cosign verify-attestation hangs indefinitely in GitHub Actions #3602
Comments
This sounds like a one-off GHA failure, is it still occurring?
I can confirm the same behaviour in one of my actions.
Without logs, I'm unable to reproduce this.
I create a repro build and share it here.
I created a simple reproduction repository and the workflow hung on the first execution: https://github.com/ckotzbauer/verify-attestation-repro/actions/runs/9044178111/job/24852568726 Between line 32 and 33/34 it took about 8 minutes.
Description
I have a GitHub Action that builds and signs an image and pushes it to GHCR and DockerHub. I verify the signatures in the same action. The verification for the image happens instantly but on the Verify-Attestation for the SBOM, it hangs until it times out in six hours. I can verify that the attestation is pushed to the container registries and I can verify that locally on my Mac (M2) painlessly.
I'm using syft for SBOM generation and right now using a practically empty Dockerfile.
Version
cosign: v2.2.3
syft: v1.0.1
These are the logs from an example run.
logs_21813240831.zip
The workflow is here: https://github.com/AliSajid/aaprop/blob/next/.github/workflows/build_container.yaml