
[workflows] Update the version of the scorecard-action #86753

Merged
merged 1 commit into from
Mar 27, 2024

Conversation

tstellar (Collaborator) commented:

I'm hoping this will fix the errors we've been seeing the last few days:

2024-03-19T20:44:07.4841482Z 2024/03/19 20:44:07 error signing scorecard json results: error signing payload: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: invalid key

tstellar (Collaborator, Author) commented:

@diogoteles08

llvmbot (Collaborator) commented Mar 27, 2024:

@llvm/pr-subscribers-github-workflow

Author: Tom Stellard (tstellar)

Changes


Full diff: https://github.com/llvm/llvm-project/pull/86753.diff

1 Files Affected:

  • (modified) .github/workflows/scorecard.yml (+1-1)
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index b8e8ab26c3ffa6..ff61cf83a6af3c 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -36,7 +36,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
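Review bot: the `# v2.3.1` comment on the new `uses:` line is informational only; GitHub does not check it against the pinned SHA `0864cf19026789058feabb7e87baa5f140aac736`, so before merging please confirm that this commit is the one the v2.3.1 tag of ossf/scorecard-action points at (the release page or `git ls-remote --tags` against the repository both show that), since a mistyped or stale comment would hide which version of the action is actually running. Pinning to a full commit SHA rather than the tag is the right choice here and should be kept when the action is bumped again.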

boomanaiden154 (Contributor) commented:

I don't think it would hurt to land this and see if it helps? Updating the action either way doesn't seem like a bad idea...

diogoteles08 (Contributor) commented:

Hi! Thanks for mentioning me.

Yeah, this update will fix it. The error happened because Scorecard uses the Sigstore tool to sign its results, and Sigstore has done an update (https://blog.sigstore.dev/tuf-root-update/) that is not compatible with older Scorecard versions (for example, v2.1.2, used here). But Scorecard v2.3.1 is compatible with the Sigstore changes and should get back to work smoothly =)
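The diff in this PR keeps the workflow's `uses:` reference pinned to a full commit SHA with the release tag recorded in a trailing comment, which is the style the OpenSSF Scorecard project recommends for third-party actions. The following is an added example, not code from llvm-project or from ossf/scorecard-action: a small linter that scans a workflow file for `uses:` lines and reports which references are immutable (full 40-hex SHA), which are pinned but lack the version comment a reviewer needs to judge an upgrade like this one, and which are mutable tags or branches. The two `ossf/scorecard-action` lines come from the diff above; every other action name, SHA and tag in the sample is constructed for the example.

```python
"""Lint GitHub Actions `uses:` references for immutable pinning.

Added example; not part of llvm/llvm-project or ossf/scorecard-action.
Follows the pinned-SHA-plus-version-comment convention seen in the PR's diff.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A full git object id: the only reference GitHub treats as immutable.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# `uses: owner/repo@ref # comment`, with or without a leading list dash.
USES_LINE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)(?:\s*#\s*(\S+))?")

# Constructed sample workflow. The two ossf/scorecard-action lines are the
# before/after lines from this PR; all other actions, SHAs and tags are made up.
SAMPLE_WORKFLOW = """\
jobs:
  analysis:
    steps:
      - name: "Run analysis (old pin from the PR)"
        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
      - name: "Run analysis (new pin from the PR)"
        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
        with:
          results_file: results.sarif
      - uses: example-org/example-action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - uses: example-org/example-action@v2
      - uses: example-org/example-action@main
      - uses: example-org/example-action@0864cf1
      - uses: ./.github/actions/local-action
      - uses: example-org/example-action
"""


@dataclass
class Finding:
    line: int
    uses: str
    status: str  # ok | missing-version-comment | short-sha | mutable-ref | unpinned


def classify(uses: str, comment: Optional[str]) -> str:
    """Classify one `uses:` reference; returns "skip" for local/docker actions."""
    if uses.startswith("./") or uses.startswith("docker://"):
        return "skip"  # local path or container image: not a GitHub ref
    if "@" not in uses:
        return "unpinned"  # resolves to the default branch at run time
    _, ref = uses.rsplit("@", 1)
    if FULL_SHA.match(ref):
        # Immutable, but a reviewer still wants to know which release it is.
        return "ok" if comment else "missing-version-comment"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "short-sha"  # abbreviated ids can collide and are not accepted as pins
    return "mutable-ref"  # tag or branch: can be moved by the action's maintainers


def lint_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line that refers to a remote action."""
    findings: List[Finding] = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES_LINE.match(line)
        if not match:
            continue
        status = classify(match.group(1), match.group(2))
        if status != "skip":
            findings.append(Finding(number, match.group(1), status))
    return findings


def has_only_immutable_pins(text: str) -> bool:
    """True when every remote action is pinned to a full SHA with a version comment."""
    return all(f.status == "ok" for f in lint_workflow(text))


if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {finding.line:3d}  {finding.status:24s} {finding.uses}")
    print("all pinned:", has_only_immutable_pins(SAMPLE_WORKFLOW))
```

Running the module prints one line per remote action; in a CI job the boolean from `has_only_immutable_pins` is the natural gate. The classification is deliberately conservative: anything that is not a full SHA is reported as mutable, because tags and branches can be re-pointed after review, which is exactly the property the SHA pin in this PR avoids.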

@tstellar tstellar merged commit 2fa46ca into llvm:main Mar 27, 2024
6 checks passed