codecov / codecov-action

GitHub Action that uploads coverage to Codecov :open_umbrella:
https://www.codecov.io
MIT License

Alpine image not auto-detected on Action #1262

Open mvorisek opened 8 months ago

mvorisek commented 8 months ago

CI log:

Run codecov/codecov-action@v4
  with:
    token: ***
    fail_ci_if_error: true
    files: coverage/merged.xml,coverage/js/clover.xml
  env:
    LOG_COVERAGE: 1
/usr/bin/docker exec  fd8d6bfcab9afaaaefd7cb1c23b43d13cb5c46fd29b243c01cf76d86136bb29f sh -c "cat /etc/*release | grep ^ID"
==> linux OS detected
https://cli.codecov.io/latest/linux/codecov.SHA256SUM
==> Running version latest
gpg: directory '/github/home/.gnupg' created
gpg: /github/home/.gnupg/trustdb.gpg: trustdb created
gpg: key 806BB28AED779869: public key "Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg: Signature made Fri Feb  2 14:15:33 2024 UTC
gpg:                using RSA key 27034E7FDB850E0BBC2C62FF806BB28AED779869
gpg: Good signature from "Codecov Uploader (Codecov Uploader Verification Key) <security@codecov.io>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2703 4E7F DB85 0E0B BC2C  62FF 806B B28A ED77 9869

==> Running version v0.4.6
==> Running command '/__w/_actions/codecov/codecov-action/v4/dist/codecov create-commit'
/__w/_actions/codecov/codecov-action/v4/dist/codecov create-commit -C 864df81d007f7cd8a0fea2e9495d14fd4563f03e -Z
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strcat_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __snprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __vfprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __realpath_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strdup: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __memcpy_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __vsnprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strcpy_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __fread_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __fprintf_chk: symbol not found

v3 with the same config is passing without any issue, but we want to upgrade as Node 16 is deprecated.

thomasrockhu-codecov commented 8 months ago

@mvorisek yeah I noticed this. I'm not sure why there's a difference between running gpgv versus gpg -v for this which would NOT show this warning, but there is this issue. I have confirmed with our security team that the security key is in fact correct and the warning is not showing something malicious.

I will continue to look into this so that the warning is properly removed.

mvorisek commented 8 months ago

Here https://github.com/atk4/core/blob/63a2d72bbf/.github/workflows/test-unit.yml#L135 is a repro if it helps. Also notice, we use a custom Alpine container image https://github.com/atk4/core/blob/63a2d72bbf/.github/workflows/test-unit.yml#L14.

Based on the likes it seems many people are affected.

The solution should probably be https://superuser.com/questions/1435147/how-to-suppress-warning-this-key-is-not-certified-with-a-trusted-signature#1435150, i.e. gpg --lsign-key "xxx", as also mentioned in https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key#1150984

mvorisek commented 7 months ago

@thomasrockhu-codecov is there any progress on this issue?

thomasrockhu-codecov commented 7 months ago

@mvorisek I've been digging into this for a bit now. I don't think that adding gpg --lsign-key is what should be done.

The warning message implies that the key has not been signed by the user

it likely means we haven't signed the public key of the signature-maker.

This means that you, the user, have not indicated you trust the key. As a result, unless you actually import the key and sign it yourself, we will not be able to do anything about the warning.

As it is, the warning is just that, a warning, as the key is hard coded into the codebase.
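Added example, not part of the thread and not Codecov's code: the distinction discussed above, expressed as a check on gpg's machine-readable `--status-fd` records, where the "not certified" warning appears as `TRUST_UNDEFINED` and the decision rests on the pinned fingerprint. The names `check_signature` and `SAMPLE_STATUS` are hypothetical, the sample records are constructed, and the code assumes a GnuPG version whose `VALIDSIG` record ends with the primary key fingerprint.

```python
# Added example: judge a gpg verification from --status-fd records, not from warnings.
# Fingerprint copied from the CI log in this thread.
PINNED_FPR = "27034E7FDB850E0BBC2C62FF806BB28AED779869"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 806BB28AED779869 Codecov Uploader <security@codecov.io>
[GNUPG:] VALIDSIG 27034E7FDB850E0BBC2C62FF806BB28AED779869 2024-02-02 1706883333 0 4 0 1 10 00 27034E7FDB850E0BBC2C62FF806BB28AED779869
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def check_signature(status_text, pinned_fpr=PINNED_FPR):
    """Return (accepted, reasons, trust) for the status output of one verification."""
    fingerprints, failures, trust = [], [], None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword == "VALIDSIG" and args:
            # The last VALIDSIG field is the primary key fingerprint (the first is
            # the signing key or subkey), so a pinned primary key also covers subkeys.
            fingerprints.append(args[-1].upper())
        elif keyword in FAILURE_KEYWORDS:
            failures.append(keyword)
        elif keyword.startswith("TRUST_"):
            trust = keyword
    reasons = []
    if failures:
        reasons.append("failure status: " + ",".join(failures))
    if len(fingerprints) != 1:
        reasons.append(f"expected exactly one VALIDSIG, got {len(fingerprints)}")
    elif fingerprints[0] != pinned_fpr.upper():
        reasons.append("signed by unpinned key " + fingerprints[0])
    # TRUST_UNDEFINED is the machine-readable form of the "not certified with a
    # trusted signature" warning. It reflects the local trustdb only, so it is
    # returned for logging but does not decide acceptance.
    return (not reasons, reasons, trust)
```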

mvorisek commented 7 months ago

@thomasrockhu-codecov please kindly reopen this issue, we use fail_ci_if_error: true and it currently fails our CI - so it is not a warning, it is an error which prevents us from upgrading to v4 (introduced in https://github.com/codecov/codecov-action/pull/1218).

thomasrockhu-codecov commented 7 months ago

@mvorisek oh! sorry I didn't realize that would happen. Let me dig in a little more then.

thomasrockhu-codecov commented 7 months ago

@mvorisek I don't think this is related to trusted signature as the system gets past verification. What is curious are the log lines after create-commit. Doing a quick search shows this could be related to glibc (see this issue).

mvorisek commented 7 months ago

> @mvorisek I don't think this is related to trusted signature as the system gets past verification. What is curious are the log lines after create-commit. Doing a quick search shows this could be related to glibc (see this issue).

👍

here is a minimal repro using GH Actions:

on:
  push:

jobs:
  ci:
    runs-on: ubuntu-latest
    container:
      image: alpine
    steps:
      - name: Store coverage
        run: |
          # store coverage/merged.xml file here

      - name: Upload coverage logs
        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: true
          files: coverage/merged.xml

With local Docker and an Alpine base image, it should be simple to reproduce the issue.

Does Codecov bundle some lib linked against glibc? I use Alpine quite a lot and I would be surprised if native Alpine git lib would be this broken.

drazisil-codecov commented 7 months ago

Alpine doesn't use glibc, it uses musl, which is not the same. Could be that.

mvorisek commented 7 months ago

Yes. My concern is what package causes that issue, dist/codecov? Is that some precompiled codecov binary?

drazisil-codecov commented 7 months ago

action@v4 uses https://github.com/codecov/codecov-cli.

Specifically, https://github.com/codecov/codecov-action/blob/8be6ba57821f458c7d51e7f82129ac29316c2ea1/src/helpers.ts#L54-L56

I think we use pyinstaller.

psychobolt commented 6 months ago

Works now on c16abc29c95fcf9174b58eb7e1abf4c866893bc8

- uses: codecov/codecov-action@c16abc29c95fcf9174b58eb7e1abf4c866893bc8 # 4.1.1
  # ...

hellwolf commented 6 months ago

ours fails after upgrading to 4.2.0 https://github.com/superfluid-finance/protocol-monorepo/actions/runs/8606474561/job/23586919598

(we were upgrading it to fix the previous failure.)

Frustratingly, we can't find a config now that works.

mvorisek commented 6 months ago

We had to stick to v3 which uses deprecated Node 18.

Someone from Codecov should look into it as it affects a lot of users based on the vote count and the fact Alpine is very popular. The repro should be easy: use this plugin in a GitHub workflow using the alpine:latest image.

thomasrockhu-codecov commented 5 months ago

@mvorisek I have made an underlying change to the action, and setting fail_ci_if_error to true should not break. Would you mind trying the latest v4 and seeing if this works for you?

mvorisek commented 5 months ago

Unfortunately, there is still some issue: https://github.com/atk4/core/actions/runs/9093675020/job/24993133255?pr=411#step:11:30.

thomasrockhu-codecov commented 5 months ago

@mvorisek ahhh, this is a different issue. what OS is your runner using? You may need to specify a different OS for the action

  with:
    token: ***
    fail_ci_if_error: true
    files: coverage/merged.xml
    os: alpine

mvorisek commented 5 months ago

I am running on Alpine. If there needs to be some different binary uploaded, I believe the detection should be done at runtime by the GH action itself.

thomasrockhu-codecov commented 5 months ago

@mvorisek you are correct, I have that on my list of things to do, but for now I just wanted you unblocked
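Added example, not part of the thread and not the action's own code: a sketch of the two checks the discussion points at, namely picking the `os` value from `/etc/os-release` content and recognising the musl loader errors from the first post as a glibc-built binary running on musl. The function names and the os-release samples are constructed for illustration; the loader lines are copied from the log above, and `alpine`/`linux` are the two values that appear in this thread.

```python
import re

# Constructed /etc/os-release contents for two container images.
ALPINE_OS_RELEASE = 'NAME="Alpine Linux"\nID=alpine\nVERSION_ID=3.19.1\n'
UBUNTU_OS_RELEASE = 'NAME="Ubuntu"\nID=ubuntu\nID_LIKE=debian\n'

# Loader errors copied from the CI log in this thread (three of the ten lines).
LOADER_LOG = """\
==> Running command '/__w/_actions/codecov/codecov-action/v4/dist/codecov create-commit'
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strcat_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __snprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strdup: symbol not found
"""

RELOC = re.compile(r"^Error relocating (?P<path>\S+): (?P<sym>\w+): symbol not found$")


def os_variant(os_release_text):
    """Map os-release content to the `os` value seen in this thread."""
    fields = {}
    for line in os_release_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not key.startswith("#"):
            fields[key.strip()] = value.strip().strip("\"'")
    # Compare the ID key exactly; a `grep ^ID` filter also returns ID_LIKE lines.
    return "alpine" if fields.get("ID", "").lower() == "alpine" else "linux"


def missing_symbols(log_text):
    """Symbols the musl dynamic loader reported as unresolved, in log order."""
    matches = (RELOC.match(line) for line in log_text.splitlines())
    return [m.group("sym") for m in matches if m]


def glibc_binary_on_musl(log_text):
    """True when unresolved symbols include glibc _FORTIFY_SOURCE entry points."""
    syms = missing_symbols(log_text)
    # `__<name>_chk` functions are exported by glibc for fortified builds and are
    # absent from musl, so their absence points at a libc mismatch rather than at
    # a corrupted or tampered download.
    return bool(syms) and any(s.startswith("__") and s.endswith("_chk") for s in syms)
```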
