Update Scorecard Action version #730

Merged
merged 1 commit into from
Apr 16, 2024
Conversation

mcserep
Collaborator

@mcserep mcserep commented Apr 1, 2024

The Scorecard job added in #716 started to fail a week after, stating:

error signing payload: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: invalid key

See e.g. https://github.com/Ericsson/CodeCompass/actions/runs/8411925535/job/23032110561 for reference.

It is discussed in ossf/scorecard-action#997, that the Scorecard Action should be updated to v2.3.1.
I have replaced the pinned versions with semantic version requirements, so bugfixes and other non-breaking improvements are picked up automatically by newer pipeline runs. We do not use hash pinning in our other CI pipelines either.

@mcserep mcserep self-assigned this Apr 1, 2024
@mcserep mcserep added Target: Developer environment Developer environment issues consist of CodeCompass or 3rd-party build tooling, configuration or CI. Kind: Bug ⚠️ labels Apr 1, 2024
@mcserep mcserep requested a review from intjftw April 1, 2024 14:50
@mcserep mcserep force-pushed the scorecard-action-update branch from 9f1c63b to 9ef2ac3 Compare April 1, 2024 14:52
@mcserep
Collaborator Author

mcserep commented Apr 15, 2024

@intjftw Can you please take a look at this and merge it? Not super important, but the CI job keeps failing, and I get notifications.

@intjftw intjftw merged commit 6856f5d into master Apr 16, 2024
25 checks passed
@mcserep mcserep deleted the scorecard-action-update branch April 23, 2024 06:55
@mcserep
Collaborator Author

mcserep commented Apr 23, 2024

After the merge, the job still fails, because the ossf/scorecard-action action does not support semantic version tags (e.g. v2) the way other GitHub Actions do. Explicit version tags have to be used instead.

Fixed in 8e84d84.
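The two comments above turn on how a `uses:` reference in a workflow resolves: a floating major tag such as `@v2` only works if the action's maintainers publish and move such a tag (ossf/scorecard-action does not), an explicit tag such as `@v2.3.1` resolves but is still a mutable git tag, and a 40-character commit SHA is the only immutable pin. The script below is an added example, not code from the CodeCompass repository or from the Scorecard project: it scans workflow text for `uses:` lines, classifies each ref, and flags the case from this thread (a floating tag on an action that is assumed not to publish one). The embedded workflow is constructed for the example, the `FLOATING_TAG_NOT_PUBLISHED` set is an assumption seeded only with ossf/scorecard-action, and the SHA in the last step is a placeholder, not a real commit.

```python
import re

# Constructed sample workflow (not the CodeCompass one). Step 2 is the form
# that failed after this PR was merged, step 3 is the explicit tag the follow-up
# commit switched to, step 4 is a commit-SHA pin with a placeholder SHA.
SAMPLE_WORKFLOW = """\
name: Scorecard
on:
  push:
    branches: [master]
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run analysis (floating major tag, does not resolve for this action)
        uses: ossf/scorecard-action@v2
      - name: Run analysis (explicit version tag)
        uses: ossf/scorecard-action@v2.3.1
      - name: Upload results (commit SHA pin, placeholder SHA)
        uses: github/codeql-action/upload-sarif@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v3
"""

# Actions assumed (for this example) to publish no floating major/minor tags.
FLOATING_TAG_NOT_PUBLISHED = {"ossf/scorecard-action"}

# `- uses: owner/repo[/path]@ref   # optional comment`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")      # v2.3.1
FLOATING_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")     # v2, v2.3


def classify_ref(ref):
    """Classify the part after '@' in a uses: reference."""
    if SHA_RE.match(ref):
        return "sha"
    if EXACT_TAG_RE.match(ref):
        return "exact-tag"
    if FLOATING_TAG_RE.match(ref):
        return "floating-tag"
    return "branch-or-other"


def audit_workflow(text, no_floating=FLOATING_TAG_NOT_PUBLISHED):
    """Return one finding per uses: line, in file order.

    severity: "error" when the ref cannot resolve at all (floating tag on an
    action that publishes none), "warn" for any mutable ref (floating or exact
    tag, branch), "ok" only for a full commit SHA.
    """
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        kind = classify_ref(ref)
        if kind == "sha":
            severity, note = "ok", "immutable commit pin"
        elif kind == "floating-tag" and action in no_floating:
            severity = "error"
            note = "action publishes no floating tag; use an explicit tag or a commit SHA"
        elif kind == "floating-tag":
            severity, note = "warn", "floating tag: follows whatever the maintainer moves it to"
        elif kind == "exact-tag":
            severity, note = "warn", "git tag is mutable; prefer a commit SHA"
        else:
            severity, note = "warn", "branch or unknown ref; prefer a commit SHA"
        findings.append({"action": action, "ref": ref, "kind": kind,
                         "severity": severity, "note": note})
    return findings


def has_blocking_findings(findings):
    """True if any uses: line would fail to resolve."""
    return any(f["severity"] == "error" for f in findings)


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f['severity']:5} {f['action']}@{f['ref']} ({f['kind']}): {f['note']}")
```

Run against a real workflow with `audit_workflow(open(".github/workflows/scorecard.yml").read())`; the "error" row reproduces this thread's failure mode before a pipeline run does, and the "warn" rows list the tags that the Scorecard Pinned-Dependencies check would itself report as unpinned.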
