-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Scorecard: error signing scorecard results #1362
Comments
You should be able to see the JSON output from scorecard in the details, does it look like Scorecard ran successfully? |
@spencerschrock Sorry my bad. Yes, it is an enterprise server so I need GH_HOST (without this scorecard was pointing to github.com rather than our org url ). Using payload from: results.json |
I don't think Fulcio supports enterprise servers. sigstore/fulcio#1022 (comment) You can always turn |
@spencerschrock , thanks for your input. When you say I can't publish score, what that actually means ? am I not allowed to upload artifact or upload to code scanning ? |
Sorry for any confusion. You can still upload the results an artifact or to the code scanning dashboard.
|
When I try to upload artifact, I'm getting below error Error: @actions/artifact v2.0.0+, upload-artifact@v4+ and download-artifact@v4+ are not currently supported on GHES. any alternative ? |
Can you try an older version of
For reference there was some discussion here about it |
@spencerschrock , Thanks a lot for your input I could able to upload the artifact successfully using upload-artifact. Next, when I tried to upload it to Code Scanning, I got an error saying Please Note: I couldn't see Code scanning Option under Security tab in GitHub. I created a stackoverflow question for the same (https://stackoverflow.com/questions/78308703/github-code-scanning-section-not-available-under-security-tab-code-security). Is it because, it is disabled from the Organisation's Enterprise owners ? or not available for GHES ? I believe that could be the reason why I'm encountering an error when attempting to upload to code scanning. This is what I tried : |
@spencerschrock , is code scanning is not available for GHES or it need any additional subscription ? |
I'm not 100% certain, as I've only used the GitHub hosted version. GitHub's documentation seems to say it's supported with an additional subscription / $$$.
|
I tried to integrate Open SSF Scorecard to my Organisation private repository but getting signing error
Steps to Replicate the issue:
Now while running the GitHub actions I'm getting following error
error signing scorecard json results: error signing payload: getting key from Fulcio: retrieving cert:
POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Request: "{"code":3, "message":"There was an error processing the identity token", "details":[]}"
ossf/scorecard-action - v2.3.1
The text was updated successfully, but these errors were encountered: