RTDEV-58178 - Collect GitHub attestation into JFrog Artifactory at the end of the workflow by selalererjfrog · Pull Request #287 · jfrog/setup-jfrog-cli

selalererjfrog · 2025-07-17T13:16:11Z

[ V ] All tests passed. If this feature is not already covered by the tests, I added new tests.
[ V ] I used npm run format for formatting the code before submitting the pull request.

github-actions · 2025-07-17T13:16:21Z

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

selalererjfrog · 2025-07-17T13:17:14Z

I have read the CLA Document and I hereby sign the CLA

dortam888 · 2025-07-20T06:50:32Z

src/evidence-collection.ts

+    }
+
+    if (!accessToken) {
+        throw new Error('No access token available for authentication');


Since Basic Auth is still supported (JF_USER and JF_PASSWORD), I would throw a different error.
Additionally, Won't an error fail the step and pipeline? I don't think we want to do it in case of Basic Auth

Added support to basic auth too

I meant GitHub action supports basic auth (legacy) while evidence doesn't (API will fail) but we need to make it transparent at the actions level

Changed the code to check if authentication is using user-password at the beginning and just issue a log message and skip evidence collection

dortam888 · 2025-07-20T10:53:53Z

lib/evidence-collection.js

+            accessToken = yield OidcUtils.exchangeOidcToken(credentials);
+        }
+        if (!accessToken) {
+            throw new Error('No access token available for authentication');


Since we are supporting Basic Auth with JF_USER and JF_PASSWORD we should give a meaningful error in this case.

dortam888 · 2025-07-20T11:00:02Z

lib/evidence-collection.js

+        for (const filePath of filePaths) {
+            try {
+                const fileStats = yield fs_1.promises.stat(filePath);
+                const fileSizeMB = fileStats.size / (1024 * 1024); // Convert bytes to MB


See comment in config API.
If we will use it in Azure for example I don't think we want to convert each time.

I think converting makes sense. It leaves the API readable to humans

dortam888 · 2025-07-20T11:04:15Z

lib/evidence-collection.js

+                    continue;
+                }
+                core.info(`Creating evidence for: ${filePath}`);
+                const output = yield utils_1.Utils.runCliAndGetOutput(['evd', 'create', '--sigstore-bundle', filePath]);


What happens in the case JF_PROJECT is defined? don't we want to use --project here?

I don't see that we pass project in the jf cli:

func NewCreateEvidenceCustom(serverDetails *config.ServerDetails, predicateFilePath, predicateType, markdownFilePath, key, keyId, subjectRepoPath, subjectSha256, sigstoreBundlePath, providerId string) evidence.Command { return &createEvidenceCustom{ createEvidenceBase: createEvidenceBase{ serverDetails: serverDetails, predicateFilePath: predicateFilePath, predicateType: predicateType, providerId: providerId, markdownFilePath: markdownFilePath, key: key, keyId: keyId, }, subjectRepoPath: subjectRepoPath, subjectSha256: subjectSha256, sigstoreBundlePath: sigstoreBundlePath, } }

Am I missing something?

We might need to change it but good for now

dortam888 · 2025-07-20T13:24:35Z

src/evidence-collection.ts

+        // Check if evidence collection is supported by the server
+        const evidenceConfig = await getEvidenceConfiguration();
+        if (!evidenceConfig.external_evidence_collection_supported) {
+            core.info('Evidence collection is not supported by this Artifactory server. Skipping evidence collection.');


I believe more specific message is needed as to why we are not supporting it (License, Basic_Auth etc)

It is only the license that don't allow it. Changed the log message

dortam888 · 2025-07-21T16:53:51Z

src/evidence-collection.ts

+        // Check if evidence collection is supported by the server
+        const evidenceConfig = await getEvidenceConfiguration();
+        if (!evidenceConfig.external_evidence_collection_supported) {
+            core.info("Evidence collection is not supported by Artifactory's license type. Skipping evidence collection.");


I prefer "Evidence collection is supported only with Enterprise Plus license. Skipping evidence collection".
It avoids future questions and also similar to other messages of this type across platform.

…e end of the workflow

github-actions · 2025-08-06T13:18:10Z

🐸 JFrog Frogbot

selalererjfrog had a problem deploying to frogbot July 17, 2025 13:16 — with GitHub Actions Failure

selalererjfrog force-pushed the feature/RTDEV-58178 branch from d57b3f5 to e297e7f Compare July 17, 2025 14:20

selalererjfrog had a problem deploying to frogbot July 17, 2025 14:20 — with GitHub Actions Failure

selalererjfrog force-pushed the feature/RTDEV-58178 branch from e297e7f to a9a4c65 Compare July 17, 2025 14:22

selalererjfrog had a problem deploying to frogbot July 17, 2025 14:22 — with GitHub Actions Failure

selalererjfrog force-pushed the feature/RTDEV-58178 branch from a9a4c65 to f7579b0 Compare July 17, 2025 14:26

selalererjfrog had a problem deploying to frogbot July 17, 2025 14:26 — with GitHub Actions Failure

selalererjfrog force-pushed the feature/RTDEV-58178 branch from f7579b0 to 7554b72 Compare July 18, 2025 21:19

selalererjfrog had a problem deploying to frogbot July 18, 2025 21:19 — with GitHub Actions Failure

selalererjfrog force-pushed the feature/RTDEV-58178 branch from 7554b72 to 649c963 Compare July 18, 2025 21:20

selalererjfrog had a problem deploying to frogbot July 18, 2025 21:20 — with GitHub Actions Failure

dortam888 reviewed Jul 20, 2025

View reviewed changes

selalererjfrog force-pushed the feature/RTDEV-58178 branch from 649c963 to d3e62c7 Compare July 20, 2025 13:54

selalererjfrog had a problem deploying to frogbot July 20, 2025 13:54 — with GitHub Actions Failure

selalererjfrog force-pushed the feature/RTDEV-58178 branch from d3e62c7 to a941c11 Compare July 20, 2025 14:02

selalererjfrog had a problem deploying to frogbot July 20, 2025 14:02 — with GitHub Actions Failure

selalererjfrog force-pushed the feature/RTDEV-58178 branch from a941c11 to 1eb762b Compare July 20, 2025 14:03

selalererjfrog had a problem deploying to frogbot July 20, 2025 14:03 — with GitHub Actions Failure

selalererjfrog requested a review from dortam888 July 20, 2025 14:04

selalererjfrog force-pushed the feature/RTDEV-58178 branch from 1eb762b to 30b8fff Compare July 20, 2025 15:54

selalererjfrog had a problem deploying to frogbot July 20, 2025 15:54 — with GitHub Actions Failure

selalererjfrog force-pushed the feature/RTDEV-58178 branch from 30b8fff to 2a440a0 Compare July 20, 2025 15:57

selalererjfrog had a problem deploying to frogbot July 20, 2025 15:57 — with GitHub Actions Failure

dortam888 reviewed Jul 21, 2025

View reviewed changes

selalererjfrog force-pushed the feature/RTDEV-58178 branch from 2a440a0 to 32b7228 Compare July 28, 2025 11:09

selalererjfrog had a problem deploying to frogbot July 28, 2025 11:09 — with GitHub Actions Failure

selalererjfrog force-pushed the feature/RTDEV-58178 branch from 32b7228 to e191da4 Compare July 28, 2025 12:03

selalererjfrog had a problem deploying to frogbot July 28, 2025 12:03 — with GitHub Actions Failure

selalererjfrog force-pushed the feature/RTDEV-58178 branch from e191da4 to 2eb28a7 Compare July 29, 2025 11:24

selalererjfrog had a problem deploying to frogbot July 29, 2025 11:24 — with GitHub Actions Failure

mnsboev approved these changes Jul 30, 2025

View reviewed changes

selalererjfrog force-pushed the feature/RTDEV-58178 branch from 2eb28a7 to 76fee48 Compare July 30, 2025 06:45

selalererjfrog had a problem deploying to frogbot July 30, 2025 06:45 — with GitHub Actions Failure

nirvanin approved these changes Aug 3, 2025

View reviewed changes

RTDEV-58178 - Collect GitHub attestation into JFrog Artifactory at th…

c182aab

…e end of the workflow

selalererjfrog force-pushed the feature/RTDEV-58178 branch from 76fee48 to c182aab Compare August 4, 2025 12:18

selalererjfrog temporarily deployed to frogbot August 4, 2025 12:18 — with GitHub Actions Inactive

asafgabai approved these changes Aug 6, 2025

View reviewed changes

asafgabai added improvement Automatically generated release notes safe to test Approve running integration tests on a pull request labels Aug 6, 2025

github-actions bot removed the safe to test Approve running integration tests on a pull request label Aug 6, 2025

asafgabai merged commit 92008cd into jfrog:master Aug 6, 2025
41 of 45 checks passed

Conversation

selalererjfrog commented Jul 17, 2025

Uh oh!

github-actions bot commented Jul 17, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

selalererjfrog commented Jul 17, 2025

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Aug 6, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

github-actions bot commented Jul 17, 2025 •

edited

Loading