Skip to content

gh/2.55.0-r0: cve remediation #27611

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
octo-sts wants to merge 1 commit into from
Closed

gh/2.55.0-r0: cve remediation #27611

octo-sts wants to merge 1 commit into from

Conversation

@octo-sts
Copy link
Contributor

@octo-sts octo-sts bot commented Sep 5, 2024

@octo-sts
Copy link
Contributor Author

octo-sts bot commented Sep 5, 2024

Open AI suggestions to solve the build error:

The error message is: "fatal: detected dubious ownership in repository at '/github/home' To add an exception for this directory, call: git config --global --add safe.directory /github/home ERRO request failed error=\"Get \\\"./packages/apk-configuration\\\": unsupported protocol scheme \\\"\\\"\" method=GET url=./packages/apk-configuration WARN ignoring missing keys for ./packages: failed to perform key discovery: Get \"./packages/apk-configuration\": GET ./packages/apk-configuration giving up after 1 attempt(s): Get \"./packages/apk-configuration\": unsupported protocol scheme \"\" WARN # github.com/cli/cli/v2/pkg/cmd/attestation/verification WARN pkg/cmd/attestation/verification/mock_verifier.go:30:15: cannot use statement (variable of type *in_toto.Statement) as *\"github.com/in-toto/attestation/go/v1\".Statement value in struct literal WARN exit status 1 WARN build.go: building task `bin/gh` failed. WARN make: *** [Makefile:17: bin/gh] Error 1 ERRO ERROR: failed to build package. the build environment has been preserved: INFO   workspace dir: /temp/melange-workspace-2082141532 INFO   guest dir: /temp/melange-guest-3249041124 ERRO failed to build package: unable to run package gh pipeline: unable to run pipeline: exit status 2 make[1]: *** [Makefile:111: packages/aarch64/gh-2.55.0-r1.apk] Error 1 make[1]: Leaving directory '/github/home' make: *** [Makefile:101: package/gh] Error 2"

To fix this error:
1. Run `git config --global --add safe.directory /github/home`.
2. Ensure the URL for `./packages/apk-configuration` is correct and uses a supported protocol.
3. Correct the type mismatch in `mock_verifier.go`.
4. Verify Makefile targets and dependencies.

@kranurag7
Copy link
Member

kranurag7 commented Sep 9, 2024

upstream patch (ref: cli/cli#9566) bumping sigstore-go and it involves a bit more than bumping the dependency. We'll probably need a patch for this.

@kranurag7
Copy link
Member

kranurag7 commented Sep 9, 2024

closing this one given it's already bumped to a new version via #27953

@kranurag7 kranurag7 closed this Sep 9, 2024
@kranurag7 kranurag7 deleted the cve-gh-6dac92ab9b5dc346ebab20564c8a9357 branch September 9, 2024 18:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

automated pr gh/2.55.0-r0 GHSA-cq38-jh5f-37mq go/bump request-cve-remediation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kranurag7