Homebrew / actions

🚀 Homebrew's GitHub Actions
BSD 2-Clause "Simplified" License

brew audit failure with latest action #535

Closed zosocanuck closed 5 months ago

zosocanuck commented 5 months ago

Hi,

I'm using the latest action as follows:

steps:
      - name: Set up Homebrew
        id: set-up-homebrew
        uses: Homebrew/actions/setup-homebrew@master

However, I'm getting this error when running the audit with the latest version of brew (4.2.21):

2024-05-10T15:23:20.2032760Z shell: /bin/bash -e {0}
2024-05-10T15:23:20.2032970Z env:
2024-05-10T15:23:20.2033130Z   HOMEBREW_NO_INSTALL_FROM_API: 
2024-05-10T15:23:20.2033370Z ##[endgroup]
2024-05-10T15:23:20.7330260Z ==> Using Homebrew/homebrew-test-bot 0e9092b (Merge pull request #1058 from Homebrew/dependabot/bundler/sorbet-runtime-0.5.11371)
2024-05-10T15:23:20.7714670Z ==> Using Homebrew/brew 4.2.21-88-gf590dadbf2 (Merge pull request #17270 from Homebrew/fix_opoo_onoe_sigs)
2024-05-10T15:23:20.7797730Z ==> Using Homebrew/homebrew-core 9038b2b1e91 (Merge pull request #169764 from Homebrew/bump-renovate-37.318.0)
2024-05-10T15:23:20.7882790Z ==> Testing Venafi/homebrew-tap 3130fac (Merge 45651a7cbfa1f78ac870761016b6805ea94d2f13 into d7e82a0ee0660f7e12ce2001d34bc6bcac5ac5fc):
2024-05-10T15:23:20.7888510Z 
2024-05-10T15:23:20.7888810Z ==> Running TapSyntax#run!
2024-05-10T15:23:20.7889480Z ==> brew style venafi/tap
2024-05-10T15:23:23.4138990Z ==> brew readall --aliases --os=all --arch=all venafi/tap
2024-05-10T15:23:23.7967500Z ==> brew audit --except=installed --tap=venafi/tap
2024-05-10T15:23:25.0788220Z ==> FAILED
2024-05-10T15:23:25.0790920Z ##[group]Full audit --except=installed --tap=venafi/tap output
2024-05-10T15:23:25.0791290Z venafi/tap/sigscan
2024-05-10T15:23:25.0791530Z   * Stable: Checksum is missing
2024-05-10T15:23:25.0791900Z   * Stable: version 0.3.0 is redundant with version scanned from URL
2024-05-10T15:23:25.0792260Z venafi/tap/vsign
2024-05-10T15:23:25.0792480Z   * Stable: Checksum is missing
2024-05-10T15:23:25.0792830Z   * Stable: version 1.0.2 is redundant with version scanned from URL
2024-05-10T15:23:25.0809330Z ##[error]4 problems in 2 formulae detected.
2024-05-10T15:23:25.0814130Z Error: 4 problems in 2 formulae detected.
2024-05-10T15:23:25.0817940Z ##[error]Stable: Checksum is missing
2024-05-10T15:23:25.0819280Z ##[error]Stable: version 0.3.0 is redundant with version scanned from URL
2024-05-10T15:23:25.0820350Z ##[error]Stable: Checksum is missing
2024-05-10T15:23:25.0821510Z ##[error]Stable: version 1.0.2 is redundant with version scanned from URL
2024-05-10T15:23:25.0822360Z ##[endgroup]
2024-05-10T15:23:25.0822550Z Error: 1 failed step!
2024-05-10T15:23:25.0822840Z brew audit --except=installed --tap=venafi/tap
2024-05-10T15:23:25.0829240Z ##[error]Process completed with exit code 1.

We did this previously with an older version of brew (4.2.18) with no issues:

2024-04-15T14:30:25.3178360Z shell: /bin/bash -e {0}
2024-04-15T14:30:25.3178780Z env:
2024-04-15T14:30:25.3179270Z   HOMEBREW_NO_INSTALL_FROM_API: 
2024-04-15T14:30:25.3179770Z ##[endgroup]
2024-04-15T14:30:26.5478840Z ==> Using Homebrew/homebrew-test-bot 07bf6a4 (Merge pull request #1037 from Moisan/pin_setup-ruby)
2024-04-15T14:30:26.6179400Z ==> Using Homebrew/brew 4.2.18-15-g40d2f5c23a (Merge pull request #17087 from cho-m/keg-python2.7-refs-deprecate)
2024-04-15T14:30:26.6365860Z ==> Using Homebrew/homebrew-core de45c571dd4 (Merge pull request #168204 from Homebrew/otf2-six)
2024-04-15T14:30:26.6543340Z ==> Testing Venafi/homebrew-tap d8664a5 (Merge c0e46aae36bb3baef53652b51b8a746050309399 into a14fdede510ceee91b05246cc524398022e09c0b):
2024-04-15T14:30:26.6610380Z 
2024-04-15T14:30:26.6612010Z ==> Running TapSyntax#run!
2024-04-15T14:30:26.6615730Z ==> brew style venafi/tap
2024-04-15T14:30:32.8225270Z ==> brew readall --aliases --os=all --arch=all venafi/tap
2024-04-15T14:30:33.6332930Z ==> brew audit --except=installed --tap=venafi/tap
2024-04-15T14:30:36.9477570Z All steps passed!

Any ideas?

woodruffw commented 5 months ago

From a quick look, it seems like the audits just became stricter, and the formulae in your tap are now failing them.

For example, your sigscan formula doesn't appear to list a top-level source checksum:

  desc "Inspect container images and other artifacts for signatures"
  homepage "https://github.com/venafi/sigscan"
  url "https://github.com/venafi/sigscan/archive/refs/tags/v0.3.0.tar.gz"
  version "0.3.0"
  license "Apache-2.0"
  head "https://github.com/venafi/sigscan.git", tag: "v0.3.0"

(and the other audit complaint is that the version is redundant with the version in the url, so you can just remove that line.)

I think your options here are either to ignore these audit failures or fix them.
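The two audit complaints above, reproduced by a small checker over raw formula text. This is an added example, not Homebrew's own audit code (the real auditor in `brew` is far more thorough); it assumes the stable metadata (`url`, `sha256`, `version`) comes before any `bottle do`/`test do`/`def install` block, as in a conventional formula. The formula samples are constructed from the snippet quoted above: the `install` body is a stand-in, and the all-zero `sha256` in the fixed version is a placeholder, not the real digest of the release tarball.

```ruby
require "uri"

# Added example, not Homebrew's code: a toy reimplementation of the two
# `brew audit` complaints seen in this thread, run over raw formula text.
# Assumption: the stable metadata (url/sha256/version) precedes any
# `... do` block or `def`, as in a conventional formula.

# Version number embedded in a release URL, e.g.
# https://github.com/venafi/sigscan/archive/refs/tags/v0.3.0.tar.gz -> "0.3.0"
def version_from_url(url)
  path = URI.parse(url).path
  m = path.match(/v?(\d+(?:\.\d+)+)(?:\.tar\.gz|\.tgz|\.tar\.xz|\.zip)?\z/)
  m && m[1]
end

# Collect the stable-section url, sha256 and version. Stops at the first
# `... do` block or `def`, and ignores the one-line `head` URL, so neither a
# bottle digest nor a head tag can satisfy the stable checks.
def stable_fields(formula_source)
  fields = {}
  formula_source.each_line do |raw|
    line = raw.strip
    break if line.end_with?(" do") || line.start_with?("def ")
    next if line.start_with?("head ")
    if (m = line.match(/\A(url|sha256|version)\s+"([^"]+)"/))
      fields[m[1].to_sym] ||= m[2]
    end
  end
  fields
end

# Returns the list of audit problems, worded like the thread's output.
def audit_stable(formula_source)
  f = stable_fields(formula_source)
  return ["Stable: url is missing"] unless f[:url]

  problems = []
  if f[:sha256].nil?
    # Without a digest, `brew install` has nothing to pin the tarball to:
    # a replaced release asset would install silently.
    problems << "Stable: Checksum is missing"
  elsif f[:sha256] !~ /\A[0-9a-f]{64}\z/
    problems << "Stable: sha256 #{f[:sha256]} is not a 64-hex-digit digest"
  end
  if f[:version] && f[:version] == version_from_url(f[:url])
    problems << "Stable: version #{f[:version]} is redundant with version scanned from URL"
  end
  problems
end

# Constructed sample: the sigscan formula as quoted above, wrapped in a class
# with a stand-in install method (the real install steps are not shown here).
FORMULA_BEFORE = <<~RUBY
  class Sigscan < Formula
    desc "Inspect container images and other artifacts for signatures"
    homepage "https://github.com/venafi/sigscan"
    url "https://github.com/venafi/sigscan/archive/refs/tags/v0.3.0.tar.gz"
    version "0.3.0"
    license "Apache-2.0"
    head "https://github.com/venafi/sigscan.git", tag: "v0.3.0"

    def install
      # build steps omitted
    end
  end
RUBY

# Constructed sample of the fix: a top-level sha256 (all zeros here as a
# placeholder; use the real tarball digest) and no `version` line.
FORMULA_AFTER = <<~RUBY
  class Sigscan < Formula
    desc "Inspect container images and other artifacts for signatures"
    homepage "https://github.com/venafi/sigscan"
    url "https://github.com/venafi/sigscan/archive/refs/tags/v0.3.0.tar.gz"
    sha256 "0000000000000000000000000000000000000000000000000000000000000000"
    license "Apache-2.0"
    head "https://github.com/venafi/sigscan.git", tag: "v0.3.0"

    def install
      # build steps omitted
    end
  end
RUBY

# Constructed edge case: a digest only inside `bottle do` is not the stable
# source checksum, so the audit still complains.
FORMULA_BOTTLE_ONLY = <<~RUBY
  class Sigscan < Formula
    url "https://github.com/venafi/sigscan/archive/refs/tags/v0.3.0.tar.gz"
    bottle do
      sha256 cellar: :any_skip_relocation, arm64_sonoma: "0000000000000000000000000000000000000000000000000000000000000000"
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts audit_stable(FORMULA_BEFORE).inspect, audit_stable(FORMULA_AFTER).inspect
end
```

The real digest for the `sha256` line comes from the published tarball itself (for example `shasum -a 256` over the downloaded archive); once it is in the formula, `brew` refuses to install a source archive whose contents differ from what the tap author audited, which is the point of the check.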

Bo98 commented 5 months ago

Not entirely sure why the behaviour changed, as it shouldn't have. But in any case, the buggy behaviour is the old version of Homebrew rather than the new one.