Add known issues to docs (#1170)

* Add known issues to docs Signed-off-by: Ian Lewis <ianlewis@google.com> * add header Signed-off-by: Ian Lewis <ianlewis@google.com> * Update README.md * Clarify affected versions Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: Ian Lewis <ianlewis@google.com> Co-authored-by: asraa <asraa@google.com>
slsa-framework · Nov 1, 2022 · b68dcb0 · b68dcb0
1 parent 67e7b12
commit b68dcb0
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 4 deletions.
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
@@ -31,6 +31,7 @@ project simply generates provenance as a separate step in an existing workflow.
   - [Provenance for Java](#provenance-for-java)
   - [Provenance for Rust](#provenance-for-rust)
   - [Provenance for Haskell](#provenance-for-haskell)
+- [Known Issues](#known-issues)
 
 ---
 
@@ -77,7 +78,7 @@ provenance:
     actions: read # Needed for detection of GitHub Actions environment.
     id-token: write # Needed for provenance signing and ID
     contents: write # Needed for release uploads
-  uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+  uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1
   with:
     base64-subjects: "${{ needs.build.outputs.hashes }}"
 ```
@@ -134,7 +135,7 @@ jobs:
       actions: read
       id-token: write
       contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1
     with:
       base64-subjects: "${{ needs.build.outputs.hashes }}"
       # Upload provenance to a new release
@@ -892,3 +893,32 @@ jobs:
       base64-subjects: "${{ needs.build.outputs.hashes }}"
       upload-assets: true # Optional: Upload to a new release
 ```
+
+## Known Issues
+
+### error updating to TUF remote mirror: tuf: invalid key
+
+**Affected versions:** v1.2.x
+
+Workflows are currently failing with the error:
+
+```
+validating log entry: unable to fetch Rekor public keys from TUF repository, and not trusting the Rekor API for fetching public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
+```
+
+This issue is currently tracked by [issue #1163](https://github.com/slsa-framework/slsa-github-generator/issues/1163)
+
+You can work around this error by setting `compile-generator` input flag.
+
+```yaml
+with:
+  compile-generator: true
+```
+
+This will compile the generator binary used by the workflow instead of
+downloading the latest release. Make sure you continue to reference the workflow
+using a release tag in order to allow verification by `slsa-verifier`.
+
+```yaml
+uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1
+```
diff --git a/internal/builders/go/README.md b/internal/builders/go/README.md
@@ -14,6 +14,7 @@ This document explains how to use the builder for [Go](https://go.dev/) projects
   - [Workflow Example](#workflow-example)
   - [Provenance Example](#provenance-example)
   - [BuildConfig Format](#buildconfig-format)
+  - [Known Issues](#known-issues)
 
 ---
 
@@ -114,7 +115,7 @@ In the meantime, you can use both GoReleaser and this builder in the same reposi
 
 ```yaml
 builds:
----
+# ...
 goos:
   - windows
   - linux
@@ -201,7 +202,7 @@ jobs:
       contents: write # To upload assets to release.
       actions: read # To read the workflow path.
     needs: args
-    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.1.1
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
     with:
       go-version: 1.17
       # Optional: only needed if using ldflags.
@@ -343,3 +344,32 @@ The `BuildConfig` contains the following fields:
 ```json
   "workingDir": "/home/runner/work/ianlewis/actions-test"
 ```
+
+## Known Issues
+
+### error updating to TUF remote mirror: tuf: invalid key
+
+**Affected versions:** v1.2.x
+
+Workflows are currently failing with the error:
+
+```
+validating log entry: unable to fetch Rekor public keys from TUF repository, and not trusting the Rekor API for fetching public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
+```
+
+This issue is currently tracked by [issue #1163](https://github.com/slsa-framework/slsa-github-generator/issues/1163)
+
+You can work around this error by setting `compile-builder` input flag.
+
+```yaml
+with:
+  compile-builder: true
+```
+
+This will compile the builder binary used by the workflow instead of downloading
+the latest release. Make sure you continue to reference the workflow using a
+release tag in order to allow verification by `slsa-verifier`.
+
+```yaml
+uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
+```