BUG Signed-Releases: internal error: too many releases, please report this #4059
Labels
Comments
spencerschrock
added a commit
to spencerschrock/scorecard
that referenced
this issue
Apr 29, 2024
if the 6th release had no assets, the lookback limit exit condition was being skipped. This led to scenarios where too many releases were being considered by the Signed-Releases check. ossf#4059 Signed-off-by: Spencer Schrock <sschrock@google.com>
2 tasks
|
Thanks for trying out v5.0.0-rc1 and reporting this issue! It didn't have to do with the specific artifacts, but rather which release had artifacts and which didn't. We limit our analysis to the last 5 releases, but there was an order of operation bug which was skipping this, and your test repo met the bug criteria. The 6th most recent release had no release artifacts, so we went on to the 7th (and beyond) |
spencerschrock
added a commit
that referenced
this issue
May 2, 2024
* switch signed-releases lookback limit precedence if the 6th release had no assets, the lookback limit exit condition was being skipped. This led to scenarios where too many releases were being considered by the Signed-Releases check. #4059 Signed-off-by: Spencer Schrock <sschrock@google.com> * make exit condition stronger any release after the lookback should be skipped Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com>
seelder
pushed a commit
to seelder/scorecard
that referenced
this issue
May 3, 2024
* switch signed-releases lookback limit precedence if the 6th release had no assets, the lookback limit exit condition was being skipped. This led to scenarios where too many releases were being considered by the Signed-Releases check. ossf#4059 Signed-off-by: Spencer Schrock <sschrock@google.com> * make exit condition stronger any release after the lookback should be skipped Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: seelder <seelder@ncsu.edu>
seelder
pushed a commit
to seelder/scorecard
that referenced
this issue
May 3, 2024
* switch signed-releases lookback limit precedence if the 6th release had no assets, the lookback limit exit condition was being skipped. This led to scenarios where too many releases were being considered by the Signed-Releases check. ossf#4059 Signed-off-by: Spencer Schrock <sschrock@google.com> * make exit condition stronger any release after the lookback should be skipped Signed-off-by: Spencer Schrock <sschrock@google.com> --------- Signed-off-by: Spencer Schrock <sschrock@google.com> Signed-off-by: seelder <seelder@ncsu.edu>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Running v5.0.0-rc1
Signed-Releases check reports
internal error: too many releases, please report thisReproduction steps
Steps to reproduce the behavior:
scorecard --repo github.com/cpswan/release_automationExpected behavior
I get a score for my signed releases.
Additional context
The repo I was testing against presently has 31 releases. I was previously signing with sigstore, but I just added a workflow to add SLSA provenance instead, so the releases now have a mixture of
.sigstoreandmultiple.intoto.jsonl. My first guess is that this might cause the problem.Testing against a repo that only has (some)
.sigstorereleases seems to work fine (e.g.scorecard --repo github.com/atsign-foundation/noports) NB that repo has more releases than the one that's failing, so it's not simply that 31 is too many.Testing against this repo, which has just
multiple.intoto.jsonlis also fineThe text was updated successfully, but these errors were encountered: