
frizbee actions generates wrong/invalid commit ref? #206

Open
woodruffw opened this issue Oct 31, 2024 · 4 comments
Labels: bug (Something isn't working)

Comments

@woodruffw

Describe the issue

Hi there! Thanks for frizbee, it's an awesome tool.

@chenrui333 ran frizbee on zizmor here: woodruffw/zizmor#90 and it produced a strange (seemingly nonexistent) pinned commit ref.

In particular, this:

      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@v3

became this:

      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@c5df01c9e4233fcd789bd004850aa36809d07727 # v3

However, that commit (c5df01c9e4233fcd789bd004850aa36809d07727) doesn't appear to exist at all, either on the upstream or anywhere in the fork network: astral-sh/setup-uv@c5df01c

I think the correct ref here should be 3b9817b1bf26186f03ab8277bab9b827ea5cc254, corresponding to tags v3 and v3.2.0: https://github.com/astral-sh/setup-uv/releases/tag/v3.2.0

To Reproduce

To reproduce, run frizbee actions .github/workflows on https://github.com/woodruffw/zizmor and observe the ref 🙂

frizbee version output:

Version: 0.1.4
Go Version: go1.23.2
Git Commit: 
Commit Date: 
OS/Arch: darwin/arm64
Dirty: false

What version are you using?

v0.1.4

woodruffw added the bug (Something isn't working) label Oct 31, 2024

@woodruffw (Author)

Minimal reproducer:

$ frizbee actions astral-sh/setup-uv@v3
astral-sh/setup-uv@c5df01c9e4233fcd789bd004850aa36809d07727

@woodruffw (Author)

GitHub's own API endpoints appear to be returning the wrong ref here:

http GET https://api.github.com/repos/astral-sh/setup-uv/git/refs/tags/v3

yields:

{
    "node_id": "REF_kwDOMnghHqxyZWZzL3RhZ3MvdjM",
    "object": {
        "sha": "c5df01c9e4233fcd789bd004850aa36809d07727",
        "type": "tag",
        "url": "https://api.github.com/repos/astral-sh/setup-uv/git/tags/c5df01c9e4233fcd789bd004850aa36809d07727"
    },
    "ref": "refs/tags/v3",
    "url": "https://api.github.com/repos/astral-sh/setup-uv/git/refs/tags/v3"
}

...and object.url points to the real commit ref seemingly:

http GET https://api.github.com/repos/astral-sh/setup-uv/git/tags/c5df01c9e4233fcd789bd004850aa36809d07727

yields:

{
  "node_id": "TA_kwDOMnghHtoAKGM1ZGYwMWM5ZTQyMzNmY2Q3ODliZDAwNDg1MGFhMzY4MDlkMDc3Mjc",
  "sha": "c5df01c9e4233fcd789bd004850aa36809d07727",
  "url": "https://api.github.com/repos/astral-sh/setup-uv/git/tags/c5df01c9e4233fcd789bd004850aa36809d07727",
  "tagger": {
    "name": "eifinger",
    "email": "[email protected]",
    "date": "2024-10-25T12:13:43Z"
  },
  "object": {
    "sha": "3b9817b1bf26186f03ab8277bab9b827ea5cc254",
    "type": "commit",
    "url": "https://api.github.com/repos/astral-sh/setup-uv/git/commits/3b9817b1bf26186f03ab8277bab9b827ea5cc254"
  },
  "tag": "v3",
  "message": "Release v3.2.0\n",
  "verification": {
    "verified": false,
    "reason": "unsigned",
    "signature": null,
    "payload": null
  }
}
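The two responses above show the root cause: `refs/tags/v3` is an annotated tag, so the refs endpoint returns the SHA of the tag *object* (type `"tag"`), not of the commit it points at, and a pinner that copies `object.sha` without checking `object.type` writes a non-commit SHA into the workflow. The following is an added example (not frizbee's code) of a resolver that peels tag objects until it reaches a commit; `sample_fetch` is a constructed stand-in for an HTTP GET against api.github.com and is seeded with the two responses quoted in this issue.

```python
# Constructed sample responses, trimmed from the API output quoted in this issue.
# A real fetcher would GET https://api.github.com{path} and parse the JSON body.
SAMPLE_RESPONSES = {
    "/repos/astral-sh/setup-uv/git/refs/tags/v3": {
        "ref": "refs/tags/v3",
        "object": {"sha": "c5df01c9e4233fcd789bd004850aa36809d07727", "type": "tag"},
    },
    "/repos/astral-sh/setup-uv/git/tags/c5df01c9e4233fcd789bd004850aa36809d07727": {
        "tag": "v3",
        "object": {"sha": "3b9817b1bf26186f03ab8277bab9b827ea5cc254", "type": "commit"},
    },
}


def sample_fetch(path: str) -> dict:
    """Offline stand-in for the GitHub REST API (constructed for this example)."""
    return SAMPLE_RESPONSES[path]


def resolve_tag_to_commit(owner: str, repo: str, tag: str, fetch=sample_fetch,
                          max_hops: int = 5) -> str:
    """Return the commit SHA that a tag ultimately points at.

    A lightweight tag's ref already has object.type == "commit". An annotated
    tag's ref has object.type == "tag": that SHA is a tag object, not a commit,
    and must be peeled via /git/tags/{sha}. Annotated tags may point at other
    annotated tags, so loop with a hop bound rather than peeling once.
    """
    obj = fetch(f"/repos/{owner}/{repo}/git/refs/tags/{tag}")["object"]
    for _ in range(max_hops):
        if obj["type"] == "commit":
            return obj["sha"]
        if obj["type"] != "tag":
            # e.g. a tag pointing at a tree or blob: never a valid pin target
            raise ValueError(f"ref {tag} points at a {obj['type']} object, not a commit")
        obj = fetch(f"/repos/{owner}/{repo}/git/tags/{obj['sha']}")["object"]
    raise ValueError(f"ref {tag}: too many nested tag objects")


def pin_uses(uses: str, fetch=sample_fetch) -> str:
    """Rewrite 'owner/repo@tag' to 'owner/repo@<commit sha> # tag'."""
    slug, _, tag = uses.partition("@")
    owner, repo = slug.split("/", 1)
    return f"{slug}@{resolve_tag_to_commit(owner, repo, tag, fetch)} # {tag}"


if __name__ == "__main__":
    print(pin_uses("astral-sh/setup-uv@v3"))
```

With the quoted responses this yields the pin woodruffw expected, `astral-sh/setup-uv@3b9817b1bf26186f03ab8277bab9b827ea5cc254 # v3`, rather than the tag-object SHA.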

@chenrui333 (Contributor)

Another idea is that we could probably just query the /tags endpoint:

$ gh api /repos/astral-sh/setup-uv/tags | jq -r '.[] | select(.name == "v3") | .commit.sha'
3b9817b1bf26186f03ab8277bab9b827ea5cc254

@blkt (Contributor)

blkt commented Nov 4, 2024

Hi @woodruffw, thank you for the thorough investigation and the reproducer, this is awesome!
Thank you @chenrui333 as well for the proposed solution!

I'll try to have a better look later this week, possibly early next week.

@blkt blkt self-assigned this Nov 4, 2024
woodruffw added a commit to trailofbits/sigstore-rekor-types that referenced this issue Nov 13, 2024
Hacks around stacklok/frizbee#206.

Signed-off-by: William Woodruff <[email protected]>