Unable to upload workflow asset with default name when run in matrix #467

Closed
PipeItToDevNull opened this issue May 21, 2024 · 6 comments

PipeItToDevNull commented May 21, 2024

When running this action in a matrix build (and possibly other contexts) without specifying an artifact-name, this action will fail due to an attempt to upload identically named artifacts, which is no longer allowed with the new artifact APIs.

A workaround is to use some element of the matrix as part of the artifact name as can be seen in the tests here.

It would be ideal to somehow detect when being run in a matrix and use the current values as a further discriminator of the automatic artifact and asset names. However, it's unclear if this information is available. In fact, it seems the job name doesn't even show this information. A sample run with the context debug output only seems to include:

  ##[debug]  "eventName": "pull_request",
  ##[debug]  "sha": "43601d431a78c9adf6ce3312d4881fd4f5d6a043",
  ##[debug]  "ref": "refs/pull/465/merge",
  ##[debug]  "workflow": "build-test",
  ##[debug]  "action": "__self",
  ##[debug]  "actor": "theuser",
  ##[debug]  "job": "test-on-fixture-dirs",
  ##[debug]  "runNumber": 1018,
  ##[debug]  "runId": 9085449801,
  ##[debug]  "apiUrl": "https://api.github.com/",
  ##[debug]  "serverUrl": "https://github.com/",
  ##[debug]  "graphqlUrl": "https://api.github.com/graphql"

Note the job name of test-on-fixture-dirs, which shows in the UI as test-on-fixture-dirs (ubuntu-latest), but there does not appear to be the matrix os value of ubuntu-latest anywhere in the payload. More investigation is needed to determine if this can be obtained via API call or some other environment source. We should also explore other options such as using the dependency submission API as a location to store this information.

When downloading logs, there may be a line similar to this from an earlier step:

Complete job name: test-job (ubuntu-latest)

-------- Original report:

My flow has started to fail with no changes from me. It is complaining about a duplicate name (I build 2 container images from 2 branches).

SBOM scan completed in: 8.888s
------------------------- Uploading workflow artifacts -------------------------
/tmp/sbom-action-GE46vC/***-nginx-certbot.spdx.json
Error: Failed to CreateArtifact: Received non-retryable error: Failed request: (409) Conflict: an artifact with this name already exists on the workflow run
Post job cleanup.

I have attempted to add an id: ${{ env.BRANCH_NAME }} to make unique names but the above still occurs.

https://github.com/PipeItToDevNull/nginx-certbot/actions


chris-j-major commented May 21, 2024

I also have a potentially similar problem on a private repo:

Run anchore/sbom-action@v0.16.0
------------------------------ Running SBOM Action -----------------------------
/usr/bin/sh /home/runner/work/_temp/86c14a62-acb2-4ebd-9824-486a58c461dc -d -b /home/runner/work/_temp/86c14a62-acb2-4ebd-9824-486a58c461dc_syft v1.4.1
[debug] checking github for release tag='v1.4.1' 
[debug] http_download(url=https://github.com/anchore/syft/releases/v1.4.1) 
[info] fetching release script for tag='v1.4.1' 
[debug] http_download(url=https://raw.githubusercontent.com/anchore/syft/v1.4.1/install.sh) 
[debug] checking github for release tag='v1.4.1' 
[debug] http_download(url=https://github.com/anchore/syft/releases/v1.4.1) 
[info] using release tag='v1.4.1' version='1.4.1' os='linux' arch='amd64' 
[debug] downloading files into /tmp/tmp.fgZr8JGzEF 
[debug] http_download(url=https://github.com/anchore/syft/releases/download/v1.4.1/syft_1.4.1_checksums.txt) 
[debug] http_download(url=https://github.com/anchore/syft/releases/download/v1.4.1/syft_1.4.1_linux_amd64.tar.gz) 
[info] installed /home/runner/work/_temp/86c14a62-acb2-4ebd-9824-486a58c461dc_syft/syft 
/opt/hostedtoolcache/syft/1.4.1/x64/syft scan ghcr.io/cosimmetry/sketch -o spdx-json
Executing Syft...
SBOM scan completed in: 217.16s
------------------------- Uploading workflow artifacts -------------------------
/tmp/sbom-action-gzIbTJ/cosimmetry-sketch.spdx.json
Found 1 artifact(s)
------------------- Attaching SBOMs to release: 'v0.4.6.-rc2' ------------------
Error: Resource not accessible by integration

@tlbraams

Since v0.16 the action is making use of @actions/artifact@v2, as requested in #434 (https://github.com/actions/toolkit/tree/main/packages/artifact#v2---whats-new).
One of the (breaking) changes in v2 is name uniqueness. You might want to use the artifact-name option to ensure name uniqueness if you're creating multiple SBOMs in a single workflow.

> I have attempted to add an id: ${{ env.BRANCH_NAME }} to make unique names but the above still occurs.

It shows a warning that it doesn't recognize that attribute; according to the documentation, you probably want artifact-name: ${{ env.BRANCH_NAME }} instead (https://github.com/anchore/sbom-action?tab=readme-ov-file#naming-the-sbom-output).

@chris-j-major

@tlbraams Thanks for that information - I now believe the issue I'm seeing is different enough, so I'll open another issue for it.

Contributor

kzantow commented May 22, 2024

There is a known and, I think, correct change in behavior: previous releases would silently overwrite workflow assets with the same name. So, for example, if you run within a matrix job, you'd just randomly get one of the artifacts: whichever finished last. This was never the intended behavior, just an oversight.

Looking at the repo, it looks like you do indeed have a matrix job. The SBOM artifact name, at least for now, needs to be unique for each run, in other words make it based on the matrix somehow. I had to update the tests for this, see: here.

That said, I'm not sure if it's possible offhand, but we might be able to detect when run as part of a matrix build and include some uniqueness as part of the naming so you won't have to do this in the future.

@PipeItToDevNull
Author

Awesome, using the matrix strategy resolved this. Thanks for the investigation and guidance.
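
The workaround discussed in this thread, written out as a workflow (an added example, not taken from the issue or from the project's tests). The workflow name, job name, matrix values and scanned path are assumptions; `artifact-name`, `path` and `format` are the action's documented inputs.

```yaml
# Added example: workflow name, job name, matrix values and path are hypothetical.
name: build-test
on: [pull_request]

jobs:
  sbom:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest]
        variant: [default, minimal]
    steps:
      - uses: actions/checkout@v4

      # Before: no artifact-name, so every matrix leg uploads under the same
      # default name. With @actions/artifact v2 (sbom-action >= v0.16) the
      # second upload fails with "(409) Conflict: an artifact with this name
      # already exists on the workflow run". Older releases silently kept
      # only the SBOM of whichever leg finished last.
      #
      # - uses: anchore/sbom-action@v0.16.0
      #   with:
      #     path: .

      # After: fold every matrix dimension into the artifact name so each
      # leg uploads its own SBOM. Keep matrix values free of characters that
      # artifact names reject, such as "/" and ":" (e.g. image references).
      - uses: anchore/sbom-action@v0.16.0
        with:
          path: .
          format: spdx-json
          artifact-name: sbom-${{ matrix.os }}-${{ matrix.variant }}.spdx.json
```

Using only one matrix dimension in the name still collides when the matrix has two, so the name should include every dimension that varies between legs.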

kzantow reopened this May 23, 2024
kzantow changed the title from "Failures starting 2024-05-20" to "Unable to upload workflow asset with default name when run in matrix" May 23, 2024
Contributor

popey commented Jun 29, 2024

Looks like this is covered off by the linked docs update. So I'm gonna close this now. 👍

popey closed this as completed Jun 29, 2024