From d0e4aea8532c992b35ee2a21ba9e5b292495b798 Mon Sep 17 00:00:00 2001 From: Carlo Cabrera <30379873+carlocab@users.noreply.github.com> Date: Thu, 3 Oct 2024 17:01:18 +0800 Subject: [PATCH 1/3] attestion: make `InvalidAttestationError` non-fatal in CI I don't think I've seen an `InvalidAttestationError` that wasn't some sort of network problem (e.g., rate limit, connection timeout, 503). Let's emit a warning instead of erroring out. Note that `MissingAttestationError` is still fatal, and that will still produce errors in CI. --- Library/Homebrew/attestation.rb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb index 853643465f..3e19d100bc 100644 --- a/Library/Homebrew/attestation.rb +++ b/Library/Homebrew/attestation.rb @@ -246,6 +246,12 @@ module Homebrew end backfill_attestation + rescue InvalidAttestationError => e + raise if ENV["HOMEBREW_GITHUB_ACTIONS"].blank? + + opoo "Attestation verification failed (please verify that this is not a network error before rebottling): #{e}" + + {} end end end From 6b63660817b8f66d890692b1cfb24aa86e099f16 Mon Sep 17 00:00:00 2001 From: Carlo Cabrera <30379873+carlocab@users.noreply.github.com> Date: Fri, 4 Oct 2024 12:39:58 +0800 Subject: [PATCH 2/3] attestation: retry on `InvalidAttestationError` instead --- Library/Homebrew/attestation.rb | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb index 3e19d100bc..d456651b13 100644 --- a/Library/Homebrew/attestation.rb +++ b/Library/Homebrew/attestation.rb @@ -179,6 +179,8 @@ module Homebrew attestation end + ATTESTATION_MAX_RETRIES = 5 + # Verifies the given bottle against a cryptographic attestation of build provenance # from homebrew-core's CI, falling back on a "backfill" attestation for older bottles. # @@ -246,12 +248,15 @@ module Homebrew end backfill_attestation - rescue InvalidAttestationError => e - raise if ENV["HOMEBREW_GITHUB_ACTIONS"].blank? + rescue InvalidAttestationError + @attestation_retry_count ||= T.let(Hash.new(0), T.nilable(T::Hash[Bottle, Integer])) + raise if @attestation_retry_count[bottle] >= ATTESTATION_MAX_RETRIES - opoo "Attestation verification failed (please verify that this is not a network error before rebottling): #{e}" - - {} + sleep_time = 3 ** @attestation_retry_count[bottle] + opoo "Failed to verify attestation. Retrying in #{sleep_time}..." + sleep sleep_time + @attestation_retry_count[bottle] += 1 + retry end end end From 7b74bf07fdd41c5f7e8fb257b6bd9717b48a9ce5 Mon Sep 17 00:00:00 2001 From: Carlo Cabrera <30379873+carlocab@users.noreply.github.com> Date: Fri, 4 Oct 2024 16:00:29 +0800 Subject: [PATCH 3/3] Fix attestation test failures --- Library/Homebrew/attestation.rb | 2 +- Library/Homebrew/test/attestation_spec.rb | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Library/Homebrew/attestation.rb b/Library/Homebrew/attestation.rb index d456651b13..4e2510ab77 100644 --- a/Library/Homebrew/attestation.rb +++ b/Library/Homebrew/attestation.rb @@ -254,7 +254,7 @@ module Homebrew sleep_time = 3 ** @attestation_retry_count[bottle] opoo "Failed to verify attestation. Retrying in #{sleep_time}..." - sleep sleep_time + sleep sleep_time if ENV["HOMEBREW_TESTS"].blank? @attestation_retry_count[bottle] += 1 retry end diff --git a/Library/Homebrew/test/attestation_spec.rb b/Library/Homebrew/test/attestation_spec.rb index 7a7f32662a..48d8557717 100644 --- a/Library/Homebrew/test/attestation_spec.rb +++ b/Library/Homebrew/test/attestation_spec.rb @@ -259,7 +259,7 @@ RSpec.describe Homebrew::Attestation do described_class::HOMEBREW_CORE_REPO, "--format", "json"], env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds], print_stderr: false, chdir: HOMEBREW_TEMP) - .once + .exactly(described_class::ATTESTATION_MAX_RETRIES + 1) .and_raise(described_class::MissingAttestationError) expect(described_class).to receive(:system_command!) @@ -267,6 +267,7 @@ RSpec.describe Homebrew::Attestation do described_class::BACKFILL_REPO, "--format", "json"], env: { "GH_TOKEN" => fake_gh_creds, "GH_HOST" => "github.com" }, secrets: [fake_gh_creds], print_stderr: false, chdir: HOMEBREW_TEMP) + .exactly(described_class::ATTESTATION_MAX_RETRIES + 1) .and_return(fake_result_json_resp_too_new) expect do