Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Alpine image not auto-detected on Action #1262

Closed
mvorisek opened this issue Feb 3, 2024 · 22 comments
Closed

Alpine image not auto-detected on Action #1262

mvorisek opened this issue Feb 3, 2024 · 22 comments
Assignees
Labels
Area: Report Upload Issues with pre-ingest report uploading bug Something isn't working Low Low Priority Issues (to be fixed or re-evaluated in 12 months

Comments

@mvorisek
Copy link

mvorisek commented Feb 3, 2024

CI log:

1s
Run codecov/codecov-action@v4
  with:
    token: ***
    fail_ci_if_error: true
    files: coverage/merged.xml,coverage/js/clover.xml
  env:
    LOG_COVERAGE: 1
/usr/bin/docker exec  fd8d6bfcab9afaaaefd7cb1c23b43d13cb5c46fd29b243c01cf76d86136bb29f sh -c "cat /etc/*release | grep ^ID"
==> linux OS detected
https://cli.codecov.io/latest/linux/codecov.SHA256SUM
==> Running version latest
gpg: directory '/github/home/.gnupg' created
gpg: /github/home/.gnupg/trustdb.gpg: trustdb created
gpg: key 806BB28AED779869: public key "Codecov Uploader (Codecov Uploader Verification Key) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg: Signature made Fri Feb  2 14:15:33 2024 UTC
gpg:                using RSA key 27034E7FDB850E0BBC2C62FF806BB28AED779869
gpg: Good signature from "Codecov Uploader (Codecov Uploader Verification Key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2703 4E7F DB85 0E0B BC2C  62FF 806B B28A ED77 9869

==> Running version v0.4.6
==> Running command '/__w/_actions/codecov/codecov-action/v4/dist/codecov create-commit'
/__w/_actions/codecov/codecov-action/v4/dist/codecov create-commit -C 864df81d007f7cd8a0fea2e9495d14fd4563f03e -Z
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strcat_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __snprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __vfprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __realpath_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strdup: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __memcpy_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __vsnprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strcpy_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __fread_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __fprintf_chk: symbol not found

v3 with the same config is passing without any issue, but we want to upgrade as Node 16 is deprecated.

@thomasrockhu-codecov
Copy link
Contributor

@mvorisek yeah I noticed this. I'm not sure why there's a difference between running gpgv versus gpg -v for this which would NOT show this warning, but there is this issue. I have confirmed with our security team that the security key is in fact correct and the warning is not showing something malicious.

I will continue to look into this so that the warning is properly removed.

@mvorisek
Copy link
Author

Here https://github.com/atk4/core/blob/63a2d72bbf/.github/workflows/test-unit.yml#L135 is a repro if it helps. Also notice, we use custom Alpine container image https://github.com/atk4/core/blob/63a2d72bbf/.github/workflows/test-unit.yml#L14.

Based on the likes it seems many people are affected.

The solution should be probably https://superuser.com/questions/1435147/how-to-suppress-warning-this-key-is-not-certified-with-a-trusted-signature#1435150, ie. gpg --lsign-key "xxx" as mentioned also in https://serverfault.com/questions/569911/how-to-verify-an-imported-gpg-key#1150984

@mvorisek
Copy link
Author

mvorisek commented Mar 4, 2024

@thomasrockhu-codecov is there any progress on this issue?

@thomasrockhu-codecov
Copy link
Contributor

@mvorisek I've been digging into this for a bit now. I don't think that adding gpg --lsign-key is what should be done.

The warning message implies that the key has not been signed by the user

it likely means we haven't signed the public key of the signature-maker.

This means that you, the user, have not indicated you trust the key. As a result, unless you actually import the key and sign it yourself, we will not be able to do anything about the warning.

As it is, the warning is just that, a warning, as the key is hard coded into the codebase.

@mvorisek
Copy link
Author

mvorisek commented Mar 7, 2024

@thomasrockhu-codecov please kindly reopen this issue, we use fail_ci_if_error: true and it currently fails our CI - so it is not a warning, it is an error which prevents us to upgrade to v4 (introduced in #1218).

@thomasrockhu-codecov
Copy link
Contributor

@mvorisek oh! sorry I didn't realize that would happen. Let me dig in a little more then.

@thomasrockhu-codecov
Copy link
Contributor

@mvorisek I don't think this is related to trusted signature as the system gets past verification. What is curious are the log lines after create-commit. Doing a quick search shows this could be related to glibc (see this issue).

@mvorisek
Copy link
Author

mvorisek commented Mar 8, 2024

@mvorisek I don't think this is related to trusted signature as the system gets past verification. What is curious are the log lines after create-commit. Doing a quick search shows this could be related to glibc (see this issue).

👍

here is a minimal repro using GH Actions:

on:
  push:

jobs:
  ci:
    container:
      image: alpine
    steps:
      - name: Store coverage
        run: |
          # store coverage/merged.xml file here

      - name: Upload coverage logs
        uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          fail_ci_if_error: true
          files: coverage/merged.xml       

with local Docker and alpine base image should should be simple to reproduce the issue.

Does Codecov bundle some lib linked againts glibc? I use Alpine quite a lot and I would be surprised if native Alpine git lib would be this broken.

@drazisil-codecov
Copy link
Contributor

Alpine doesn't use glibc, it uses musl, which is not the same. Could be that.

@mvorisek
Copy link
Author

mvorisek commented Mar 8, 2024

Yes. My concern is what package causes that issue, dist/codecov? Is that some precompiled codecov binary?

@drazisil-codecov
Copy link
Contributor

drazisil-codecov commented Mar 8, 2024

action@v4 uses https://github.com/codecov/codecov-cli.

Specifically,

const getBaseUrl = (platform: string, version: string): string => {
return `https://cli.codecov.io/${version}/${platform}/${getUploaderName(platform)}`;
};

I think we use pyinstaller.

@psychobolt
Copy link

psychobolt commented Apr 4, 2024

Works now on c16abc2

- use: codecov/codecov-action@c16abc29c95fcf9174b58eb7e1abf4c866893bc8 # 4.1.1
  # ...

@hellwolf
Copy link

hellwolf commented Apr 8, 2024

ours fails after upgrading to 4.2.0 https://github.com/superfluid-finance/protocol-monorepo/actions/runs/8606474561/job/23586919598

(we were upgrading it to fix the previous failure.)

Frustratingly, we can't find a config now that works.

@mvorisek
Copy link
Author

mvorisek commented Apr 8, 2024

We had to stick to v3 which uses deprecated Node 18.

Someone from Codecov should look into it as it affects a lot of users based on the votes count and the fact Alpine is very popular. The repro should be easy, use this plugin on Github workflow using alpine:latest image.

@thomasrockhu-codecov
Copy link
Contributor

@mvorisek I have made an underlying change to the action and in setting fail_ci_if_error to true should not break. Would you mind trying the latest v4 and seeing if this works for you.

@thomasrockhu-codecov thomasrockhu-codecov added support bug Something isn't working labels May 14, 2024
@thomasrockhu-codecov thomasrockhu-codecov self-assigned this May 14, 2024
@mvorisek
Copy link
Author

@thomasrockhu-codecov
Copy link
Contributor

@mvorisek ahhh, this is a different issue. what OS is your runner using? You may need to specify a different OS for the action

  with:
    token: ***
    fail_ci_if_error: true
    files: coverage/merged.xml
    os: alpine

@mvorisek
Copy link
Author

I am running on Alpine. If there needs to be some different binary uploaded, I belive the detection should be done on runtime by the GH action itself.

@thomasrockhu-codecov
Copy link
Contributor

@mvorisek you are correct, I have that on my list of things to do, but for now I just wanted you unblocked

@thomasrockhu-codecov thomasrockhu-codecov changed the title [v4] This key is not certified with a trusted signature! Alpine image not auto-detected on Action May 16, 2024
@gVg771
Copy link

gVg771 commented Jul 9, 2024

CI log:

1s
Run codecov/codecov-action@v4
  with:
    token: ***
    fail_ci_if_error: true
    files: coverage/merged.xml,coverage/js/clover.xml
  env:
    LOG_COVERAGE: 1
/usr/bin/docker exec  fd8d6bfcab9afaaaefd7cb1c23b43d13cb5c46fd29b243c01cf76d86136bb29f sh -c "cat /etc/*release | grep ^ID"
==> linux OS detected
https://cli.codecov.io/latest/linux/codecov.SHA256SUM
==> Running version latest
gpg: directory '/github/home/.gnupg' created
gpg: /github/home/.gnupg/trustdb.gpg: trustdb created
gpg: key 806BB28AED779869: public key "Codecov Uploader (Codecov Uploader Verification Key) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg: Signature made Fri Feb  2 14:15:33 2024 UTC
gpg:                using RSA key 27034E7FDB850E0BBC2C62FF806BB28AED779869
gpg: Good signature from "Codecov Uploader (Codecov Uploader Verification Key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2703 4E7F DB85 0E0B BC2C  62FF 806B B28A ED77 9869

==> Running version v0.4.6
==> Running command '/__w/_actions/codecov/codecov-action/v4/dist/codecov create-commit'
/__w/_actions/codecov/codecov-action/v4/dist/codecov create-commit -C 864df81d007f7cd8a0fea2e9495d14fd4563f03e -Z
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strcat_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __snprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __vfprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __realpath_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strdup: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __memcpy_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __vsnprintf_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __strcpy_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __fread_chk: symbol not found
Error relocating /__w/_actions/codecov/codecov-action/v4/dist/codecov: __fprintf_chk: symbol not found

v3 with the same config is passing without any issue, but we want to upgrade as Node 16 is deprecated.

sebhmg added a commit to sebhmg/param-sweeps that referenced this issue Jul 12, 2024
robcxyz added a commit to sudoblockio/icon-governance that referenced this issue Aug 1, 2024
@thomasrockhu-codecov thomasrockhu-codecov added Area: Report Upload Issues with pre-ingest report uploading Low Low Priority Issues (to be fixed or re-evaluated in 12 months and removed support labels Oct 29, 2024
@mvorisek
Copy link
Author

mvorisek commented Nov 21, 2024

You may need to specify a different OS for the action

  with:
    token: ***
    fail_ci_if_error: true
    files: coverage/merged.xml
    os: alpine

Thank you @thomasrockhu-codecov for mentioning the os option. When an explicit os: alpine is used this GH issue is fixed.

I have also found that the v5 release somehow fixed this issue and the os option is not even needed.

@thomasrockhu-codecov
Copy link
Contributor

@mvorisek ah! I'm glad that worked. I hadn't gotten a chance to test it out on your setup so I couldn't confirm. Glad this is working now

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area: Report Upload Issues with pre-ingest report uploading bug Something isn't working Low Low Priority Issues (to be fixed or re-evaluated in 12 months
Projects
None yet
Development

No branches or pull requests

6 participants