdd89e60dc5387d8f819bebc702987956bcd4913
    GH_TOKEN: ***
Fetching the builder with ref: bdd89e60dc5387d8f819bebc702987956bcd4913
Invalid ref: bdd89e60dc5387d8f819bebc702987956bcd4913. Expected ref of the form refs/tags/vX.Y.Z
```

See: https://github.com/sethmlarson/python-slsa-release-test/runs/7911558087?check_suite_focus=true

To Reproduce

  • Pin the slsa-github-generator workflow to a commit.
  • Run a release.
  • See the failure.

Expected behavior

Pinning the workflow to a commit instead of a tag works as expected.

Additional context

Related and unfortunately in direct contention with: ossf/scorecard#2174
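The failure above comes from the builder fetch step rejecting anything that is not a `refs/tags/vX.Y.Z` ref. The script below is an added example, not code from slsa-github-generator: it mirrors that check (the regex is an assumption written to match the error text) and adds the out-of-band check a consumer can run when it has to pin by tag rather than by SHA, namely resolving the tag through `git ls-remote --tags` output and comparing it against the commit that was reviewed. The ls-remote output, the tag names and the SHAs in the sample are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example; not code from slsa-github-generator. Mirrors the ref check
# seen in the builder log (regex is an assumption matching the error text)
# and adds a tag-to-commit check for consumers that must pin by tag.
set -eu

# Reject anything that is not a refs/tags/vX.Y.Z tag ref. A bare 40-hex
# commit SHA, as passed when the workflow is pinned to a commit, fails here.
check_builder_ref() {
  local ref="$1"
  if printf '%s\n' "$ref" | grep -Eq '^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$'; then
    echo "ok: $ref"
    return 0
  fi
  echo "Invalid ref: $ref. Expected ref of the form refs/tags/vX.Y.Z" >&2
  return 1
}

# Resolve a tag name to a commit from `git ls-remote --tags` output.
# Annotated tags list two lines; the "^{}" (peeled) line carries the commit
# the tag object points to, so prefer it over the tag object's own SHA.
resolve_tag() {
  local out="$1" tag="$2" sha
  sha=$(printf '%s\n' "$out" | awk -v t="refs/tags/$tag^{}" '$2 == t { print $1 }')
  if [ -z "$sha" ]; then
    sha=$(printf '%s\n' "$out" | awk -v t="refs/tags/$tag" '$2 == t { print $1 }')
  fi
  [ -n "$sha" ] || return 1
  printf '%s\n' "$sha"
}

# Check that the tag you pin still resolves to the commit you reviewed.
# Returns 0 on match, 1 on mismatch (the tag moved), 2 if the tag is absent.
verify_tag_pin() {
  local out="$1" tag="$2" expected="$3" actual
  actual=$(resolve_tag "$out" "$tag") || { echo "tag $tag not found" >&2; return 2; }
  if [ "$actual" = "$expected" ]; then
    echo "tag $tag -> $actual (matches reviewed commit)"
    return 0
  fi
  echo "tag $tag -> $actual, expected $expected (tag moved?)" >&2
  return 1
}

# Constructed sample ls-remote output; SHAs and tag names are placeholders.
# Real input: git ls-remote --tags https://github.com/slsa-framework/slsa-github-generator
SAMPLE_LS_REMOTE=$(printf '%s\t%s\n' \
  'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' 'refs/tags/v1.0.0' \
  'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb' 'refs/tags/v1.0.0^{}' \
  'cccccccccccccccccccccccccccccccccccccccc' 'refs/tags/v0.9.0')

# Demo: the SHA from the log above is rejected, a tag ref is accepted, and
# the pinned tag is compared against the commit that was reviewed.
check_builder_ref 'bdd89e60dc5387d8f819bebc702987956bcd4913' || true
check_builder_ref 'refs/tags/v1.0.0'
verify_tag_pin "$SAMPLE_LS_REMOTE" v1.0.0 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
```

The tag check narrows the gap between Scorecard's hash-pinning advice and the generator's tag requirement, but it is not equivalent to SHA pinning: a tag can be moved between the moment it is checked and the moment the reusable workflow is fetched, so the comparison is a detection control, not a guarantee. The peeled-line preference matters in practice, because the generator's release tags are annotated and the unpeeled line is the SHA of the tag object, not of the commit.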

@laurentsimon
Collaborator

laurentsimon commented Aug 19, 2022

This is by "design" (see slsa-framework/slsa-verifier#12). We want to support it but we need GH support to add branch information within the OIDC token. So this is on our radar. Thanks for the reminder!

FYI @josepalafox

@ianlewis ianlewis added area:generic Issue with the generic generator and removed status:triage Issue that has not been triaged labels Aug 30, 2022
suzuki-shunsuke added a commit to aquaproj/example-go-slsa-provenance that referenced this issue Jan 5, 2023
andros21 added a commit to andros21/rustracer that referenced this issue Dec 31, 2023
using latest tag instead

see https://github.com/andros21/rustracer/actions/runs/7370799248/job/20057532474
During provenance/generator, something like the following is visible:
```console
[...]
Fetching the builder with ref: 07e64b653f10a80b6510f4568f685f8b7b9ea830
Invalid ref: 07e64b653f10a80b6510f4568f685f8b7b9ea830. Expected ref of the form refs/tags/vX.Y.Z
[...]
```

see slsa-framework/slsa-github-generator#722
3 participants