Open mvorisek opened 8 months ago
@mvorisek yeah I noticed this. I'm not sure why there's a difference between running `gpgv` versus `gpg -v` for this which would NOT show this warning, but there is this issue. I have confirmed with our security team that the security key is in fact correct and the warning is not showing something malicious.
I will continue to look into this so that the warning is properly removed.
Here https://github.com/atk4/core/blob/63a2d72bbf/.github/workflows/test-unit.yml#L135 is a repro if it helps. Also notice, we use custom Alpine container image https://github.com/atk4/core/blob/63a2d72bbf/.github/workflows/test-unit.yml#L14.
Based on the likes it seems many people are affected.
The solution should probably be https://superuser.com/questions/1435147/how-to-suppress-warning-this-key-is-not-certified-with-a-trusted-signature#1435150, i.e. `gpg --lsign-key "xxx"`, as mentioned also in https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key#1150984
@thomasrockhu-codecov is there any progress on this issue?
@mvorisek I've been digging into this for a bit now. I don't think that adding `gpg --lsign-key` is what should be done.
The warning message implies that the key has not been signed by the user; it likely means we haven't signed the public key of the signature-maker.
This means that you, the user, have not indicated you trust the key. As a result, unless you actually import the key and sign it yourself, we will not be able to do anything about the warning.
As it is, the warning is just that, a warning, as the key is hard coded into the codebase.
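The check that this reasoning points at, as an added Python example (not code from the codecov-action project): read the machine-readable `gpg --status-fd 1 --verify` output instead of the human warning text, and accept only a good signature from a fingerprint pinned in code, ignoring the web-of-trust level entirely. The status lines below are constructed; only the key id and fingerprint are the ones printed in the CI log in this thread.

```python
# Added example: accept a signature only if it comes from a pinned fingerprint.
# SAMPLE_STATUS is a constructed `gpg --status-fd 1` stream; the key id and
# fingerprint are the Codecov uploader values quoted in this issue's CI log.
CODECOV_FPR = "2703 4E7F DB85 0E0B BC2C 62FF 806B B28A ED77 9869"

SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 806BB28AED779869 Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>
[GNUPG:] VALIDSIG 27034E7FDB850E0BBC2C62FF806BB28AED779869 2024-02-02 1706883333 0 4 0 1 8 00 27034E7FDB850E0BBC2C62FF806BB28AED779869
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def parse_status(text):
    """Map each [GNUPG:] keyword to the list of argument strings it appeared with."""
    status = {}
    for line in text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary stderr chatter such as the WARNING lines is skipped
        parts = line.split(" ", 2)
        status.setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return status


def _norm(fpr):
    """Canonical fingerprint form: no spaces, upper case."""
    return fpr.replace(" ", "").upper()


def verify_pinned(status_text, pinned_fpr):
    """Return (ok, reason). ok is True only for a GOODSIG whose VALIDSIG signing
    fingerprint (field 1) or primary-key fingerprint (field 10) equals the pinned
    one. TRUST_* lines are ignored on purpose: pinning the fingerprint in code is
    the trust decision, so the 'not certified' warning carries no information."""
    status = parse_status(status_text)
    for bad in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
        if bad in status:
            return False, bad
    if "GOODSIG" not in status:
        return False, "no GOODSIG"
    want = _norm(pinned_fpr)
    for args in status.get("VALIDSIG", []):
        fields = args.split()
        seen = {_norm(fields[0])}
        if len(fields) >= 10:
            seen.add(_norm(fields[9]))
        if want in seen:
            return True, "signed by pinned key " + want
    return False, "signature is not from the pinned key"


if __name__ == "__main__":
    print(verify_pinned(SAMPLE_STATUS, CODECOV_FPR))
```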
@thomasrockhu-codecov please kindly reopen this issue, we use `fail_ci_if_error: true` and it currently fails our CI - so it is not a warning, it is an error which prevents us from upgrading to v4 (introduced in https://github.com/codecov/codecov-action/pull/1218).
@mvorisek oh! sorry I didn't realize that would happen. Let me dig in a little more then.
@mvorisek I don't think this is related to trusted signature as the system gets past verification. What is curious are the log lines after `create-commit`. Doing a quick search shows this could be related to glibc (see this issue).
👍
here is a minimal repro using GH Actions:

```yaml
on:
  push:
jobs:
  ci:
    runs-on: ubuntu-latest  # required by GitHub Actions; the job itself runs in the container below
    container:
      image: alpine
    steps:
      - name: Store coverage
        run: |
          # store coverage/merged.xml file here
      - name: Upload coverage logs
        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: true
          files: coverage/merged.xml
```

with local Docker and the alpine base image it should be simple to reproduce the issue.
Does Codecov bundle some lib linked against glibc? I use Alpine quite a lot and I would be surprised if native Alpine git lib would be this broken.
Alpine doesn't use glibc, it uses musl, which is not the same. Could be that.
Yes. My concern is what package causes that issue, `dist/codecov`? Is that some precompiled codecov binary?
action@v4 uses https://github.com/codecov/codecov-cli.
Specifically, https://github.com/codecov/codecov-action/blob/8be6ba57821f458c7d51e7f82129ac29316c2ea1/src/helpers.ts#L54-L56
I think we use pyinstaller.
Works now on c16abc29c95fcf9174b58eb7e1abf4c866893bc8

```yaml
- uses: codecov/codecov-action@c16abc29c95fcf9174b58eb7e1abf4c866893bc8 # 4.1.1
  # ...
```
ours fails after upgrading to 4.2.0 https://github.com/superfluid-finance/protocol-monorepo/actions/runs/8606474561/job/23586919598
(we were upgrading it to fix the previous failure.)
Frustratingly, we can't find a config now that works.
We had to stick to v3 which uses deprecated Node 18.
Someone from Codecov should look into it as it affects a lot of users based on the vote count and the fact Alpine is very popular. The repro should be easy: use this plugin in a GitHub workflow using the `alpine:latest` image.
@mvorisek I have made an underlying change to the action, and setting `fail_ci_if_error` to `true` should not break. Would you mind trying the latest `v4` and seeing if this works for you?
Unfortunately, there is still some issue: https://github.com/atk4/core/actions/runs/9093675020/job/24993133255?pr=411#step:11:30.
@mvorisek ahhh, this is a different issue. What OS is your runner using? You may need to specify a different OS for the action:

```yaml
with:
  token: ***
  fail_ci_if_error: true
  files: coverage/merged.xml
  os: alpine
```
I am running on Alpine. If there needs to be some different binary uploaded, I believe the detection should be done at runtime by the GH action itself.
@mvorisek you are correct, I have that on my list of things to do, but for now I just wanted you unblocked.
CI log:

```
Run codecov/codecov-action@v4
  with:
    token: ***
    fail_ci_if_error: true
    files: coverage/merged.xml,coverage/js/clover.xml
  env:
    LOG_COVERAGE: 1
/usr/bin/docker exec fd8d6bfcab9afaaaefd7cb1c23b43d13cb5c46fd29b243c01cf76d86136bb29f sh -c "cat /etc/*release | grep ^ID"
==> linux OS detected
https://cli.codecov.io/latest/linux/codecov.SHA256SUM
==> Running version latest
gpg: directory '/github/home/.gnupg' created
gpg: /github/home/.gnupg/trustdb.gpg: trustdb created
gpg: key 806BB28AED779869: public key "Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: Signature made Fri Feb 2 14:15:33 2024 UTC
gpg: using RSA key 27034E7FDB850E0BBC2C62FF806BB28AED779869
gpg: Good signature from "Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2703 4E7F DB85 0E0B BC2C 62FF 806B B28A ED77 9869
==> Running version v0.4.6
==> Running command '/__w/_actions/codecov/codecov-action/v4/dist/codecov create-commit'
/__w/_actions/codecov/codecov-action/v4/dist/codecov create-commit -C 864df81d007f7cd8a0fea2e9495d14fd4563f03e -Z
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strcat_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __snprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __vfprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __realpath_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strdup: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __memcpy_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __vsnprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strcpy_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __fread_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __fprintf_chk: symbol not found
```
v3 with the same config is passing without any issue, but we want to upgrade as Node 16 is deprecated.