search

skx / rss2email

Convert RSS feeds to emails
GNU General Public License v2.0
111 stars 19 forks source link

Wrongly pull image with tag `:master` #136

Closed StayPirate closed 4 months ago

StayPirate commented 5 months ago

Don't know why, but if I try to pull the latest container image tagged master, then I got an image with sha256:6d484a6467ee134caba0781fc64a9938a02481c035f11561644357477f7fa62a. While the latest one has sha256:9261368e54b6019dd7ed2da5334747361c4db18617f9b65072a17a3d01a75703.

I tried from two different systems and the behavior is the same. I don't have any local cache/proxy configuration which could interfere. I start thinking that the issue could be somehow related to the GH registry or this repo configuration.

❯ podman image pull ghcr.io/skx/rss2email:master
Trying to pull ghcr.io/skx/rss2email:master...
Getting image source signatures
Copying blob 4f4fb700ef54 skipped: already exists
Copying blob 3a46a8db05a7 done   |
Copying blob 162238cd9b97 done   |
Copying blob d25f557d7f31 done   |
Copying config 6d484a6467 done   |
Writing manifest to image destination
6d484a6467ee134caba0781fc64a9938a02481c035f11561644357477f7fa62a

Could you try to pull the ghcr.io/skx/rss2email:master and let me know what do you get?

StayPirate commented 5 months ago

Moreover, if I run rss2email version I get release-3.2... even though I think it's actually version 3.3 or 3.3.1. I say that because after I set LOG_LEVEL=ERROR all the WARN messages are disappeared.

I'm not sure if that's a separated/different problem or if it's related.

skx commented 5 months ago

I pulled:

% docker pull ghcr.io/skx/rss2email:master       
master: Pulling from skx/rss2email
94747bd81234: Already exists 
5133864669b5: Pull complete 
9421e01b2830: Pull complete 
4f4fb700ef54: Pull complete 
Digest: sha256:9261368e54b6019dd7ed2da5334747361c4db18617f9b65072a17a3d01a75703
Status: Downloaded newer image for ghcr.io/skx/rss2email:master
ghcr.io/skx/rss2email:master

Then ran:

% docker run ghcr.io/skx/rss2email:master version                                           
release-3.2

That's strange. I've mostly ignored the images on the ECR, just building locally, but it looks like some kinda timewarp going on. I wonder if different runs of the action have built old version - or if we've been failing to upload and the release-3.2 is the last one that successfully managed to get pushed?

(I do remember seeing some "warnings" about attestation, or signing, but I didn't look at them too closely)

StayPirate commented 5 months ago

Good to see that you can pull the right image. I even tried to pull it from my 4G phone connection, same result. Maybe I just need to wait some hours... just in case this has something to do with the CDN I hit from Italy.

I don't know how rss2email version subcommand works, but I noticed that both tags release-3.3.1 and release-3.2 point to the same commit (current HEAD). Maybe that's the problem.

* 5e1dec6 (HEAD -> master, tag: release-3.3.1, tag: release-3.2, origin/master, origin/HEAD) Fixed empty log-level error 2 days ago

skx commented 5 months ago

I might have screwed up the tagging of course :/

3.3.1 was made about two minutes after 3.3, because I had the default case of an empty "LOG_LEVEL" environmental variable showing a fatal error - which was a stupid change I should have tested.

I could make a new release and see what happens? I guess that's easy to do - though I'll check the logs first (this evening, probably, if not tomorrow).

skx commented 5 months ago

So I see there is a log of the Docker actions here:

Looking over it some of the builds work, and some have failed. The failing builds seem to be failing at the "signing" step, for reasons I don't fully understand:

Error: signing [ghcr.io/skx/rss2email:master@sha256:02010febbbe19cc48ca93ef2acbb00d5451aec49f3b5ef3c3b584823cc330757]: getting signer: getting key from Fulcio: getting CTFE public keys: updating local metadata and targets: error updating to TUF remote mirror: invalid key

I picked the most recent build and clicked "Rerun failed action", and in the logfile I see the following:

..
build-args: VERSION=release-3.2
..

I wonder if this is being caused by a cache. To investigate I'll do two things:

That won't take care of the failed sign, but it won't do any harm (except a slightly longer build).

StayPirate commented 5 months ago

build-args: VERSION=release-3.2

I don't think this is a GH cache issue, but an issue with tags in this repo.

❯ git clone git@github.com:skx/rss2email.git
❯ cd rss2email
❯ git describe --tags
release-3.2
❯ g show HEAD
commit 5e1dec61b637a8418d2844040e7dc9870133feb5 (HEAD -> master, tag: release-3.3.1, tag: release-3.2, origin/master, origin/HEAD)

I think that if you remove the release-3.2 and only leave the release-3.3.1 tag, then the build-args issue should be fixed.

I've no idea about the image signing failed phase... that really seems a problem related with GHCR.

skx commented 5 months ago

Tag deleted now ..

skx commented 4 months ago

With the tag deleted everythign is back to normal.

Pulling:

% docker pull ghcr.io/skx/rss2email:master
master: Pulling from skx/rss2email
94747bd81234: Already exists 
dbc2cad40ce5: Pull complete 
199d90be141c: Pull complete 
4f4fb700ef54: Pull complete 
Digest: sha256:4aa4f9cbf5c6b3e2bc209190de15bf809c6f3290ab85e673035efa1643e2ccdb
Status: Downloaded newer image for ghcr.io/skx/rss2email:master
ghcr.io/skx/rss2email:master

What's Next?
  View a summary of image vulnerabilities and recommendations → docker scout quickview ghcr.io/skx/rss2email:master

Verifying:

% docker run ghcr.io/skx/rss2email:master version
release-3.3.1