Fails without helpful guidance

[oliversalzburg]

In one of my pipelines the attestation fails with the output:

 Error: Failed to persist attestation: Server Error - https://docs.github.com/rest/repos/repos#create-an-attestation

The link leads to a documentation page that seems to relate to completely different information.

When the attestation process fails, it would be helpful to get better guidance.

[phillmv]

Hello & thanks for reaching out :). We've actually been monitoring these failures over the past couple of days, so it's great to communicate directly.

We're working on addressing this (friendlier errors, fixing the docs link, having the API not error out 😅) but in the meantime… the issue is the default SBOM being generated for your dockerfile is larger than we envisioned supporting 🤦‍♀️.

To be clear, this is a failure on our side; you're even using the action we recommended in our docs/blog post.

But while we figure out how to best support this, our recommendation is to try to find a way to generate an SBOM that meets your needs but encodes less redundant information. (Or even… compressing the sbom before trying to attest it? 🤔 We haven't tried that yet)

Thanks for trying our feature out! We're sorry you ran into these errors, but at least it's helped us uncover these limitations.

[oliversalzburg]

in the meantime… the issue is the default SBOM being generated for your dockerfile is larger than we envisioned supporting

Thank you, that was actually also my suspicion. I then figured that having an SBOM this large is maybe an error on my part, and I started to trim down the complexity of the image, which resolved the problem for me.

I was just trying to get an all around better understanding of SBOM and attestation features. I have no immediate use case that I'm trying to support, other than creating building blocks for future requirements.

Thanks for the great response :)