Open dgolovin opened 1 month ago
@ashley-cui @mheon PTAL
Looking at the github action setup it seems they have a vary obvious TOCTOU race regarding the artifact uploads. Because the several installers run in parallel they seems to download shasum file than append their new sums for the new files and then again upload it. If two tasks do this in parallel it can never work reliably.
Manually updated the 5.1.0 shasum. I'll take this issue to update and fold all the upload actions into one, so we don't have this race.
A friendly reminder that this issue had no activity for 30 days.
Issue Description
Cannot verify SHA digest after downloading packages for macOS from podman 5.1.0 release.
Steps to reproduce the issue
Steps to reproduce the issue:
Describe the results you received
Describe the results you received
Describe the results you expected
All installable files have SHA digest in shasums file
podman info output
Podman in a container
No
Privileged Or Rootless
None
Upstream Latest Release
Yes
Additional environment details
Github PR verification fails. See example here https://github.com/containers/podman-desktop/actions/runs/9355240785/job/25752785186
Blocks https://github.com/containers/podman-desktop/issues/7373
Additional information
Additional information like issue happens only occasionally or issue happens with a particular architecture or on a particular setting