fix(deps): sigstore revert from v1.9 to v1.8 #2913

Merged. laurentsimon merged 7 commits into slsa-framework:main from enteraga6:sigstore1.8-revert on Oct 24, 2023.
Conversation
enteraga6 requested review from asraa, ianlewis, laurentsimon, joshuagl and kpk47 as code owners, October 24, 2023 18:59
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
…ritical vuln Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
Point actions back to slsa-framework/...@main This reverts commit 1c61d2a. Signed-off-by: Noah Elzner <[email protected]>
enteraga6 force-pushed the sigstore1.8-revert branch from 4fe6af9 to 48a08fc, October 24, 2023 19:24
laurentsimon approved these changes, Oct 24, 2023
@enteraga6 Can you maybe create an issue on the At least we'll be able to get more clarification.

@ianlewis Certainly! Tracking the issue here: sigstore/sigstore-js#833
laurentsimon pushed a commit that referenced this pull request, Mar 28, 2024:

# Summary

Updates sigstore version from 1.8 -> 2.2.2 for the root dependency version and for the GitHub Actions `sign-attestation`, `verify-token`, and `setup-generic`. Per 1.9, signing options needed to be removed. More information on it here on this [Sigstore Issue](sigstore/sigstore-js#833). This fixes the revert from #2913.

The actions were refactored to explicitly use Sigstore's individual functions/types on imports, following this [v2.0.0 change](sigstore/sigstore-js@829e123).

## Testing Process

**Testing Removal of Signing Options**

After updating `sign-attestation` on a personal workflow pointing to the branch, check it out [here](https://github.com/enteraga6/bazel_docker_test/actions/runs/8458206728).

After updating `verify-token` and `setup-generic` to 1.9, I tested using this [workflow](https://github.com/enteraga6/bazel_docker_test/actions/runs/8459083200).

**Testing 2.2.2**

After updating the actions to Sigstore 2.2.2, I tested using this [workflow](https://github.com/enteraga6/bazel_docker_test/actions/runs/8464040937). Note: it says Sigstore 1.9 in the workflow title, but it was used to test 2.2.2. I used the same workflow.

**Final Test**

This [workflow test](https://github.com/enteraga6/bazel_docker_test/actions/runs/8474173065) shows successful functionality after all the changes.

## Checklist

- [x] Review the contributing [guidelines](./../CONTRIBUTING.md)
- [x] Add a reference to related issues in the PR description.
- [x] Update documentation if applicable.
- [x] Add unit tests if applicable.
- [x] Add changes to the [CHANGELOG](./../CHANGELOG.md) if applicable.

---------

Signed-off-by: Noah Elzner <[email protected]>
fixes issues #2873 through #2912 (e2e test failures)
Sigstore v1.9 introduces errors on retrieving the token as if the workflow is not seen as GHA but as a browser.
Example workflow using 1.9: https://github.com/enteraga6/bazel_docker_test/actions/runs/6631189448
It fails on slsa-setup with "error retrieving identity token"
Example workflow using 1.8: https://github.com/enteraga6/bazel_docker_test/actions/runs/6631199842
Token generation and retrieval completes successfully.
What causes the issue is currently unknown, but I think that it is a change heading towards the major version bump, which will require refactoring of which packages are used to get the token. See here: https://github.com/sigstore/sigstore-js/releases/tag/sigstore%402.0.0, especially bullet point 3, which conflicts with the current signing attestation action.
This PR reverts Sigstore dependencies to 1.8 to allow the workflows to properly run and not fail on setup.
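The description above reports `error retrieving identity token` on slsa-setup under sigstore v1.9 and says the cause is unknown. Before attributing such a failure to the library, a practitioner wants to confirm that the job itself can mint an OIDC token for the intended audience. The following is an added example, not code from slsa-github-generator or sigstore-js: it retrieves the GitHub Actions identity token directly through the documented Actions OIDC flow (the `ACTIONS_ID_TOKEN_REQUEST_URL` / `ACTIONS_ID_TOKEN_REQUEST_TOKEN` variables, an `audience` query parameter, and a JSON response carrying the JWT in `value`) and then checks the issuer, audience and expiry claims that a Fulcio-backed signer relies on. The audience value `sigstore`, the sample claims, the fake environment and the fake token endpoint are constructed assumptions so the example runs offline; in a real job you would pass `process.env` and the global `fetch`.

```javascript
// Added example (not slsa-github-generator or sigstore-js code): fetch the
// GitHub Actions OIDC identity token the way the documented Actions flow does,
// then sanity-check its claims. Used to separate "the job cannot mint a token"
// (usually a missing `permissions: id-token: write`) from a library problem.

const EXPECTED_ISSUER = "https://token.actions.githubusercontent.com";

// Decode the payload segment of a JWT without verifying its signature.
// Signature verification is Fulcio's / the verifier's job, not this check's.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected 3 dot-separated segments");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Retrieve an identity token for `audience`. `env` and `fetchFn` are injectable
// so the function can be exercised offline; in a job pass process.env and fetch.
async function getActionsIdToken(audience, env = process.env, fetchFn = globalThis.fetch) {
  const url = env.ACTIONS_ID_TOKEN_REQUEST_URL;
  const reqToken = env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
  if (!url || !reqToken) {
    // Both variables are only populated when the job has `id-token: write`.
    throw new Error("OIDC request variables missing: grant `id-token: write` to the job");
  }
  const target = new URL(url);
  target.searchParams.set("audience", audience);
  const res = await fetchFn(target.toString(), {
    headers: { Authorization: `Bearer ${reqToken}`, Accept: "application/json" },
  });
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  const body = await res.json();
  if (typeof body.value !== "string") throw new Error("token endpoint response lacks `value`");
  return body.value;
}

// Check the claims a Fulcio-backed signer keys on: issuer, audience, expiry.
// `now` is injectable (seconds since epoch) so expiry can be tested deterministically.
function checkIdTokenClaims(jwt, audience, now = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(jwt);
  const problems = [];
  if (claims.iss !== EXPECTED_ISSUER) problems.push(`iss=${claims.iss}`);
  if (claims.aud !== audience) problems.push(`aud=${claims.aud}`);
  if (typeof claims.exp !== "number" || claims.exp <= now) problems.push("expired");
  return { ok: problems.length === 0, problems, claims };
}

// Constructed sample data (assumption, not real tokens): an unsigned JWT with
// a dummy signature segment, a fake environment and a fake token endpoint.
function makeFakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.c2ln`;
}

const SAMPLE_CLAIMS = {
  iss: EXPECTED_ISSUER,
  aud: "sigstore", // assumed audience; use whatever your signer requests
  sub: "repo:example-org/example-repo:ref:refs/heads/main",
  exp: 4102444800, // 2100-01-01, so the sample never expires in tests
};

const fakeEnv = {
  ACTIONS_ID_TOKEN_REQUEST_URL: "https://pipelines.actions.example/_apis/token",
  ACTIONS_ID_TOKEN_REQUEST_TOKEN: "fake-request-token",
};

// Mimics the Actions token endpoint: requires the bearer request token and
// echoes the requested audience into the minted JWT.
async function fakeFetch(url, init) {
  const aud = new URL(url).searchParams.get("audience");
  if (init.headers.Authorization !== `Bearer ${fakeEnv.ACTIONS_ID_TOKEN_REQUEST_TOKEN}`) {
    return { ok: false, status: 401, json: async () => ({}) };
  }
  return {
    ok: true,
    status: 200,
    json: async () => ({ value: makeFakeJwt({ ...SAMPLE_CLAIMS, aud }) }),
  };
}

// End-to-end run against the fake endpoint; returns the claim-check result.
async function demo() {
  const jwt = await getActionsIdToken("sigstore", fakeEnv, fakeFetch);
  return checkIdTokenClaims(jwt, "sigstore");
}

demo().then((r) => console.log(r.ok ? "token OK" : `token problems: ${r.problems.join(", ")}`));
```

If `getActionsIdToken` throws on the missing request variables, the workflow lacks `id-token: write` and no sigstore version will succeed; if it returns a token whose claims pass the check, the environment is fine and the failure lies between the library and the token, which is where the issue tracked in sigstore/sigstore-js#833 belongs.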