[e2e]: container schedule main provenance-registry slsa3 #3024
Comments
Repo: https://github.com/slsa-framework/example-package/tree/main
The docker repo at line https://github.com/slsa-framework/example-package/actions/runs/7162395442/job/19499307066 to push the container image doesn't seem to exist / permission issue with DOCKER_TOKEN. @ianlewis pls confirm if this was created and where the image needs to be pushed. Repo structure:
The repo server shouldn't be
@ianlewis Here is more context for the swap and attempt for using dockerhub for images (i.e. deletion after completion) and GHCR for provenance: #2981 that we use two different registries (ghcr for provenance / dockerhub for container images). Now that the deletion is not a requirement, I can swap them back (images in GHCR and provenance in dockerhub) but would still require the
Workaround PR: slsa-framework/example-package#296 that still requires docker.io for provenance and ghcr.io for images
The latest run failed with
@laurentsimon Quick look at ur comment made me find a typo and here is the fix: slsa-framework/example-package#297
New run: https://github.com/slsa-framework/example-package/actions/runs/7186615098/job/19572433787. The step "Create and sign provenance" shows the following error: Seems like an authentication error to docker. Mhh, could it be that my token does not have the permissions... It should have. I'll verify and circle back here.
@laurentsimon Can you confirm if the below info is valid and exists as per
This should be under the same repo
should be
@ianlewis / @laurentsimon Here is the PR for provenance account auth
Current error I'm seeing is
Still failing, I think it's due to the value being visible in the script but not "exported" to the slsa-verifier process by default. Maybe we need to export it explicitly in the script if its value is not empty. Made this change https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e.container.default.verify.sh#L44-L47 but it has not fixed the problem. @saisatishkarra any thoughts? Have you run slsa-verifier CLI locally and confirmed that it works?
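The shell behaviour raised in the comment above, as an added example that is not part of the thread or the project's scripts: a variable assigned in a script reaches a child process only once it is exported, and exporting an empty value gives the child a set-but-empty variable rather than an unset one. `child_view` is a hypothetical stand-in for the verifier process and the registry value is constructed.

```shell
#!/bin/sh
# Hypothetical stand-in for a verifier child process: reports how the child
# sees COSIGN_REPOSITORY in its own environment ("unset", "empty" or the value).
child_view() {
    sh -c 'if [ -z "${COSIGN_REPOSITORY+x}" ]; then echo unset
           elif [ -z "$COSIGN_REPOSITORY" ]; then echo empty
           else echo "$COSIGN_REPOSITORY"; fi'
}

# Plain assignment: visible inside this script, absent from the child's environment.
plain_assignment() {
    (
        unset COSIGN_REPOSITORY          # drop any inherited export attribute
        COSIGN_REPOSITORY="registry.example/provenance"   # constructed value
        child_view
    )
}

# Export only when the value is non-empty, as the comment above suggests.
export_if_set() {
    (
        unset COSIGN_REPOSITORY
        COSIGN_REPOSITORY="$1"
        if [ -n "$COSIGN_REPOSITORY" ]; then export COSIGN_REPOSITORY; fi
        child_view
    )
}

# Unconditional export: an empty value arrives in the child as set-but-empty.
export_always() {
    (
        unset COSIGN_REPOSITORY
        COSIGN_REPOSITORY="$1"
        export COSIGN_REPOSITORY
        child_view
    )
}

echo "plain assignment      -> $(plain_assignment)"
echo "export if set (value) -> $(export_if_set registry.example/provenance)"
echo "export if set (empty) -> $(export_if_set '')"
echo "export always (empty) -> $(export_always '')"
```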
@laurentsimon I haven't run the slsa-verifier locally and never tried exporting
@laurentsimon I have tested this locally with some of the internal images.
Can you confirm what version of cosign is being used by the slsa-verifier and if the API needs the
cosign version is v2.2.0: https://github.com/slsa-framework/slsa-verifier/blob/main/go.mod#L21 The Cosign API allows setting this option in https://github.com/sigstore/cosign/blob/7763aefff1af577878fdd3befd1af8dcb1befc6d/pkg/cosign/verify.go#L88
Here is the PR for consuming COSIGN_REPOSITORY when set for verifying provenance stored in a different registry. I have tested the go binary of slsa-verifier locally with the changes and it seemed to honor the set env variable and successfully verify image provenance instead of failing. @ianlewis / @laurentsimon Please guide how to update the e2e workflow to use the
The changes in the PR make sense. I think this will work. We don't have good support to test a particular ref in the e2e test. I suggest we merge your PR and trigger it at main. Then we follow up with a PR to add a proper
Sounds good to me!!
Repo: https://github.com/slsa-framework/example-package/tree/main Tests are passing now. Closing this issue.
Looks like it's working, yaay, great job @saisatishkarra
Repo: https://github.com/slsa-framework/example-package/tree/main
Run: https://github.com/slsa-framework/example-package/actions/runs/7136867189
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.container.schedule.main.provenance-registry.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.container.schedule.main.provenance-registry.slsa3.yml
Trigger: schedule
Branch: main
Date: Fri Dec 8 03:07:35 UTC 2023