ci: Stop spamming server with intermediate builds.#781
ci: Stop spamming server with intermediate builds.#781
Conversation
Signed-off-by: Giles Cope <gilescope@gmail.com>
gilescope
changed the title
|
KICS version: v2.1.16
|
m2ux
left a comment
m2ux
left a comment
There was a problem hiding this comment.
PR Review Summary
PR: #781 - ci: Stop spamming server with intermediate builds
Reviewer: Workflow-based review
Date: 2026-02-25
Executive Summary
The PR adds a tlog-upload parameter to control Sigstore transparency log (Rekor) interaction for SBOM attestation, setting false for CI/main builds and true for release. The parameter threading is well-structured and the secondary changes (shellcheck fixes, dead code removal) are correct. However, the primary fix does not work: cosign v3.0.2's bundle signing path contacts Rekor regardless of --tlog-upload=false, causing both SBOM CI jobs to fail.
Overall Rating: Request Changes
Code Review Findings
| # | Severity | Category | Finding | Location |
|---|---|---|---|---|
| CR-01 | Critical | Correctness | --tlog-upload=false does not prevent Rekor contact in cosign v3.0.2 |
All files — entire premise |
| CR-02 | Medium | Robustness | Boolean type coercion across workflow_call boundary |
sbom-scan-image.yml |
| CR-03 | Medium | Observability | Verification output suppressed when --insecure-ignore-tlog active |
sbom-scan.sh |
| CR-04 | Low | Quality | Shellcheck quoting fixes are correct | release-image.yml 👍 |
| CR-05 | Low | Hygiene | Dead code removal is safe | main.yml 👍 |
| CR-06 | Low | Design | Parameter threading follows existing skip-attestation pattern |
All 5 files 👍 |
| CR-07 | Low | Practice | Explicit tlog-upload: true in release workflows |
release-image.yml 👍 |
CR-01 Details (Critical)
Evidence: CI run 22385969899 logs show:
TLOG_UPLOAD: false
Attesting SBOM for ... (tlog-upload=false)
Error: signing ...: signing bundle: error signing bundle:
Post "https://rekor.sigstore.dev/api/v1/log/entries": giving up after 2 attempt(s)
The flag is correctly threaded through the workflow and shell script, but cosign v3.0.2 ignores it during bundle creation — the bundle signing path always POSTs to Rekor. This is likely a cosign v3 behavioral change or bug.
Suggestion: Replace tlog-upload: false with skip-attestation: true for non-release builds. The existing skip-attestation input bypasses cosign attest entirely, is already proven for fork PRs, and SBOM generation + Grype scanning still run. Alternatively, file an issue with sigstore/cosign about the --tlog-upload=false behavior in bundle signing.
Test Review Findings
| Gap | Severity | Recommendation |
|---|---|---|
No local validation of --tlog-upload=false with cosign v3.0.2 |
Critical | Test locally before submitting: cosign attest --tlog-upload=false ... 2>&1 | grep rekor |
No release workflow validation for tlog-upload: true path |
Medium | Trigger a test release build or verify in a fork |
No shellcheck CI step for sbom-scan.sh |
Low | Consider adding shellcheck or actionlint coverage |
The critical test gap: the new cosign flag combination was deployed across 5 files without first confirming it works with the installed cosign version (v3.0.2 via cosign-installer@v4.0.0).
Validation Results
| Check | Status | Notes |
|---|---|---|
| cargo audit | ✅ Pass | |
| Formatting and Linting | ✅ Pass | |
| Run tests | ✅ Pass | |
| Build node and images | ✅ Pass | |
| Lint workflows | ✅ Pass | |
| Check Unused Dependencies | ✅ Pass | |
| All E2E suites | ✅ Pass | |
| SBOM/Scan Node | ❌ Fail | Attest SBOM — Rekor POST despite tlog-upload=false |
| SBOM/Scan Toolkit | ❌ Fail | Attest SBOM — same root cause |
17 passing, 2 failing, 2 skipped. Both failures are caused by the same cosign v3.0.2 incompatibility.
Action Items
Must Address (Blocking):
- Fix or replace the
--tlog-upload=falseapproach — it does not prevent Rekor contact in cosign v3.0.2. Recommended: useskip-attestation: truefor non-release CI builds instead.
Should Address (Recommended):
- Split the PR: extract shellcheck fixes + dead code removal into a separate PR (can merge immediately)
- Validate the chosen fix locally against cosign v3.0.2 before resubmitting
- Consider filing an issue at
sigstore/cosignabout--tlog-upload=falsenot working in the bundle signing path
Nice to Have (Optional):
- Add acceptance criteria to the PR description (e.g., "SBOM scan CI jobs pass without contacting rekor.sigstore.dev")
- Normalize boolean input handling in the shell script (
tr '[:upper:]' '[:lower:]') - Log verification command when tlog is disabled for debugging
3 participants
We don't need every build to be sent to servers. We could be the reason the servers are so overloaded and we have to keep retrying. Let's stop being part of the problem and only upload release SBOMs.
Here's an example of an SBOM build that failed because it couldn't upload: https://github.com/midnightntwrk/midnight-node/actions/runs/22359669599/job/64794715588?pr=765 - but we didn't need that to upload so why do it?
Also fixes some shellcheck errors.