
chore(deps): update github-actions

Open renovate-bot opened this issue 3 years ago • 8 comments

Mend Renovate

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | minor | v3.0.2 -> v3.1.0 |
| actions/checkout | action | minor | v2.4.2 -> v2.5.0 |
| actions/download-artifact | action | patch | v3.0.0 -> v3.0.1 |
| actions/setup-go | action | patch | v3.3.0 -> v3.3.1 |
| actions/setup-node | action | minor | v3.4.1 -> v3.5.1 |
| actions/upload-artifact | action | patch | v3.1.0 -> v3.1.1 |
| actions/upload-artifact | action | digest | 3cea537 -> 83fd05a |
| github/codeql-action | action | patch | v2.1.22 -> v2.1.28 |
| sigstore/cosign-installer | action | minor | v2.6.0 -> v2.8.1 |
| slsa-framework/slsa-github-generator | action | digest | 923a5a2 -> ce2408f |

Release Notes

actions/checkout

v3.1.0

Compare Source

actions/download-artifact

v3.0.1

Compare Source

actions/setup-go

v3.3.1

Compare Source

In scope of this release we fixed the issue with the correct generation of the cache key when the go-version-file input is set (https://github.com/actions/setup-go/pull/267). Moreover, we fixed an issue when the cache folder was not found. Besides, we updated actions/core to 1.10.0 version (https://github.com/actions/setup-go/pull/273).

actions/setup-node

v3.5.1

Compare Source

In scope of this release we updated actions/core to 1.10.0. Moreover, we added logic to print Nodejs, Npm, Yarn versions after installation.

v3.5.0

Compare Source

In scope of this release we add support for engines.node. The action will be able to grab the version from package.json#engines.node. https://github.com/actions/setup-node/pull/485. Moreover, we added support for Volta.

Besides, we updated @actions/core to 1.9.1 and @actions/cache to 3.0.4.

actions/upload-artifact

v3.1.1

Compare Source

  • Update actions/core package to latest version to remove set-output deprecation warning #351

github/codeql-action

v2.1.28

Compare Source

v2.1.27

Compare Source

v2.1.26

Compare Source

v2.1.25

Compare Source

v2.1.24

Compare Source

v2.1.23

Compare Source

sigstore/cosign-installer

v2.8.1

Compare Source

What's Changed

Full Changelog: https://github.com/sigstore/cosign-installer/compare/v2...v2.8.1

v2.8.0

Compare Source

What's Changed

Full Changelog: https://github.com/sigstore/cosign-installer/compare/v2.7.0...v2.8.0

v2.7.0

Compare Source

What's Changed

Full Changelog: https://github.com/sigstore/cosign-installer/compare/v2...v2.7.0


Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

renovate-bot avatar Sep 17 '22 05:09 renovate-bot

interesting: many pre-submits are failing

laurentsimon avatar Sep 19 '22 17:09 laurentsimon

/cc @ianlewis we may have updated the ncc dependency. I'm curious why it was not caught during an early pre-submit. Maybe another problem?

laurentsimon avatar Sep 20 '22 00:09 laurentsimon

check-dist-matrix is covered in #883.

For others it seems that building the builder is failing on verify-checkout. I'm not sure why.

mismatch git sha 81e7de69c1ac2722c5e0f48de5158e1738290b76 != 895fca8cfd55bd11d27ee394ae2eeb486328f9da

Maybe because of some change that happened to verify-checkout that happened between commits e3220805577deb9d193f64e519abcb3b50851df5 and de4491844e9be4184f786666af40f5b1b8e7ddc0?

ianlewis avatar Sep 21 '22 06:09 ianlewis

I noticed this error too. Very strange

laurentsimon avatar Sep 21 '22 19:09 laurentsimon

So it seems like we had been referencing generate-builder at e3220805577deb9d193f64e519abcb3b50851df5 https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_generic_slsa3.yml#L111

Which uses checkout-go at f9878d18f3c896502bdb5bbb96187fb787d529bb https://github.com/slsa-framework/slsa-github-generator/blob/e3220805577deb9d193f64e519abcb3b50851df5/.github/actions/generate-builder/action.yml#L37

which doesn't call verify-checkout https://github.com/slsa-framework/slsa-github-generator/blob/f9878d18f3c896502bdb5bbb96187fb787d529bb/.github/actions/checkout-go/action.yml

But when I update the generate-builder to use my test release per the release instructions it now includes the verify-checkout check and fails.

I think verify-checkout is maybe assuming that GITHUB_SHA and the locally checked out workspace will always be the same repo? In normal cases the GITHUB_SHA will be a digest from the user's repo and the local checkout will likely be the slsa-github-generator repo. e.g. when building the builder/generator.

ianlewis avatar Oct 07 '22 04:10 ianlewis
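The distinction ianlewis describes above (GITHUB_SHA belonging to the caller's repository while the workspace holds slsa-github-generator), as an added shell example that is not code from the slsa-github-generator project: normalize_repo, verify_checkout and verify_workspace are hypothetical names, and the check refuses to compare SHAs when the checkout is a different repository instead of reporting a spurious mismatch.

```shell
#!/bin/sh
# Added example, not the project's verify-checkout action: compare the
# checked-out commit against an expected SHA, but only after confirming the
# working tree belongs to the repository the expected SHA was taken from.
# Inputs are passed explicitly so the logic runs without a git checkout;
# verify_workspace shows the wiring to git and the Actions environment.

# Reduce a remote URL to "owner/repo" (https, ssh and .git suffix forms).
normalize_repo() {
  r="$1"
  case "$r" in
    git@github.com:*) r="${r#git@github.com:}" ;;
    https://github.com/*) r="${r#https://github.com/}" ;;
  esac
  r="${r%.git}"
  printf '%s\n' "$r"
}

# verify_checkout EXPECTED_REPO EXPECTED_SHA ACTUAL_REMOTE ACTUAL_HEAD
# Returns 0 when the checkout is the expected repo at the expected commit,
# 2 when the working tree is a different repository (the "building the
# builder" case from the thread: GITHUB_SHA belongs to the caller's repo
# while the checkout is slsa-github-generator), 1 on a SHA mismatch.
verify_checkout() {
  want_repo=$(normalize_repo "$1"); want_sha="$2"
  have_repo=$(normalize_repo "$3"); have_sha="$4"
  if [ "$want_repo" != "$have_repo" ]; then
    echo "refusing to compare: checkout is $have_repo, expected $want_repo" >&2
    return 2
  fi
  if [ "$want_sha" != "$have_sha" ]; then
    echo "mismatch git sha $have_sha != $want_sha" >&2
    return 1
  fi
  return 0
}

# Wiring for a real checkout: expected values from the workflow environment
# (GITHUB_REPOSITORY and GITHUB_SHA are set by GitHub Actions), actual
# values from the working tree at $1 (default: current directory).
verify_workspace() {
  dir="${1:-.}"
  verify_checkout "$GITHUB_REPOSITORY" "$GITHUB_SHA" \
    "$(git -C "$dir" config --get remote.origin.url)" \
    "$(git -C "$dir" rev-parse HEAD)"
}
```

Called as `verify_workspace .` in a composite action step after actions/checkout, the function fails the job on a wrong commit and exits with status 2 rather than a misleading SHA mismatch when the workspace is a different repository.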

I created #968 to track the above issue.

ianlewis avatar Oct 07 '22 08:10 ianlewis

renovate-bot is trying to update some of the references back to the v1.2.0 tag to match the tag=v1.2.0 comments and that's causing failures.

ianlewis avatar Oct 14 '22 00:10 ianlewis

FYI, I'm going to try to clean up the reference problem in https://github.com/slsa-framework/slsa-github-generator/issues/880

laurentsimon avatar Oct 18 '22 08:10 laurentsimon