cosign verify-attestation hangs indefinitely in GitHub Actions #3602
Comments
This sounds like a one-off GHA failure, is it still occurring?
I can confirm the same behaviour in one of my actions.
Without logs, I'm unable to reproduce this.
I'll create a repro build and share it here.
I created a simple reproduction repository and the workflow hung on the first execution: https://github.com/ckotzbauer/verify-attestation-repro/actions/runs/9044178111/job/24852568726 Between lines 32 and 33/34 it took about 8 minutes.
At a quick glance, the large payload stands out to me. Will have to dig in a bit more.
Hi. This is still an issue. Thank you, @ckotzbauer, for making the reproducible repo. @haydentherapper The large payload seems typical for what I've been doing. I may be doing it wrong but I've been generally following standard advice. I will appreciate any help.
I have no idea yet why this would happen but I can confirm that https://github.com/jku/test-cosign-verify-hang/actions/runs/9204640839/job/25318590422 EDIT: As far as I can tell it's literally the
We're likely hitting this: actions/runner#1031: the GitHub runner is processing the line trying to find leaked secrets etc.
As a workaround for folks affected: Here's a version of @ckotzbauer's workflow that runs in 4 seconds:
@jku Thanks for the workaround and some further analysis, much appreciated! 🎉
@jku Thank you so much. I did not even think of that being an issue. I hope GitHub fixes that. Meanwhile, I'll use the workaround.
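The thread's diagnosis is that the runner chokes on the one enormous stdout line (the DSSE envelope carrying the whole base64-encoded SBOM), so the mitigation is to keep that line out of the job log. The script below is an added illustration of that approach; it is not @jku's workflow (which the thread links rather than quotes) and not cosign's own code. It assumes the `COSIGN` variable names the cosign binary, and the image, identity and issuer values in a real workflow `run:` step would replace the placeholders.

```shell
# Added example: run cosign verify-attestation in a GitHub Actions step without
# letting the multi-megabyte single-line DSSE envelope reach the job log, which the
# runner scans line by line (actions/runner#1031). The envelope goes to a file and
# only a short summary is printed.
set -eu

# Assumption: COSIGN points at the cosign binary (overridable, e.g. for testing).
: "${COSIGN:=cosign}"

# verify_attestation_quiet IMAGE TYPE IDENTITY ISSUER OUTFILE
# Runs the verification with stdout redirected to OUTFILE (use "$RUNNER_TEMP" in
# a workflow so the file is not left in the workspace), then prints one summary
# line per envelope. Exits non-zero if cosign rejects the attestation.
verify_attestation_quiet() {
  local image=$1 type=$2 identity=$3 issuer=$4 outfile=$5
  "$COSIGN" verify-attestation \
    --type "$type" \
    --certificate-identity "$identity" \
    --certificate-oidc-issuer "$issuer" \
    "$image" > "$outfile"
  summarize_envelopes "$outfile"
}

# summarize_envelopes FILE
# For each envelope line prints "<payloadType> <predicateType> <decoded bytes>"
# instead of the envelope itself. Lightweight sed extraction so the step does not
# depend on jq; the decoded statement is never echoed, only measured.
summarize_envelopes() {
  local file=$1 line ptype payload decoded predtype size
  while IFS= read -r line; do
    ptype=$(printf '%s' "$line" | sed -n 's/.*"payloadType": *"\([^"]*\)".*/\1/p')
    payload=$(printf '%s' "$line" | sed -n 's/.*"payload": *"\([^"]*\)".*/\1/p')
    decoded=$(printf '%s' "$payload" | base64 -d)
    predtype=$(printf '%s' "$decoded" | sed -n 's/.*"predicateType": *"\([^"]*\)".*/\1/p')
    size=$(printf '%s' "$decoded" | wc -c | tr -d ' ')
    printf '%s %s %s bytes\n' "$ptype" "$predtype" "$size"
  done < "$file"
}
```

In a workflow this is the body of a `run:` step; the summary line is what appears in the log, while the full envelope remains available in the file for later inspection or upload as an artifact.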
Description
I have a GitHub Action that builds and signs an image and pushes it to GHCR and DockerHub. I verify the signatures in the same action. The verification for the image happens instantly but on the verify-attestation for the SBOM, it hangs until it times out in six hours. I can verify that the attestation is pushed to the container registries and I can verify that locally on my Mac (M2) painlessly.
I'm using syft for SBOM generation and right now using a practically empty Dockerfile.
Version
cosign: v2.2.3
syft: v1.0.1
These are the logs from an example run.
logs_21813240831.zip
The workflow is here: https://github.com/AliSajid/aaprop/blob/next/.github/workflows/build_container.yaml