Scorecard action v2.0.0 fails with 500 Internal Server Error #910
Comments
Hi @irongut please see https://github.com/ossf/scorecard-action#breaking-changes-in-v2. Since we use GitHub's OIDC token to ensure workflow integrity we only allow specific steps in the same job as the scorecard-action. The lines causing the failure in your case are here: https://github.com/irongut/EditRelease/blob/master/.github/workflows/openssf-scorecards.yml#L27-L30. You'll have to either: (i) specify that step in a separate job or (ii) set |
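An added illustration (not scorecard-webapp's own code) of the same-job step check described above: given a workflow already parsed into Python structures, it finds each job that runs ossf/scorecard-action and reports every step in that job whose action is not on an allowlist. The allowlist contents, the `disallowed_steps` / `has_id_token_write` helpers and the sample workflow are assumptions constructed for this example.

```python
# Example added for illustration; not the scorecard-webapp verifier.
from typing import Any, Dict, List

SCORECARD_ACTION = "ossf/scorecard-action"


def action_name(uses: str) -> str:
    """Strip the version ref: 'actions/checkout@v3' -> 'actions/checkout'."""
    return uses.split("@", 1)[0]


def disallowed_steps(workflow: Dict[str, Any], allowed: List[str]) -> Dict[str, List[str]]:
    """For every job that runs scorecard-action, list the steps in that same job
    that are not on the allowlist. A `run:` script step (no `uses:`) is always
    reported, since it is arbitrary code in the job whose result gets signed."""
    findings: Dict[str, List[str]] = {}
    for job_name, job in workflow.get("jobs", {}).items():
        steps = job.get("steps", [])
        if not any(action_name(s.get("uses", "")) == SCORECARD_ACTION for s in steps):
            continue
        bad = []
        for s in steps:
            if "uses" in s:
                if action_name(s["uses"]) not in allowed:
                    bad.append(s["uses"])
            else:
                first = (s.get("run") or "").strip().splitlines()
                bad.append("run: " + (first[0] if first else ""))
        if bad:
            findings[job_name] = bad
    return findings


def has_id_token_write(job: Dict[str, Any]) -> bool:
    """v2 needs the OIDC token, so the job must grant `id-token: write`."""
    return job.get("permissions", {}).get("id-token") == "write"


# Constructed workflow with the shape discussed in this thread (assumption).
WORKFLOW = {
    "jobs": {
        "analysis": {
            "runs-on": "ubuntu-latest",
            "permissions": {"id-token": "write", "security-events": "write"},
            "steps": [
                {"uses": "step-security/harden-runner@v2", "with": {"egress-policy": "audit"}},
                {"uses": "actions/checkout@v3"},
                {"uses": "ossf/scorecard-action@v2.0.0", "with": {"publish_results": True}},
            ],
        }
    }
}

STRICT = ["actions/checkout", "ossf/scorecard-action"]          # assumed allowlist
WITH_EXCEPTION = STRICT + ["step-security/harden-runner"]       # allowlist plus an exception
```

With `STRICT` the harden-runner step is flagged, which is the failure mode this comment describes; with `WITH_EXCEPTION` the job passes.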
That step can't run in a separate job; it is a security agent that protects against several supply chain attack vectors and needs to run in the job that is being protected. So what you're telling me is that OpenSSF Scorecards won't work with StepSecurity's Harden Runner security agent? Scorecards suggests StepSecurity Harden Workflows, which adds Harden Runner automatically, as remediation for several issues. So on the one hand you recommend StepSecurity, but on the other hand your tools are not actually compatible. This makes OpenSSF Scorecards no longer usable because it reduces supply chain security (at least if you want a badge).
@laurentsimon @asraa could we do away with workflow verification altogether to make this more flexible? One idea is to make the API We'll also need to separately verify if the workflow which signed the payload is the one making the POST API call. For this, we send the OIDC JWT in the POST payload and verify it's the same token used to sign the payload. Wdyt?
We can't bake in an API key: the binary will contain it and anyone will be able to extract it. @irongut we recommend using the web UI for remediation; we never ask to use the hardened runner. Can you point to the documentation that recommends installing the hardened runner?
I have added an exception for |
This still seems to be problematic for me. Got here as I am finally getting around to investigating why the v2 action was not working for me. After going through and adding the id-token: write perms, it still did not appear to be working. At this point, I've also commented out the harden-runner but am still getting the 500 error. Here's the run: https://github.com/jauderho/ghafiles/actions/runs/3715223655/jobs/6300125369#step:4:1156 Any ideas would be appreciated. Error message is |
Thanks for the report. This is a bug in our implementation: https://github.com/ossf/scorecard-webapp/blob/main/app/server/verify_workflow.go#L94
FWIW, |
I know! We just need to keep our list updated, because we can't dynamically infer what ubuntu-latest points to, AFAIK. But if you know how to reliably do that, please let us know.
Unfortunately, no. I do not like guessing what -latest points to either which is why I prefer to point to an explicit Ubuntu version. |
@jauderho I've applied the changes. Can you verify that it works with your setup?
Still not working in my test. Need to dig further.
Working in my test now: https://github.com/laurentsimon/scorecard-action-test-3/actions/runs/3733808955/jobs/6335072541. Closing this issue. Re-open if it still triggers on your end. Thanks!
The Scorecard Action fails for one of my projects with
500 Internal Server Error
after what appears to be a successful scan. This has been happening since I upgraded to v2.0.0 yesterday; prior to that, scans were working.
Project: irongut/EditRelease
Workflow: openssf-scorecards.yml
Failing Run: https://github.com/irongut/EditRelease/runs/8286780953?check_suite_focus=true