slsa-github-generator
[e2e]: go tag branch1 config-ldflags-assets slsa3
Repo: https://github.com/slsa-framework/example-package/tree/v15.0.100
Run: https://github.com/slsa-framework/example-package/actions/runs/2901955474
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml
Trigger: push
Branch: v15.0.100
Date: Mon Aug 22 07:20:12 UTC 2022
@asraa I suspect a bug in the logic where we search for the latest release. The latest run: https://github.com/slsa-framework/example-package/actions/runs/2946652178
annotated_tags:
Listing releases
Processing v15.0.100
latest_tag: v15.0.0
INFO: updating to v15.0.100
Processing v15.0.99
latest_tag: v15.0.100
INFO: updating to v15.0.99
Processing v15.0.98
latest_tag: v15.0.99
Processing v15.0.97
latest_tag: v15.0.99
Processing v15.0.96
latest_tag: v15.0.99
Processing v15.0.95
latest_tag: v15.0.99
Processing v15.0.94
latest_tag: v15.0.99
Processing v15.0.93
latest_tag: v15.0.99
Processing v15.0.92
latest_tag: v15.0.99
Processing v15.0.91
latest_tag: v15.0.99
Processing v15.0.90
latest_tag: v15.0.99
Latest tag found is v15.0.99
New release tag used: v15.0.100
Target branch: branch1
HTTP 422: Validation Failed (https://api.github.com/repos/slsa-framework/example-package/releases)
Release.tag_name already exists
I updated branch1 on the example-package repo as well just in case
I'm wondering if this is a bug in the logic of our number handling? 100 vs 10. I would need to look into it but bash kind of encourages bugs like that.
FAILED: SLSA verification failed: tag used to generate the binary does not match provenance: patch version expected '10', got '100'
This issue isn't being updated because the release job isn't working: https://github.com/slsa-framework/example-package/actions/runs/3133782090/jobs/5087539062
annotated_tags:
Listing releases
Latest tag found is v15.0.0
New release tag used: v15.0.1
Target branch: branch1
HTTP 422: Validation Failed (https://api.github.com/repos/slsa-framework/example-package/releases)
Release.tag_name already exists
likely a bug in version calculation: https://github.com/slsa-framework/example-package/releases?q=v15&expanded=true v15.0.0-99 exist
We list 200 releases when we search for the latest and it looks like the releases it cares about don't get returned. https://github.com/slsa-framework/example-package/blob/3eb9d201625bd4a709511039493f4d22ab6eb2bf/.github/workflows/scripts/e2e-create-release.sh#L51
We need a way to page through them or filter on them, but I don't think it's easy to do that with the gh client.
I see. This happened in the past and we increased the list of total releases to look at. Not going to work forever, though. I don't think there's a GitHub API to filter either. Any thoughts on the best approach? Write a client to list them all... delete all releases once a quarter?
/cc @asraa
I'm not sure. Yeah, deleting older releases would help but I'm sure it's not going to be any kind of guarantee unless we can keep the total number of releases less than the number we list (currently 200).
So we can use gh api --paginate to get all releases and iterate over them. That will iterate over hundreds of releases each time so that's probably not sustainable long term. Maybe we can also delete old releases as well.
I wrote a workflow in https://github.com/slsa-framework/example-package/pull/112 to delete releases that are more than 7 days old and run that every day. That currently will keep our releases down to a number of about 70.
I also updated the tests to use gh api --paginate so hopefully that should resolve the issue.
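As an added example (not the example-package repository's own e2e-create-release.sh, nor the cleanup workflow from the PR above), the following POSIX shell script sketches the two fixes this thread converges on: feed the latest-tag search the complete, paginated release listing instead of a fixed window of 200 entries, and compare MAJOR.MINOR.PATCH components numerically so that v15.0.100 is ranked above v15.0.99 (the same "100 vs 10" confusion a string comparison produces in the log earlier in this issue). The function names, the constructed sample tag list and the `gh api --paginate ... --jq` invocation shown in a comment are this example's own assumptions, not the project's code.

```shell
#!/bin/sh
# Added example, not the example-package repository's e2e-create-release.sh.
# 1. latest_tag consumes whatever complete listing is piped in (in a workflow,
#    the paginated `gh api` output), so the newest tag cannot be outside the
#    inspected window.
# 2. semver_gt compares each version component with -gt, not as a string, so
#    "100" ranks above "99" (lexically it would rank below).
# Function names and the sample data below are this example's own.

# is_semver TAG: succeed only for plain vMAJOR.MINOR.PATCH tags (digits and
# exactly two dots); pre-release or malformed tags such as v1.2.3-rc1 fail.
is_semver() {
  case "$1" in v*) ;; *) return 1 ;; esac
  t=${1#v}
  case "$t" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  r=${t#*.}
  case "$r" in *.*) ;; *) return 1 ;; esac      # needs a second dot
  case "${r#*.}" in *.*) return 1 ;; esac       # but no third one
  return 0
}

# semver_gt A B: succeed when tag A is strictly newer than tag B.
semver_gt() {
  a=${1#v}; b=${2#v}
  a1=${a%%.*}; ar=${a#*.}; a2=${ar%%.*}; a3=${ar#*.}
  b1=${b%%.*}; br=${b#*.}; b2=${br%%.*}; b3=${br#*.}
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -gt "$b3" ]
}

# latest_tag: read one tag per line on stdin, print the newest valid one.
# In a workflow the input would be the full paginated listing, for example:
#   gh api --paginate "repos/$OWNER/$REPO/releases" --jq '.[].tag_name' | latest_tag
# Prints nothing and fails if no valid tag was seen.
latest_tag() {
  best=''
  while IFS= read -r tag || [ -n "$tag" ]; do
    is_semver "$tag" || continue
    if [ -z "$best" ] || semver_gt "$tag" "$best"; then
      best=$tag
    fi
  done
  [ -n "$best" ] && printf '%s\n' "$best"
}

# next_tag TAG: bump the patch component, e.g. v15.0.100 -> v15.0.101.
next_tag() {
  t=${1#v}
  printf 'v%s.%s\n' "${t%.*}" "$(( ${t##*.} + 1 ))"
}

# Constructed sample listing in the order an API might return it; v15.0.100
# is the entry a string comparison (or a truncated listing) would lose.
SAMPLE_TAGS='v15.0.99
v15.0.100
v15.0.9
v14.9.200
v16.0.0-rc1
not-a-tag'

latest=$(printf '%s\n' "$SAMPLE_TAGS" | latest_tag)
echo "Latest tag found is $latest"
echo "New release tag used: $(next_tag "$latest")"
```

The pre-release and junk entries in the sample are skipped on purpose: the release script only ever wants the newest plain vX.Y.Z tag, and letting a tag like v16.0.0-rc1 through would make the next computed tag collide with an existing release, which is exactly the HTTP 422 "Release.tag_name already exists" failure quoted above.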
Thanks, this is awesome!
The create release script seems to be creating a release now but the workflow isn't triggering for some reason.
Strange. The tag is being created but it points to a commit that's apparently not part of the repository.

https://github.com/slsa-framework/example-package/tree/v15.0.2
I think this is caused by not syncing the branch.
Repo: https://github.com/slsa-framework/example-package/tree/v15.0.2
Run: https://github.com/slsa-framework/example-package/actions/runs/3187454829
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml
Trigger: push
Branch: v15.0.2
Date: Wed Oct 5 05:20:46 UTC 2022
Ok we are hitting the branch error now.
FAILED: SLSA verification failed: expected branch 'refs/heads/main', got 'refs/heads/branch1': branch used to generate the binary does not match provenance
Repo: https://github.com/slsa-framework/example-package/tree/v15.0.3
Run: https://github.com/slsa-framework/example-package/actions/runs/3195186520
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml
Trigger: push
Branch: v15.0.3
Date: Thu Oct 6 07:13:46 UTC 2022
Tests are passing now. Closing this issue.