slsa-github-generator: [bug] Alternative ways required to pass large attestation subjects
Describe the bug
For complex projects that include multiple modules or packages, the number of subjects and size of base64-subjects can easily grow larger than the allowed size of command-line argument and environment strings. For example the size of the subject hashes in a project I tried recently is about 200KB which results in the following error when the generator tries to pass it as command-line argument.
Error: An error occurred trying to start process '/usr/bin/bash' with working directory '/home/runner/work/x'. Argument list too long
To get around that, possible solutions require making changes to the GH runner, which is not a good idea probably.
Would it be possible to pass the subjects in a different way and not as an environment string through command-line argument as done here?
Additional context
- The documentation of kernel call execve() in section
Limits on size of arguments and environmentis helpful. - Here is another related question on Stack Vverflow.
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 20 (13 by maintainers)
Commits related to this issue
- feat: Support large subjects file in generic generator (#2365) closes https://github.com/slsa-framework/slsa-github-generator/issues/845 --------- Signed-off-by: laurentsimon <laurentsimon@goo... — committed to slsa-framework/slsa-github-generator by laurentsimon a year ago
- feat: Support large subjects file in generic generator (#2365) closes https://github.com/slsa-framework/slsa-github-generator/issues/845 --------- Signed-off-by: laurentsimon <laurentsimon@goo... — committed to laurentsimon/slsa-github-generator by laurentsimon a year ago
- feat: Support large subjects file in generic generator (#2365) closes https://github.com/slsa-framework/slsa-github-generator/issues/845 --------- Signed-off-by: laurentsimon <laurentsimon@google.c... — committed to enteraga6/slsa-github-generator by laurentsimon a year ago
Thanks for the info. I’ll create the e2e tests with 2k subjects then.
I see. We are getting this error currently not because of GitHub complaining about the size of the input, but because the argument is too long on the command line. If that’s the case we could write the input to a temporary file and pass the file to the generator binary without changing the workflow inputs and callers of the workflow would be unchanged.
Though there would be a problem with escaping the input as we can’t use environment variables due to the length. We would need to figure out a way to prevent script injection without using environment variables.