Alpine image not auto-detected on Action #1262

mvorisek opened this issue Feb 3, 2024 · 20 comments
@mvorisek

mvorisek commented Feb 3, 2024

CI log:

1s
Run codecov/codecov-action@v4
  with:
    token: ***
    fail_ci_if_error: true
    files: coverage/merged.xml,coverage/js/clover.xml
  env:
    LOG_COVERAGE: 1
/usr/bin/docker exec  fd8d6bfcab9afaaaefd7cb1c23b43d13cb5c46fd29b243c01cf76d86136bb29f sh -c "cat /etc/*release | grep ^ID"
==> linux OS detected
https://cli.codecov.io/latest/linux/codecov.SHA256SUM
==> Running version latest
gpg: directory '/github/home/.gnupg' created
gpg: /github/home/.gnupg/trustdb.gpg: trustdb created
gpg: key 806BB28AED779869: public key "Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg: Signature made Fri Feb  2 14:15:33 2024 UTC
gpg:                using RSA key 27034E7FDB850E0BBC2C62FF806BB28AED779869
gpg: Good signature from "Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2703 4E7F DB85 0E0B BC2C  62FF 806B B28A ED77 9869

==> Running version v0.4.6
==> Running command '/__w/_actions/codecov/codecov-action/v4/dist/codecov create-commit'
/__w/_actions/codecov/codecov-action/v4/dist/codecov create-commit -C 864df81d007f7cd8a0fea2e9495d14fd4563f03e -Z
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strcat_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __snprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __vfprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __realpath_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strdup: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __memcpy_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __vsnprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strcpy_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __fread_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __fprintf_chk: symbol not found

v3 with the same config is passing without any issue, but we want to upgrade as Node 16 is deprecated.

@thomasrockhu-codecov
Contributor

@mvorisek yeah I noticed this. I'm not sure why there's a difference between running gpgv versus gpg -v for this which would NOT show this warning, but there is this issue. I have confirmed with our security team that the security key is in fact correct and the warning is not showing something malicious.

I will continue to look into this so that the warning is properly removed.

@mvorisek
Author

Here https://github.com/atk4/core/blob/63a2d72bbf/.github/workflows/test-unit.yml#L135 is a repro if it helps. Also notice, we use a custom Alpine container image https://github.com/atk4/core/blob/63a2d72bbf/.github/workflows/test-unit.yml#L14.

Based on the likes it seems many people are affected.

The solution should probably be https://superuser.com/questions/1435147/how-to-suppress-warning-this-key-is-not-certified-with-a-trusted-signature#1435150, i.e. gpg --lsign-key "xxx", as mentioned also in https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key#1150984

@mvorisek
Author

mvorisek commented Mar 4, 2024

@thomasrockhu-codecov is there any progress on this issue?

@thomasrockhu-codecov
Contributor

@mvorisek I've been digging into this for a bit now. I don't think that adding gpg --lsign-key is what should be done.

The warning message implies that the key has not been signed by the user

it likely means we haven't signed the public key of the signature-maker.

This means that you, the user, have not indicated you trust the key. As a result, unless you actually import the key and sign it yourself, we will not be able to do anything about the warning.

As it is, the warning is just that, a warning, as the key is hard coded into the codebase.
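The distinction discussed above (a cryptographically valid signature from the hard-coded key versus the local trust-database warning) can be checked mechanically from gpg's `--status-fd` output. This is an added example, not code from codecov-action; the status lines are constructed to match the log in this issue, and `checkGpgStatus` is a hypothetical helper name.

```typescript
// Added example. SAMPLE_STATUS is constructed, not captured from a real run.
type Verdict = { ok: boolean; reason: string };

// Status keywords that mean the signature must not be accepted.
const REJECT: string[] = ["BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"];
const PREFIX = "[GNUPG:] ";

// Normalise "2703 4E7F ..." and "27034e7f..." to one comparable form.
function normalizeFpr(fpr: string): string {
  return fpr.replace(/\s+/g, "").toUpperCase();
}

function checkGpgStatus(status: string, pinnedFpr: string): Verdict {
  const pinned = normalizeFpr(pinnedFpr);
  let sawValid = false;
  let matched = false;
  for (const line of status.split(/\r?\n/)) {
    if (line.indexOf(PREFIX) !== 0) continue;
    const fields = line.slice(PREFIX.length).trim().split(/\s+/);
    const keyword = fields[0] ?? "";
    if (REJECT.indexOf(keyword) !== -1) return { ok: false, reason: keyword };
    // VALIDSIG carries the signing-key fingerprint first and the
    // primary-key fingerprint as its last field.
    if (keyword === "VALIDSIG" && fields.length >= 11) {
      sawValid = true;
      if (normalizeFpr(fields[fields.length - 1] ?? "") === pinned) matched = true;
    }
    // TRUST_UNDEFINED is the machine-readable form of "This key is not
    // certified with a trusted signature!". It reflects the local trustdb,
    // not signature validity, so the pinned fingerprint decides instead.
  }
  if (!sawValid) return { ok: false, reason: "no VALIDSIG" };
  if (!matched) return { ok: false, reason: "fingerprint mismatch" };
  return { ok: true, reason: "VALIDSIG from pinned key" };
}

const SAMPLE_STATUS = [
  "[GNUPG:] NEWSIG",
  "[GNUPG:] GOODSIG 806BB28AED779869 Codecov Uploader <security@codecov.io>",
  "[GNUPG:] VALIDSIG 27034E7FDB850E0BBC2C62FF806BB28AED779869 2024-02-02 " +
    "1706883333 0 4 0 1 10 00 27034E7FDB850E0BBC2C62FF806BB28AED779869",
  "[GNUPG:] TRUST_UNDEFINED 0 pgp",
].join("\n");
```

With this check a fresh keyring that has never certified the key still passes, while a valid signature from any other key fails.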

@mvorisek
Author

mvorisek commented Mar 7, 2024

@thomasrockhu-codecov please kindly reopen this issue, we use fail_ci_if_error: true and it currently fails our CI - so it is not a warning, it is an error which prevents us from upgrading to v4 (introduced in #1218).

@thomasrockhu-codecov
Contributor

@mvorisek oh! sorry I didn't realize that would happen. Let me dig in a little more then.

@thomasrockhu-codecov
Contributor

@mvorisek I don't think this is related to trusted signature as the system gets past verification. What is curious are the log lines after create-commit. Doing a quick search shows this could be related to glibc (see this issue).

@mvorisek
Author

mvorisek commented Mar 8, 2024

> @mvorisek I don't think this is related to trusted signature as the system gets past verification. What is curious are the log lines after create-commit. Doing a quick search shows this could be related to glibc (see this issue).

👍

Here is a minimal repro using GH Actions:

on:
  push:

jobs:
  ci:
    # runs-on is required for every job; the runner label here is an assumption
    runs-on: ubuntu-latest
    container:
      image: alpine
    steps:
      - name: Store coverage
        run: |
          # store coverage/merged.xml file here

      - name: Upload coverage logs
        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: true
          files: coverage/merged.xml       

With local Docker and an Alpine base image it should be simple to reproduce the issue.

Does Codecov bundle some lib linked against glibc? I use Alpine quite a lot and I would be surprised if native Alpine git lib would be this broken.

@drazisil-codecov
Contributor

Alpine doesn't use glibc, it uses musl, which is not the same. Could be that.

@mvorisek
Author

mvorisek commented Mar 8, 2024

Yes. My concern is what package causes that issue, dist/codecov? Is that some precompiled codecov binary?

@drazisil-codecov
Contributor

drazisil-codecov commented Mar 8, 2024

action@v4 uses https://github.com/codecov/codecov-cli.

Specifically,

const getBaseUrl = (platform: string, version: string): string => {
  return `https://cli.codecov.io/${version}/${platform}/${getUploaderName(platform)}`;
};

I think we use pyinstaller.

@psychobolt

psychobolt commented Apr 4, 2024

Works now on c16abc2

- uses: codecov/codecov-action@c16abc29c95fcf9174b58eb7e1abf4c866893bc8 # 4.1.1
  # ...

@hellwolf

hellwolf commented Apr 8, 2024

Ours fails after upgrading to 4.2.0 https://github.com/superfluid-finance/protocol-monorepo/actions/runs/8606474561/job/23586919598

(we were upgrading it to fix the previous failure.)

Frustratingly, we can't find a config now that works.

@mvorisek
Author

mvorisek commented Apr 8, 2024

We had to stick to v3 which uses deprecated Node 18.

Someone from Codecov should look into it as it affects a lot of users based on the votes count and the fact Alpine is very popular. The repro should be easy, use this plugin on a GitHub workflow using the alpine:latest image.

@thomasrockhu-codecov
Contributor

@mvorisek I have made an underlying change to the action, and setting fail_ci_if_error to true should not break. Would you mind trying the latest v4 and seeing if this works for you?

thomasrockhu-codecov added the support and bug labels May 14, 2024
thomasrockhu-codecov self-assigned this May 14, 2024

@mvorisek
Author

@thomasrockhu-codecov
Contributor

@mvorisek ahhh, this is a different issue. What OS is your runner using? You may need to specify a different OS for the action:

  with:
    token: ***
    fail_ci_if_error: true
    files: coverage/merged.xml
    os: alpine

@mvorisek
Author

I am running on Alpine. If there needs to be some different binary uploaded, I believe the detection should be done on runtime by the GH action itself.

@thomasrockhu-codecov
Contributor

@mvorisek you are correct, I have that on my list of things to do, but for now I just wanted you unblocked
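A sketch of the runtime detection requested above, as an added example that is not the action's own code: it parses os-release text and chooses the platform segment used by the `getBaseUrl` snippet quoted earlier in the thread. The os-release sample is constructed; `detectPlatform` and `parseOsRelease` are hypothetical names, and `getUploaderName` returning `codecov` for both platforms is an assumption based on the `linux/codecov` URL in the log.

```typescript
// Added example. ALPINE_OS_RELEASE is a constructed sample file body.
const ALPINE_OS_RELEASE = [
  'NAME="Alpine Linux"',
  "ID=alpine",
  "VERSION_ID=3.19.1",
  'PRETTY_NAME="Alpine Linux v3.19"',
].join("\n");

// Parse KEY=value lines; values may be bare, single- or double-quoted.
// Exact key matching avoids the ambiguity of `grep ^ID`, which also
// returns ID_LIKE lines.
function parseOsRelease(text: string): { [key: string]: string } {
  const out: { [key: string]: string } = {};
  for (const raw of text.split(/\r?\n/)) {
    const m = /^([A-Z0-9_]+)=(.*)$/.exec(raw.trim());
    if (!m) continue;
    const key = m[1] ?? "";
    const value = (m[2] ?? "").replace(/^(["'])(.*)\1$/, "$2");
    out[key] = value;
  }
  return out;
}

// nodePlatform is what the runtime reports (e.g. "linux"); only Linux needs
// the libc distinction, because Alpine ships musl rather than glibc.
function detectPlatform(nodePlatform: string, osReleaseText: string): string {
  if (nodePlatform !== "linux") return nodePlatform;
  const rel = parseOsRelease(osReleaseText);
  const ids = [rel["ID"] ?? ""]
    .concat((rel["ID_LIKE"] ?? "").split(/\s+/))
    .map((s) => s.toLowerCase());
  return ids.indexOf("alpine") !== -1 ? "alpine" : "linux";
}

// Assumption: the binary is named "codecov" on both platforms.
function getUploaderName(_platform: string): string {
  return "codecov";
}

// Same URL shape as the snippet quoted in the thread.
function getBaseUrl(platform: string, version: string): string {
  return `https://cli.codecov.io/${version}/${platform}/${getUploaderName(platform)}`;
}
```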

thomasrockhu-codecov changed the title from "[v4] This key is not certified with a trusted signature!" to "Alpine image not auto-detected on Action" May 16, 2024

@gVg771

gVg771 commented Jul 9, 2024

CI log:

1s
Run codecov/codecov-action@v4
  with:
    token: ***
    fail_ci_if_error: true
    files: coverage/merged.xml,coverage/js/clover.xml
  env:
    LOG_COVERAGE: 1
/usr/bin/docker exec  fd8d6bfcab9afaaaefd7cb1c23b43d13cb5c46fd29b243c01cf76d86136bb29f sh -c "cat /etc/*release | grep ^ID"
==> linux OS detected
https://cli.codecov.io/latest/linux/codecov.SHA256SUM
==> Running version latest
gpg: directory '/github/home/.gnupg' created
gpg: /github/home/.gnupg/trustdb.gpg: trustdb created
gpg: key 806BB28AED779869: public key "Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg: Signature made Fri Feb  2 14:15:33 2024 UTC
gpg:                using RSA key 27034E7FDB850E0BBC2C62FF806BB28AED779869
gpg: Good signature from "Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2703 4E7F DB85 0E0B BC2C  62FF 806B B28A ED77 9869

==> Running version v0.4.6
==> Running command '/__w/_actions/codecov/codecov-action/v4/dist/codecov create-commit'
/__w/_actions/codecov/codecov-action/v4/dist/codecov create-commit -C 864df81d007f7cd8a0fea2e9495d14fd4563f03e -Z
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strcat_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __snprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __vfprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __realpath_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strdup: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __memcpy_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __vsnprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strcpy_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __fread_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __fprintf_chk: symbol not found

v3 with the same config is passing without any issue, but we want to upgrade as Node 16 is deprecated.

sebhmg added a commit to sebhmg/param-sweeps that referenced this issue Jul 12, 2024
robcxyz added a commit to sudoblockio/icon-governance that referenced this issue Aug 1, 2024