BUG Signed-Releases: internal error: too many releases, please report this #4059
Comments
if the 6th release had no assets, the lookback limit exit condition was being skipped. This led to scenarios where too many releases were being considered by the Signed-Releases check. ossf#4059 Signed-off-by: Spencer Schrock <[email protected]>
Thanks for trying out v5.0.0-rc1 and reporting this issue! It didn't have to do with the specific artifacts, but rather which release had artifacts and which didn't. We limit our analysis to the last 5 releases, but there was an order of operation bug which was skipping this, and your test repo met the bug criteria. The 6th most recent release had no release artifacts, so we went on to the 7th (and beyond).
* switch signed-releases lookback limit precedence

  if the 6th release had no assets, the lookback limit exit condition was being skipped. This led to scenarios where too many releases were being considered by the Signed-Releases check. #4059

  Signed-off-by: Spencer Schrock <[email protected]>

* make exit condition stronger

  any release after the lookback should be skipped

  Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
* switch signed-releases lookback limit precedence

  if the 6th release had no assets, the lookback limit exit condition was being skipped. This led to scenarios where too many releases were being considered by the Signed-Releases check. ossf#4059

  Signed-off-by: Spencer Schrock <[email protected]>

* make exit condition stronger

  any release after the lookback should be skipped

  Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: seelder <[email protected]>
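The maintainer's comment and the fix commits above describe an order-of-operations bug: the "no assets, skip this release" branch ran before the lookback exit test, so a 6th release without artifacts jumped over the exit and every older release was examined too, tripping the "too many releases" guard. The Go program below is an added illustration of that behaviour, not scorecard's own code; the `Release` type, the function names and the 8-release sample list are constructed for the example, and only the 5-release window and the error text come from the page. It places the described bug beside the corrected loop and shows the guard firing on one but not the other.

```go
package main

import (
	"errors"
	"fmt"
)

// Release is a minimal stand-in for a GitHub release (hypothetical type,
// not scorecard's own struct). Lists are ordered newest first, as the
// GitHub API returns them, so index 0 is the most recent release.
type Release struct {
	Tag    string
	Assets []string // asset file names such as "app.tar.gz" or "multiple.intoto.jsonl"
}

// releaseLookBack is the "last 5 releases" window the maintainer describes.
const releaseLookBack = 5

// considerReleasesBuggy models the bug as described: the "no assets" skip
// runs before the lookback exit, and the exit is an equality test. When the
// release at index 5 (the 6th newest) has no assets, `continue` bypasses the
// exit test; at index 6 the equality no longer holds, so every older release
// is considered as well.
func considerReleasesBuggy(releases []Release, lookback int) []Release {
	var considered []Release
	for i, r := range releases {
		if len(r.Assets) == 0 {
			continue // a skipped release never reaches the exit test below
		}
		if i == lookback {
			break
		}
		considered = append(considered, r)
	}
	return considered
}

// considerReleasesFixed applies the two changes the fix commits name:
// the lookback exit is evaluated first, and it uses ">=" so any release
// past the window is skipped regardless of the releases before it.
func considerReleasesFixed(releases []Release, lookback int) []Release {
	var considered []Release
	for i, r := range releases {
		if i >= lookback {
			break
		}
		if len(r.Assets) == 0 {
			continue
		}
		considered = append(considered, r)
	}
	return considered
}

// guardTooMany is the sanity check behind the reported error message: the
// evaluation step never expects more releases than the lookback window.
func guardTooMany(considered []Release, lookback int) error {
	if len(considered) > lookback {
		return errors.New("internal error: too many releases, please report this")
	}
	return nil
}

// sampleReleases builds a constructed list shaped like the reporter's repo:
// five releases with artifacts, a 6th with none, then more with artifacts.
func sampleReleases() []Release {
	rs := make([]Release, 0, 8)
	for i := 1; i <= 8; i++ {
		r := Release{Tag: fmt.Sprintf("v0.0.%d", 9-i)} // newest first
		if i != 6 {
			r.Assets = []string{"app.tar.gz", "multiple.intoto.jsonl"}
		}
		rs = append(rs, r)
	}
	return rs
}

func main() {
	rs := sampleReleases()
	buggy := considerReleasesBuggy(rs, releaseLookBack)
	fixed := considerReleasesFixed(rs, releaseLookBack)
	fmt.Printf("buggy loop considered %d releases; guard: %v\n", len(buggy), guardTooMany(buggy, releaseLookBack))
	fmt.Printf("fixed loop considered %d releases; guard: %v\n", len(fixed), guardTooMany(fixed, releaseLookBack))
}
```

Giving the 6th release an asset makes the buggy loop behave correctly again, which is why the maintainer could say the failure depended on which release lacked artifacts rather than on the artifact types.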
Describe the bug
Running v5.0.0-rc1
Signed-Releases check reports
internal error: too many releases, please report this
Reproduction steps
Steps to reproduce the behavior:
scorecard --repo github.com/cpswan/release_automation
Expected behavior
I get a score for my signed releases.
Additional context
The repo I was testing against presently has 31 releases. I was previously signing with sigstore, but I just added a workflow to add SLSA provenance instead, so the releases now have a mixture of `.sigstore` and `multiple.intoto.jsonl`. My first guess is that this might cause the problem.

Testing against a repo that only has (some) `.sigstore` releases seems to work fine (e.g. `scorecard --repo github.com/atsign-foundation/noports`). NB that repo has more releases than the one that's failing, so it's not simply that 31 is too many.

Testing against this repo, which has just `multiple.intoto.jsonl`, is also fine.