From 295d81c00577406db4716f6a4759d063ded9c6e8 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Thu, 27 Oct 2022 07:24:01 +0000
Subject: [PATCH 1/4] Add known issues to docs
Signed-off-by: Ian Lewis
---
 internal/builders/generic/README.md | 32 +++++++++++++++--
 internal/builders/go/README.md | 54 +++++++++++++++++++++--------
 2 files changed, 69 insertions(+), 17 deletions(-)
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
index f0529932a9..30cd38245b 100644
--- a/internal/builders/generic/README.md
+++ b/internal/builders/generic/README.md
@@ -30,6 +30,7 @@ project simply generates provenance as a separate step in an existing workflow.
 - [Provenance for Java](#provenance-for-java)
 - [Provenance for Rust](#provenance-for-rust)
 - [Provenance for Haskell](#provenance-for-haskell)
+- [Known Issues](#known-issues)
 ---
@@ -76,12 +77,12 @@ provenance:
 actions: read # Needed for detection of GitHub Actions environment.
 id-token: write # Needed for provenance signing and ID
 contents: write # Needed for release uploads
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 ```
-**Note**: Make sure that you reference the generator with a semantic version of the form `@vX.Y.Z`.
+**Note**: Make sure that you reference the generator with a semantic version of the form `@vX.Y.Z`. More information [here](/README.md#referencing-slsa-builders-and-generators).
 Here's an example of what it might look like all together.
@@ -133,7 +134,7 @@ jobs:
 actions: read
 id-token: write
 contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 # Upload provenance to a new release
@@ -867,3 +868,28 @@ jobs:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
 ```
+
+## Known Issues
+
+Workflows are currently failing with the error:
+
+```
+validating log entry: unable to fetch Rekor public keys from TUF repository, and not trusting the Rekor API for fetching public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
+```
+
+This issue is currently tracked by [issue #1163](https://github.com/slsa-framework/slsa-github-generator/issues/1163)
+
+You can work around this error by setting `compile-generator` input flag.
+
+```yaml
+with:
+ compile-generator: true
+```
+
+This will compile the generator binary used by the workflow instead of
+downloading the latest release. Make sure you continue to reference the workflow
+using a release tag in order to allow verification by `slsa-verifier`.
+
+```yaml
+uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1
+```
diff --git a/internal/builders/go/README.md b/internal/builders/go/README.md
index 3606083f71..28a44c6f1c 100644
--- a/internal/builders/go/README.md
+++ b/internal/builders/go/README.md
@@ -14,6 +14,7 @@ This document explains how to use the builder for [Go](https://go.dev/) projects
 - [Workflow Example](#workflow-example)
 - [Provenance Example](#provenance-example)
 - [BuildConfig Format](#buildconfig-format)
+- [Known Issues](#known-issues)
 ---
@@ -91,19 +92,19 @@ In the meantime, you can use both GoReleaser and this builder in the same reposi
 ```yaml
 builds:
-...
- goos:
- - windows
- - linux
- - darwin
- goarch:
- - amd64
- - arm64
- - s390x
- # This instructs GoReleaser to not build for linux amd64.
- ignore:
- - goos: linux
- goarch: amd64
+---
+goos:
+ - windows
+ - linux
+ - darwin
+goarch:
+ - amd64
+ - arm64
+ - s390x
+# This instructs GoReleaser to not build for linux amd64.
+ignore:
+ - goos: linux
+ goarch: amd64
 ```
 The configuration file accepts many of the common fields GoReleaser uses, as you can see in the [example](#configuration-file). The configuration file also supports two variables: `{{ .Os }}` and `{{ .Arch }}`. Other variables can be set manually as shown in the table below, in combination with the builder's `evaluated-envs`:
@@ -177,7 +178,7 @@ jobs:
 contents: write # To upload assets to release.
 actions: read # To read the workflow path.
 needs: args
- uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.1.1
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
 with:
 go-version: 1.17
 # Optional: only needed if using ldflags.
@@ -319,3 +320,28 @@ The `BuildConfig` contains the following fields:
 ```json
 "workingDir": "/home/runner/work/ianlewis/actions-test"
 ```
+
+## Known Issues
+
+Workflows are currently failing with the error:
+
+```
+validating log entry: unable to fetch Rekor public keys from TUF repository, and not trusting the Rekor API for fetching public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
+```
+
+This issue is currently tracked by [issue #1163](https://github.com/slsa-framework/slsa-github-generator/issues/1163)
+
+You can work around this error by setting `compile-builder` input flag.
+
+```yaml
+with:
+ compile-builder: true
+```
+
+This will compile the builder binary used by the workflow instead of downloading
+the latest release. Make sure you continue to reference the workflow using a
+release tag in order to allow verification by `slsa-verifier`.
+
+```yaml
+uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
+```
From 19410610daa30d219a3d547fb95d382d7873b2c3 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Thu, 27 Oct 2022 07:26:54 +0000
Subject: [PATCH 2/4] add header
Signed-off-by: Ian Lewis
---
 internal/builders/generic/README.md | 2 ++
 internal/builders/go/README.md | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
index 30cd38245b..d0da333f2e 100644
--- a/internal/builders/generic/README.md
+++ b/internal/builders/generic/README.md
@@ -871,6 +871,8 @@ jobs:
 ## Known Issues
+### v1.2.x: tuf: invalid key
+
 Workflows are currently failing with the error:
 ```
diff --git a/internal/builders/go/README.md b/internal/builders/go/README.md
index 28a44c6f1c..f9dce4da99 100644
--- a/internal/builders/go/README.md
+++ b/internal/builders/go/README.md
@@ -323,6 +323,8 @@ The `BuildConfig` contains the following fields:
 ## Known Issues
+### v1.2.x: tuf: invalid key
+
 Workflows are currently failing with the error:
 ```
From dbedcf892489955dd4cea066c7a30929a9e9e18c Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Thu, 27 Oct 2022 21:25:42 +0900
Subject: [PATCH 3/4] Update README.md
---
 internal/builders/go/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/builders/go/README.md b/internal/builders/go/README.md
index e3fb0012c6..c2bf34b1e9 100644
--- a/internal/builders/go/README.md
+++ b/internal/builders/go/README.md
@@ -115,7 +115,7 @@ In the meantime, you can use both GoReleaser and this builder in the same reposi
 ```yaml
 builds:
----
+# ...
 goos:
 - windows
 - linux
From 014b0ab11470682f242e000a408b7aaab565090e Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Thu, 27 Oct 2022 22:37:25 +0000
Subject: [PATCH 4/4] Clarify affected versions
Signed-off-by: Ian Lewis
---
 internal/builders/generic/README.md | 4 +++-
 internal/builders/go/README.md | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
index b842101579..67c1ad4b7b 100644
--- a/internal/builders/generic/README.md
+++ b/internal/builders/generic/README.md
@@ -896,7 +896,9 @@ jobs:
 ## Known Issues
-### v1.2.x: tuf: invalid key
+### error updating to TUF remote mirror: tuf: invalid key
+
+**Affected versions:** v1.2.x
 Workflows are currently failing with the error:
diff --git a/internal/builders/go/README.md b/internal/builders/go/README.md
index c2bf34b1e9..4c4b4d5fa3 100644
--- a/internal/builders/go/README.md
+++ b/internal/builders/go/README.md
@@ -347,7 +347,9 @@ The `BuildConfig` contains the following fields:
 ## Known Issues
-### v1.2.x: tuf: invalid key
+### error updating to TUF remote mirror: tuf: invalid key
+
+**Affected versions:** v1.2.x
 Workflows are currently failing with the error: