[bug] internal error Error: Process completed with exit code 1.

[konstruktoid]

Describe the bug

https://github.com/konstruktoid/ansible-role-docker-rootless/actions/runs/4291543901/jobs/7476983701#step:6:1

Run set -euo pipefail
  set -euo pipefail
  id=""
  if [[ -n "$RELEASE_ID_NEW_TAGS" ]]; then
    id="$RELEASE_ID_NEW_TAGS"
  elif [[ -n "$RELEASE_ID_TAG_NAME" ]]; then
    id="$RELEASE_ID_TAG_NAME"
  else
    echo "internal error"
    exit 1
  fi
  echo "id=$id" >> "$GITHUB_OUTPUT"
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    BUILDER_BINARY: slsa-generator-generic-linux-amd6[4](https://github.com/konstruktoid/ansible-role-docker-rootless/actions/runs/4291543901/jobs/7476983701#step:6:4)
    BUILDER_DIR: internal/builders/generic
    RELEASE_ID_NEW_TAGS: 
    RELEASE_ID_TAG_NAME: 
internal error
Error: Process completed with exit code 1.

Additional context

https://github.com/konstruktoid/ansible-role-docker-rootless/actions/workflows/slsa.yml
https://github.com/konstruktoid/ansible-role-docker-rootless/blob/main/.github/workflows/slsa.yml

$ git diff fcac96092050cfed84150ff4a8a71cc89472f759 .github/workflows/slsa.yml 
diff --git a/.github/workflows/slsa.yml b/.github/workflows/slsa.yml
index 6979597..9f85e95 100644
--- a/.github/workflows/slsa.yml
+++ b/.github/workflows/slsa.yml
@@ -20,7 +20,7 @@ jobs:
         shell: bash
 
       - name: Checkout repository
-        uses: actions/checkout@master
+        uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
 
       - name: Build artifacts
         run: |
@@ -46,7 +46,7 @@ jobs:
       actions: read
       id-token: write
       contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
     with:
       base64-subjects: "${{ needs.build.outputs.hashes }}"
       upload-assets: true

[konstruktoid]

konstruktoid/ansible-role-dns#15:
https://github.com/konstruktoid/ansible-role-dns/actions/runs/4289844197/jobs/7473293134
https://github.com/konstruktoid/ansible-role-dns/actions/workflows/slsa.yml

[asraa]

It seems like this failure is because this run was done on a push event, and the reusable workflow was invoked with upload-assets: true.

Because there was no tag name / release ID to upload the assets to, the workflow returned an internal error.

@ianlewis Should

slsa-github-generator/.github/workflows/generator_generic_slsa3.yml

Line 215 in 0c6b749

if: inputs.upload-assets == true

also check that it was triggered on a new tag or with a tag name?

[laurentsimon]

Should be able to fix this line https://github.com/konstruktoid/ansible-role-dns/blob/main/.github/workflows/slsa.yml#L52
with:

upload-assets: ${{ github.event_name == 'release' }}

Something we probably should add in our documentation, if we don't have it.

Or do we think we should update our code to ignore silently? I'm worried about ignoring silently in general.

Wdut?

[konstruktoid]

v1.4.0 works (https://github.com/konstruktoid/ansible-role-docker-rootless/actions/workflows/slsa.yml) and the v1.5.0 changelog states that "a new upload-tag-name input was added to allow users to specify the tag name for the release when upload-assets is set to true".

My interpretation of the changelog is that a new, not required, input has been added and a user may specify a tag name if upload-assets: true. And setting upload-assets: ${{ github.event_name == 'release' }} is not equal to upload-assets: true.

[asraa]

Yes, I think there's a compatibility issue where previously the push events would ignore uploading assets (sort of by accident), and here it's now implicitly expected to have been uploaded.

IMO the best fix is to push a patch release fixing via something I proposed above and to issue a workaround via Laurent's comment for using 1.5.0

[laurentsimon]

Seems like the only viable option to avoid breaking folks.

[behnazh-w]

I had a similar confusion regarding upload-assets. To begin with, setting it to true does not make sense when there is no draft release. But if there is one, and and upload-tag-name is set, then upload-assets: true would be meaningful even when the workflow is triggered via push.

First, I think the documentation needs to improve regarding upload-assets and different events. But the next question is if the upload fails in this case (push event), should the whole workflow fail or pass (with @asraa 's proposed fix)?

[ianlewis]

@ianlewis Should

slsa-github-generator/.github/workflows/generator_generic_slsa3.yml

Line 215 in 0c6b749

if: inputs.upload-assets == true

also check that it was triggered on a new tag or with a tag name?

Yeah, I think that's right. upload-assets: true was previously ignored if the workflow was not triggered by a release/tag so we will need to preserve that functionality to be backwards compatible.

[ianlewis]

I'll do the following for this issue

1. add a known issue to the doc for 1.5.0 (docs: Add known issue for #1702 #1733)
2. Fix generic generator to ignore upload-assets if the workflow was not triggered by a release/tag. (fix: Don't try to upload assets without a tag name #1712)
3. Add e2e regression test for upload-assets (https://github.com/slsa-framework/example-package/blob/7397f27b43ba30752bfc6ac0ff038dc6336dd1af/.github/workflows/e2e.generic.push.main.upload-tag-name.slsa3.yml)

[laurentsimon]

Fix generic generator to ignore upload-assets if the workflow was not triggered by a release/tag.

On other triggers: in addition to testing if tag-name is set, should we check that upload-assets is true still?

[ianlewis]

Fix generic generator to ignore upload-assets if the workflow was not triggered by a release/tag.

On other triggers: in addition to testing if tag-name is set, should we check that upload-assets is true still?

Right, I wasn't clear. We won't try to upload assets to a release unless there is a tag name and upload-assets is true.

[ianlewis]

I've fixed this and added tests. It will be released in v1.5.1 soon.

[konstruktoid]

Does https://github.com/slsa-framework/slsa-github-generator/pull/1733/files#diff-16f6a396627c41a481fce367ef13571a35d92d30d9d470b7d9956c0c49cf9a6bR1280-R1281 mean that upload-tag-name isn't dynamic?

Wouldn't this make more sense?

upload-assets: true
upload-tag-name: ${{ startsWith(github.ref, 'refs/tags/') }}

[ianlewis]

Does https://github.com/slsa-framework/slsa-github-generator/pull/1733/files#diff-16f6a396627c41a481fce367ef13571a35d92d30d9d470b7d9956c0c49cf9a6bR1280-R1281 mean that upload-tag-name isn't dynamic?

Wouldn't this make more sense?

upload-tag-name is a string input that allows you to specify the tag name yourself. If you don't specify it, the tag that was pushed is used (i.e. github.ref) IIUC, it's for uploading to releases like nightly releases that are done using a schedule rather than being triggered by pushing a tag.

Probably the example I wrote there could have been better, something like:

upload-assets: true
upload-tag-name: "nightly"

It's roughly equivalent to the tag_name input on the softprops/action-gh-release action.