
CI: "Generate provenance" fails

Open hawksight opened this issue 1 year ago • 4 comments

The following step in the workflow always seems to fail for quite a while: https://github.com/jetstack/jetstack-secure/blob/master/.github/workflows/release-master.yml#L95-L100

We don't see it because it only runs on master branch. Given no-one has noticed or reported I take it is not a huge issue. But perhaps we should check why it is failing and look to fix?

hawksight avatar Jul 01 '24 11:07 hawksight

Hey, thanks for raising this. I hadn't noticed the failing builds on master.

For anyone looking at this, the error seems (ex: this build) to be related to the cosign.pub that is pulled from the slsa-provenance-action:

INFO: Downloading slsa-provenance_0.7.2_linux_amd64.tar.gz.sig from https://github.com/philips-labs/slsa-provenance-action/releases/download/v0.7.2/slsa-provenance_0.7.2_linux_amd64.tar.gz.sig…
INFO: Downloading cosign.pub from https://github.com/philips-labs/slsa-provenance-action/releases/download/v0.7.2/cosign.pub…
INFO: Verifying signature…
Error: signature not found in transparency log
main.go:74: error during command execution: signature not found in transparency log
Error: Process completed with exit code 1.

This same issue was seen in https://github.com/philips-labs/slsa-provenance-action/issues/161. Our makefile does use COSIGN_EXPERIMENTAL=1 (see Makefile) but I can't see why the GitHub Actions workflow would also get this env var set...

The suggested fix is to disable COSIGN_EXPERIMENTAL:

     - name: Generate provenance
       uses: philips-labs/[email protected]
       with:
         command: generate
         subcommand: files
         arguments: --artifact-path mock
+      env:
+        COSIGN_EXPERIMENTAL: 0
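Review bot: the `uses:` line reads `philips-labs/[email protected]`, which looks like e-mail obfuscation mangling the action reference; restore the `@<ref>` form (the download URLs earlier in the thread point at v0.7.2) and consider pinning to the release's full commit SHA rather than a mutable tag, since this is the step that fetches the signing key and signature used for verification. Also note that, later in the thread (#553), adding `COSIGN_EXPERIMENTAL: 0` on its own is reported not to resolve the failure.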

maelvls avatar Jul 02 '24 11:07 maelvls

Remember to also remove @maelvls's warning note from the release process when we eventually fix this.

  • #548

wallrj avatar Jul 12 '24 13:07 wallrj

I tried to fix this in #553 but the simple fix @maelvls suggested does not seem to fix this.

I have then tried to run this thing locally:

# Try recreating locally like the release file
echo "foobar" > mock
/Users/peter.fiddes/projects/philips-labs/slsa-provenance-action/bin/slsa-provenance generate files --artifact-path mock

# Try doing it properly
/Users/peter.fiddes/projects/philips-labs/slsa-provenance-action/bin/slsa-provenance generate container --repository "quay.io/jetstack/preflight" --output-path "provenance.json" --digest "sha256:48e30b96726a8e0dc09c68bdf9e6153cee10d5874f988745519b6ea75c579192" --tags "v0.1.49"

All get a different error because it's running outside of GH actions:

Error: no value found for required flag: github-context
2024/07/31 18:05:05 error during command execution: no value found for required flag: github-context

I know nothing about this, but any suggestions on how I can provide the "github-context" this tool requires? Perhaps I should create another workflow to specifically test running this. That might be the quickest way to test. I'd prefer to do it locally though.

If there is no easy way to run it locally to attempt to rectify this... I suggest we just nuke these build steps, because they haven't worked in so long and not a single person has complained.

That should be the fallback plan.

Also I realise that this issue is a duplicate of #472.

hawksight avatar Jul 31 '24 17:07 hawksight
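Added example, not code from the issue or from the jetstack-secure or slsa-provenance-action projects: a small triage helper run over the two failure excerpts quoted above (the cosign "signature not found in transparency log" job log and the local "required flag: github-context" error). The sample logs are constructed copies of those excerpts, and the function and constant names (`triage`, `COSIGN_LOG`, `LOCAL_LOG`) are my own.

```python
import re

# Constructed samples re-typed from the two failure excerpts quoted in this thread.
COSIGN_LOG = """\
INFO: Downloading slsa-provenance_0.7.2_linux_amd64.tar.gz.sig from https://github.com/philips-labs/slsa-provenance-action/releases/download/v0.7.2/slsa-provenance_0.7.2_linux_amd64.tar.gz.sig...
INFO: Downloading cosign.pub from https://github.com/philips-labs/slsa-provenance-action/releases/download/v0.7.2/cosign.pub...
INFO: Verifying signature...
Error: signature not found in transparency log
main.go:74: error during command execution: signature not found in transparency log
Error: Process completed with exit code 1.
"""

LOCAL_LOG = """\
Error: no value found for required flag: github-context
2024/07/31 18:05:05 error during command execution: no value found for required flag: github-context
"""

DOWNLOAD_RE = re.compile(r"^INFO: Downloading (\S+) from (\S+)")
RELEASE_RE = re.compile(r"/releases/download/([^/]+)/")
FLAG_RE = re.compile(r"no value found for required flag: (\S+)")


def triage(log: str) -> dict:
    """Classify a failed 'Generate provenance' step from its job log text:
    which artifacts the installer fetched, from which release tag(s), and
    which of the two failure modes seen in this thread occurred."""
    result = {"downloads": [], "releases": set(), "failure": "unknown", "detail": None}
    for line in log.splitlines():
        m = DOWNLOAD_RE.match(line)
        if m:
            url = m.group(2).rstrip(".\u2026")  # strip the installer's trailing ellipsis
            result["downloads"].append((m.group(1), url))
            rel = RELEASE_RE.search(url)
            if rel:
                result["releases"].add(rel.group(1))
            continue
        if "signature not found in transparency log" in line:
            # cosign ran in keyless/experimental mode and required a Rekor entry;
            # the release ships cosign.pub, so verification belongs in key mode.
            result["failure"] = "rekor-lookup"
            continue
        m = FLAG_RE.search(line)
        if m:
            result["failure"] = "missing-flag"
            result["detail"] = m.group(1)
    # A signature and key fetched from different releases is a red flag in itself.
    result["mixed_releases"] = len(result["releases"]) > 1
    return result
```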

I wonder if --github-context refers to the JSON blob you can obtain in github actions using ${{toJson(github)}}. I found that in https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/contexts#example-contents-of-the-github-context. Crafting this JSON by hand seems possible, maybe try:

github_context=$(cat <<"JSON"
{
  "token": "***",
  "job": "dump_contexts_to_log",
  "ref": "refs/heads/my_branch",
  "sha": "c27d339ee6075c1f744c5d4b200f7901aad2c369",
  "repository": "octocat/hello-world",
  "repository_owner": "octocat",
  "repositoryUrl": "git://github.com/octocat/hello-world.git",
  "run_id": "1536140711",
  "run_number": "314",
  "retention_days": "90",
  "run_attempt": "1",
  "actor": "octocat",
  "workflow": "Context testing",
  "head_ref": "",
  "base_ref": "",
  "event_name": "push",
  "event": {
    ...
  },
  "server_url": "https://github.com",
  "api_url": "https://api.github.com",
  "graphql_url": "https://api.github.com/graphql",
  "ref_name": "my_branch",
  "ref_protected": false,
  "ref_type": "branch",
  "secret_source": "Actions",
  "workspace": "/home/runner/work/hello-world/hello-world",
  "action": "github_step",
  "event_path": "/home/runner/work/_temp/_github_workflow/event.json",
  "action_repository": "",
  "action_ref": "",
  "path": "/home/runner/work/_temp/_runner_file_commands/add_path_b037e7b5-1c88-48e2-bf78-eaaab5e02602",
  "env": "/home/runner/work/_temp/_runner_file_commands/set_env_b037e7b5-1c88-48e2-bf78-eaaab5e02602"
}
JSON
)

and then you can use the flag:

--github-context="$github_context"

But I'd probably try act before hand-crafting this JSON blob 😅

maelvls avatar Aug 05 '24 15:08 maelvls