[bug] Generic generator: provenance filename includes subject's subdirectory #1225
Comments
@ianlewis @laurentsimon do you think we should clarify document here and punt to the next release or try to get in for this one?
I think we can fix it for the next release unless we think it has security implications.
Pushing a PR
Thanks. This also seems to affect the Go builder: #1226 (comment) We'll need to do a separate PR for that.
Currently there is only one provenance file written for multiple subjects so the default is to call it
#1226 fixes the generic workflow, but fixing Go workflow is still outstanding.
Actually, I'll close this as fixed in #1226 and create a new issue for the Go workflow.
Describe the bug
If a subject is created within a subdirectory (i.e. `./target/foo.jar`) and hashes computed and stored from the root, the provenance generator attempts to create the provenance as `./target/foo.jar.intoto.jsonl`, which fails since `./target` no longer exists in the provenance job.
To Reproduce
See workflow: https://github.com/pnacht/jackson-core/blob/d6d0af665a0c9d842b07e4468a75d2b59828df99/.github/workflows/main.yml
And failed job: https://github.com/pnacht/jackson-core/actions/runs/3431333783/jobs/5720700225
It successfully builds `./target/jackson-core-2.14.0-SNAPSHOT.jar` but then the provenance job throws:
Expected behavior
The provenance should be generated successfully.
Additional context
@asraa suggested I generate the hashes within `./target` instead of the root. I will try this later.
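Added example, not code from slsa-github-generator or the reporter's workflow: it models the filename derivation the issue describes with constructed sha256sum lines (placeholder digests), shows why the root-relative subject fails in a job directory without `./target` while the `./target`-relative subject succeeds, and adds the pre-check a workflow could run before the provenance job. Function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from slsa-github-generator. Models the behaviour the
# issue describes: the provenance filename is derived from the subject name in
# the sha256sum output, so a subject hashed from the repo root as
# ./target/foo.jar yields ./target/foo.jar.intoto.jsonl, a path the provenance
# job cannot write because ./target does not exist there.
set -eu

# Constructed sha256sum lines; the digest is a placeholder, not a real hash.
SUBJECTS_FROM_ROOT='0000000000000000000000000000000000000000000000000000000000000000  ./target/foo.jar'
# Same artifact hashed from inside ./target, the workaround suggested in the issue.
SUBJECTS_FROM_TARGET='0000000000000000000000000000000000000000000000000000000000000000  foo.jar'

# Extract the subject name from one sha256sum line ("<hex>  <name>").
subject_name() {
  printf '%s\n' "${1#*  }"
}

# Derive the provenance filename the way the issue describes: <subject>.intoto.jsonl
provenance_name() {
  printf '%s.intoto.jsonl\n' "$(subject_name "$1")"
}

# Pre-check for a workflow: succeed only if no subject carries a directory
# component, so the provenance filename stays a bare file in the job's cwd.
subjects_are_flat() {
  ! printf '%s\n' "$1" | while IFS= read -r line; do
    subject_name "$line"
  done | grep -q '/'
}

# Simulate the provenance job: can the derived file be created from the
# working directory $2 (one that contains no ./target)?
provenance_write_would_succeed() {
  [ -d "$2/$(dirname "$(provenance_name "$1")")" ]
}

if [ "${1:-}" = "demo" ]; then
  WD="$(mktemp -d)"   # stands in for the provenance job's fresh checkout
  for s in "$SUBJECTS_FROM_ROOT" "$SUBJECTS_FROM_TARGET"; do
    printf '%s -> %s: ' "$(subject_name "$s")" "$(provenance_name "$s")"
    if provenance_write_would_succeed "$s" "$WD"; then echo writable; else echo 'fails (directory missing)'; fi
  done
  rmdir "$WD"
fi
```

Run with `sh example.sh demo` to print both cases; `subjects_are_flat` is the check to run on the build job's hash file before handing it to the provenance job.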