Open NithyaThiraviaRaj opened 3 months ago
GH_HOST is for self-hosted GitHub Enterprise servers. You shouldn't need it for private repos hosted on github.com.
I'm not sure if that's the specific problem here, but it may help to remove it.
You should be able to see the JSON output from scorecard in the details, does it look like Scorecard ran successfully?
@spencerschrock Sorry, my bad. Yes, it is an enterprise server, so I need GH_HOST (without this, scorecard was pointing to github.com rather than our org URL). Yes, it looks like scorecard ran successfully, but at the end I'm getting the error below:
Using payload from: results.json
Generating ephemeral keys...
Retrieving signed certificate...
2024/04/12 13:46:54 error signing scorecard results: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{\"code\":3, \"message\":\"There was an error processing the identity token\", \"details\":[]}"
2024/04/12 13:46:54 retrying in 1s...
Using payload from: results.json
Generating ephemeral keys...
Retrieving signed certificate...
2024/04/12 13:46:55 error signing scorecard results: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{\"code\":3, \"message\":\"There was an error processing the identity token\", \"details\":[]}"
2024/04/12 13:46:55 retrying in 3s...
Using payload from: results.json
Generating ephemeral keys...
Retrieving signed certificate...
2024/04/12 13:46:58 error signing scorecard results: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{\"code\":3, \"message\":\"There was an error processing the identity token\", \"details\":[]}"
2024/04/12 13:46:58 retrying in 10s...
2024/04/12 13:47:08 error signing scorecard json results: error signing payload: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{\"code\":3, \"message\":\"There was an error processing the identity token\", \"details\":[]}"
I don't think Fulcio supports enterprise servers. https://github.com/sigstore/fulcio/issues/1022#issuecomment-1446540849
You can always turn publish_results: false so the action succeeds, but you won't be able to publish scores to our API.
@spencerschrock, thanks for your input. My GitHub Action is successful if I set publish_results: false.
When you say I can't publish the score, what does that actually mean? Am I not allowed to upload an artifact or upload to code scanning? Could you please tell me how I could view my score?
Sorry for any confusion. You can still upload the results as an artifact or to the code scanning dashboard.
publish_results is our configuration flag which would send the results to our API for everyone to see at api.scorecard.dev, which is the only part that is unavailable to you with an enterprise server.
When I try to upload an artifact,
- name: "Upload artifact"
  uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
  with:
    name: SARIF file
    path: results.sarif
    retention-days: 5
I'm getting the error below:
Error: @actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+ are not currently supported on GHES.
Any alternative?
Can you try an older version of upload-artifact?
Such as
uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
For reference there was some discussion here about it
@spencerschrock, thanks a lot for your input. I was able to upload the artifact successfully using upload-artifact.
Next, when I tried to upload it to Code Scanning, I got an error saying
Error: An action could not be found at the URI 'https://
Please note: I couldn't see the Code scanning option under the Security tab in GitHub. I created a Stack Overflow question for the same (https://stackoverflow.com/questions/78308703/github-code-scanning-section-not-available-under-security-tab-code-security). Is it because it is disabled by the Organisation's Enterprise owners, or is it not available for GHES?
I believe that could be the reason why I'm encountering an error when attempting to upload to code scanning.
This is what I tried:
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
  uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
  with:
    sarif_file: results.sarif
@spencerschrock, is code scanning not available for GHES, or does it need an additional subscription?
I'm not 100% certain, as I've only used the GitHub hosted version. GitHub's documentation seems to say it's supported with an additional subscription / $$$.
GitHub Advanced Security is available for enterprise accounts on GitHub Enterprise Cloud and GitHub Enterprise Server
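Pulling the thread's working pieces into one workflow, as an added example that is not from this issue or from the scorecard-action project: GH_HOST is set for the enterprise server, publish_results is turned off because the Fulcio signing step is what fails on GHES, and the artifact upload uses the v3 pin quoted above. The GH_HOST hostname is an assumed placeholder, the scorecard-action version is the v2.3.1 from the report (pin it to its commit SHA in your own workflow), and the final upload-sarif step only works when GitHub Advanced Security is enabled on the server.

```yaml
name: Scorecard (GHES)
on:
  push:
    branches: [ main ]
  schedule:
    - cron: '30 1 * * 6'

permissions: read-all

jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # only needed for the upload-sarif step
      actions: read
      contents: read
      # id-token: write is deliberately NOT requested: it is only used for
      # Fulcio signing when publish_results is true, which fails on GHES above
    env:
      GH_HOST: ghes.example.com   # assumption: replace with your GHES hostname
    steps:
      - name: "Checkout code"
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@v2.3.1   # pin to the commit SHA for this tag
        with:
          results_file: results.sarif
          results_format: sarif
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          # true would send results to api.scorecard.dev via Fulcio; not reachable from GHES
          publish_results: false

      - name: "Upload artifact"
        # upload-artifact v4+ is not supported on GHES; v3 pin from the thread
        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: "Upload to code-scanning"
        # needs GitHub Advanced Security on the GHES instance; remove otherwise
        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
        with:
          sarif_file: results.sarif
```

Without Advanced Security the last step fails the way the thread shows, so the artifact upload is the step that keeps the SARIF reachable on a plain GHES install.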
I tried to integrate OpenSSF Scorecard into my Organisation's private repository, but I am getting a signing error.
Steps to Replicate the issue:
Now, while running the GitHub Actions workflow, I'm getting the following error:
error signing scorecard json results: error signing payload: getting key from Fulcio: retrieving cert: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{\"code\":3, \"message\":\"There was an error processing the identity token\", \"details\":[]}"
ossf/scorecard-action - v2.3.1