konstruktoid
commented
5 months ago Closed konstruktoid closed 5 months ago
konstruktoid
commented
5 months ago 
spencerschrock
commented
5 months ago Hmm, there seems to be a timing issue around new releases and when the dependency update tool (observed with both dependabot and Renovate) sends you a PR, vs when the GitHub APIs reflect the commit state.
If I run the commit analysis now, I'm getting all green checks.
spencerschrock
commented
5 months ago The timing has to do with limitations with how our webapp can check for "imposter" commits.
There was a ~15 hour gap between when the v3.25.2 release was cut (Apr 22 1:35 PM PDT) and the commit was merged back into main via a PR. You merged https://github.com/konstruktoid/ansible-role-docker-rootless/pull/342 in that window, so our detection was flawed.
The linked PR (https://github.com/ossf/scorecard-webapp/pull/608) will fix the issue from happening again after I deploy it to our webapp. No change is required on your end.
hogo6002
commented
1 month ago Hi @spencerschrock , we had a similar issue after the renovate bot updated actions/upload-artifact to commit ff15f03. I re-ran the failed task after one day, but it still shows the same error. Is it because the commit was merged into v3/node16 branch instead of main?
spencerschrock
commented
3 weeks ago Is it because the commit was merged into
v3/node16branch instead ofmain?
Yep. We are limited by the GitHub API for determining if a commit belongs to a repository. Our simplistic implementation currently only checks the main and v3/node20 branch for actions/upload-artifact. Of course the commit is perfectly safe in this case, our heuristic is just failing.
This issue pops up every now and again, and we usually just add a new branch to check instead of coming up with a better solution, but this is starting to become unwieldy.
In the short term, is there anything stopping you from moving to v4.4.0? At the time, our v3/node20 support was to handle a GHES limitation. https://github.com/actions/starter-workflows/pull/2348#pullrequestreview-1955807660
hogo6002
commented
3 weeks ago In the short term, is there anything stopping you from moving to v4.4.0?
Updated the version to v4.4.0, it works for us. Thanks Spencer!
spencerschrock
commented
1 week ago I opened https://github.com/ossf/scorecard-webapp/pull/682 to hopefully fix this issue and prevent it in the future.
Multiple workflows fail due to
workflow verification failed: imposter commit, but the imposter commit does actually exist in the repository.imposter commit: 8f596b4ae3cb3c588a5c46780b86dd53fef16c52 does not belong to github/codeql-action/upload-sarif-> https://github.com/github/codeql-action/commit/8f596b4ae3cb3c588a5c46780b86dd53fef16c52https://github.com/konstruktoid/ansible-role-docker-rootless/actions/runs/8799059669/job/24147300773#step:6:1259 https://github.com/konstruktoid/ansible-role-hardening/actions/runs/8796978115/job/24140893877#step:6:1372 https://github.com/konstruktoid/ssh-moduli/actions/runs/8797089279/job/24141235664#step:6:1213