
Fix not found error for attestation build summary URL #5365

Open. Wants to merge 3 commits into master.

Conversation


@kachick kachick commented Dec 26, 2024


When I used the https://github.com/rubygems/release-gem action with .github/workflows/release.yml, it displayed the Build summary.

However, it links to https://github.com/OWNER/REPO/actions/runs/.github/workflows/release.yml and displays a Not Found error.
As far as I know, GitHub provides the list of workflow runs at https://github.com/OWNER/REPO/actions/workflows/release.yml.
Is this just a typo? Or does GitHub provide the runs link in several patterns?


@segiddins ref: #5330

I'm posting this PR instead of creating an issue, to share the related code. I'm okay with this being closed anytime. 🙇‍♂️

@segiddins (Member) commented

Thanks, I will figure this out when I get back to work next week

codecov bot commented Dec 29, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 94.26%. Comparing base (b093b95) to head (8981d71).
Report is 3 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5365      +/-   ##
==========================================
- Coverage   97.06%   94.26%   -2.80%     
==========================================
  Files         451      451              
  Lines        9391     9451      +60     
==========================================
- Hits         9115     8909     -206     
- Misses        276      542     +266     


@kachick kachick force-pushed the fix-attestation-wrong-url branch from 969b4b6 to 90c5750 on December 29, 2024 12:03
ashkulz commented Jan 11, 2025

@segiddins any update? Just started using Trusted Publishing and felt that I had a bug at my end due to this 😅

simi (Member) commented Jan 11, 2025

Hello @kachick, if I understand it well, the links are also swapped.

(screenshot: Link 1 and Link 2 in the Provenance section)

Link 1 should link to https://github.com/rubygems/gem_server_conformance/actions/workflows/push_gem.yml or, maybe better, to https://github.com/rubygems/gem_server_conformance/actions/runs/12419161302/workflow.

Link 2 should actually link to https://github.com/rubygems/gem_server_conformance/actions/runs/12419161302/attempts/1 (which is what Link 1 currently links to).

Does it make sense? Can you update your PR to fix this? I'm happy to review.

simi (Member) commented Jan 11, 2025

Also, for the commit link, what about using rubygems/gem_server_conformance@416df38 instead of https://github.com/rubygems/gem_server_conformance/tree/416df386388f6bef0c1c5c474f51fb64753a2799? 🤔

@@ -29,7 +29,8 @@ def display_data # rubocop:disable Metrics/MethodLength
commit = extensions["1.3.6.1.4.1.57264.1.3"]
ref = extensions["1.3.6.1.4.1.57264.1.14"]
san = extensions["subjectAltName"]
build_file_url = extensions["1.3.6.1.4.1.57264.1.21"]
build_summary_url = extensions["1.3.6.1.4.1.57264.1.21"]
build_file_url = build_summary_url.sub(%r{attempts/\d+\z}, "workflow")
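Review bot: the `sub` on the last line silently leaves `build_file_url` identical to `build_summary_url` whenever the 1.3.6.1.4.1.57264.1.21 value does not end in `attempts/<n>`, because `String#sub` returns the receiver unchanged when the pattern does not match, so the two links would duplicate with no signal. Consider matching explicitly, e.g. `m = build_summary_url.match(%r{\A(.*/actions/runs/\d+)/attempts/\d+\z})` and building `"#{m[1]}/workflow"` from the capture with a deliberate fallback when `m` is nil; a short comment explaining why the build file URL is derived from the run invocation extension rather than read from its own OID would also help the next reader of this method.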
kachick (Author) commented on this hunk:

Considering the test data and resources, "1.3.6.1.4.1.57264.1.9" or "1.3.6.1.4.1.57264.1.18" might be reasonable for this purpose. However, I can't know the actual response for now, so I'm using the existing resource here.

"1.3.6.1.4.1.57264.1.9" =>
".Xhttps://github.com/sigstore/sigstore-ruby/.github/workflows/release.yml@refs/tags/v0.1.1",
"1.3.6.1.4.1.57264.1.10" =>
".(f106999a2210a9a17b32b172f95518859a85ffed",
"1.3.6.1.4.1.57264.1.11" =>
".githubHosted",
"1.3.6.1.4.1.57264.1.12" =>
".)https://github.com/sigstore/sigstore-ruby",
"1.3.6.1.4.1.57264.1.13" =>
".(f106999a2210a9a17b32b172f95518859a85ffed",
"1.3.6.1.4.1.57264.1.14" =>
"..refs/tags/v0.1.1",
"1.3.6.1.4.1.57264.1.15" =>
"..766398650",
"1.3.6.1.4.1.57264.1.16" =>
"..https://github.com/sigstore",
"1.3.6.1.4.1.57264.1.17" =>
"..71096353",
"1.3.6.1.4.1.57264.1.18" =>
".Xhttps://github.com/sigstore/sigstore-ruby/.github/workflows/release.yml@refs/tags/v0.1.1",

https://github.com/sigstore/fulcio/blob/86a028b47a5ad67acf78ab30f6a7939fbf3411b0/docs/oid-info.md?plain=1#L124-L166

kachick (Author) commented:

Actual data from dump

attestation = Rubygem.find_by_name('gem_server_conformance').find_version_by_slug!('0.1.5').attestations.first

extensions = attestation.sigstore_bundle.leaf_certificate.openssl.extensions.to_h do |ext|
  [ext.oid, if (ext.oid =~ /\A1\.3\.6\.1\.4\.1\.57264\.1\.(\d+)\z/) && ::Regexp.last_match(1).to_i >= 8
              OpenSSL::ASN1.decode(ext.value_der).value
            else
              ext.value
            end]
end

extensions.slice("1.3.6.1.4.1.57264.1.9", "1.3.6.1.4.1.57264.1.18", "1.3.6.1.4.1.57264.1.21")
{"1.3.6.1.4.1.57264.1.9" =>
  "https://github.com/rubygems/gem_server_conformance/.github/workflows/push_gem.yml@refs/tags/v0.1.5",
 "1.3.6.1.4.1.57264.1.18" =>
  "https://github.com/rubygems/gem_server_conformance/.github/workflows/push_gem.yml@refs/tags/v0.1.5",
 "1.3.6.1.4.1.57264.1.21" =>
  "https://github.com/rubygems/gem_server_conformance/actions/runs/12419161302/attempts/1"}

The URLs returned by 9 and 18 will give a Not Found error in GitHub.
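As an added example (not code from this PR or from rubygems.org), the following Ruby applies the decode rule from the console snippet above to constructed DER values and derives the Provenance links with an explicit match instead of a bare `sub`, so a run URI without an `attempts/N` suffix is reported rather than silently reused. The OID constants, the sample values and the function names are assumptions assembled from strings that appear in this thread.

```ruby
require "openssl"

# Fulcio's GitHub extension OIDs, per the oid-info.md linked above.
FULCIO_PREFIX    = "1.3.6.1.4.1.57264.1."
OID_WORKFLOW_SHA = "#{FULCIO_PREFIX}3"   # legacy OID: raw string value
OID_SOURCE_REF   = "#{FULCIO_PREFIX}14"  # DER-wrapped UTF8String
OID_RUN_URI      = "#{FULCIO_PREFIX}21"  # DER-wrapped UTF8String ending in /attempts/N

# Constructed sample: raw extension values, DER-wrapped where a real certificate would be.
SAMPLE_EXTENSIONS_DER = {
  OID_WORKFLOW_SHA => "416df386388f6bef0c1c5c474f51fb64753a2799",
  OID_SOURCE_REF   => OpenSSL::ASN1::UTF8String.new("refs/tags/v0.1.5").to_der,
  OID_RUN_URI      => OpenSSL::ASN1::UTF8String.new(
    "https://github.com/rubygems/gem_server_conformance/actions/runs/12419161302/attempts/1"
  ).to_der,
}

# OIDs 1.3.6.1.4.1.57264.1.8 and above carry DER-encoded strings, older ones raw strings;
# this is the same rule the console snippet applies to ext.value_der.
def decode_extension_value(oid, raw)
  suffix = oid.delete_prefix(FULCIO_PREFIX)
  return raw unless suffix.match?(/\A\d+\z/) && suffix.to_i >= 8
  OpenSSL::ASN1.decode(raw).value
end

def decode_extensions(der_hash)
  der_hash.to_h { |oid, raw| [oid, decode_extension_value(oid, raw)] }
end

RUN_URI_RE = %r{\A(https://github\.com/[^/]+/[^/]+)/actions/runs/(\d+)/attempts/\d+\z}

# Derive the links the Provenance section shows. A failed match raises instead of
# silently reusing the summary URL, which is what a bare String#sub would do.
def attestation_links(extensions)
  summary = extensions.fetch(OID_RUN_URI)
  m = summary.match(RUN_URI_RE)
  raise ArgumentError, "unexpected run invocation URI: #{summary}" unless m
  repo_url, run_id = m[1], m[2]
  sha = extensions.fetch(OID_WORKFLOW_SHA)
  {
    build_summary_url: summary,                                    # .../attempts/1
    build_file_url: "#{repo_url}/actions/runs/#{run_id}/workflow", # the run's workflow file
    commit_url: "#{repo_url}/tree/#{sha}",
    commit_label: "#{repo_url.delete_prefix('https://github.com/')}@#{sha[0, 7]}",
    source_ref: extensions.fetch(OID_SOURCE_REF),
  }
end
```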

kachick (Author) commented Jan 12, 2025

Thanks for your review!
I agree with your suggestions and have updated this PR.

I have tried to check the actual behavior locally; however, the local environment does not display the Provenance section even after importing the SQL backup. Might it be redacting the attestations?

curl -OL https://s3-us-west-2.amazonaws.com/rubygems-dumps/production/public_postgresql/2025.01.06.21.21.01/public_postgresql.tar
./script/load-pg-dump -H 127.0.0.1 -d rubygems_development /tmp/tmp.sA8Ebb0Aqi/public_postgresql.tar

simi (Member) commented Jan 12, 2025

@kachick yes, it is redacted currently. I'll check if we can simply get an example one into the seed.

Also rubygems/rubygems.org-db-backups#13 could help in the future.
