actions / attest-sbom

Action for generating SBOM attestations for workflow artifacts
MIT License

Error uploading artifact to container registry #55

Closed davidmytton closed 3 months ago

davidmytton commented 3 months ago

After successfully generating an SBOM and then attesting it, this action fails to upload the artifact with a generic error: Error uploading artifact to container registry

Here's the action log (IDs redacted):

Run actions/attest-sbom@v1
  with:
    subject-name: ghcr.io/x/x
    subject-digest: sha256:x3x
    sbom-path: x.spdx.json
    push-to-registry: true
    github-token: ***
  env:
    ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT: x_latest.spdx.json
Run actions/attest-sbom/predicate@534x
  with:
    sbom-path: x.spdx.json
  env:
    ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT: x_latest.spdx.json
Run actions/attest@495x67d
  with:
    subject-digest: sha256:x7x8x9x
    subject-name: ghcr.io/x/x
    predicate-type: https://spdx.dev/Document/v2.3
    predicate-path: /home/runner/work/_temp/lrJC03/predicate.json
    push-to-registry: true
    github-token: ***
  env:
    ANCHORE_SBOM_ACTION_PRIOR_ARTIFACT: x_latest.spdx.json

Attestation created for ghcr.io/x/x@sha256:b10x
Attestation signed using certificate from GitHub Sigstore instance
Attestation uploaded to repository
https://github.com/x/x/attestations/793731
Error: Error uploading artifact to container registry

I can view the attestation from the web UI and the image has been published to the registry. The attestation is not linked, but I can download it from the workflow summary.

bdehamer commented 3 months ago

Do you have the packages: write permission set for your workflow? This is necessary to push the attestation to the registry.

davidmytton commented 3 months ago

Yeah I have packages: write

bdehamer commented 3 months ago

Enabling step debug logging may give us some additional information about what is failing here.

My guess is that the attest action is not able to locate the image with the specified name/digest and is failing when trying to make the association in the registry.

bdehamer commented 3 months ago

@davidmytton any luck with this? We've released a new version of the action with some improvements which may solve the issue you were having pushing the attestation to the GHCR registry. Going to close this issue, but feel free to re-open if you continue to experience problems.
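
The two points raised in this thread (the `packages: write` permission, and the subject name/digest having to match an image that exists in the registry) can be seen together in a workflow like the following. This is an added example, not part of the original issue or the reporter's workflow; the image name, tag, SBOM file name and the build and SBOM steps around `actions/attest-sbom` are assumptions.

```yaml
# Added example workflow; image name, tag and file names are assumptions.
name: build-and-attest-sbom
on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write        # OIDC token used to obtain the Sigstore signing certificate
  attestations: write    # store the attestation in the repository
  packages: write        # push the image and the attestation to ghcr.io

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      # Image name without a tag; assumes the repository path is lower-case,
      # which GHCR requires.
      IMAGE: ghcr.io/${{ github.repository }}
    steps:
      - uses: actions/checkout@v4
      # Authenticate to the registry before anything is pushed to it.
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:latest
      # Generate the SBOM for the exact image that was pushed.
      - uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE }}@${{ steps.push.outputs.digest }}
          format: spdx-json
          output-file: sbom.spdx.json
      # subject-name carries no tag; subject-digest is the digest the push
      # step reported, so the attestation refers to an image in the registry.
      - uses: actions/attest-sbom@v1
        with:
          subject-name: ${{ env.IMAGE }}
          subject-digest: ${{ steps.push.outputs.digest }}
          sbom-path: sbom.spdx.json
          push-to-registry: true
```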