Unable to upload workflow asset with default name when run in matrix

[PipeItToDevNull]

When running this action in a matrix build (and possibly other contexts) without specifying an artifact-name, this action will fail due to an attempt to upload identically named artifacts, which is no longer allowed with the new artifact APIs.

A workaround is to use some element of the matrix as part of the artifact name as can be seen in the tests here.

It would be ideal to somehow detect when being run in a matrix and use the current values as further discriminator of the automatic artifact and asset names. However it's unclear if this information is available. In fact, it seems the job name doesn't even show this information. A sample run with the context debug output only seems to include:

  ##[debug]  "eventName": "pull_request",
  ##[debug]  "sha": "43601d431a78c9adf6ce3312d4881fd4f5d6a043",
  ##[debug]  "ref": "refs/pull/465/merge",
  ##[debug]  "workflow": "build-test",
  ##[debug]  "action": "__self",
  ##[debug]  "actor": "theuser",
  ##[debug]  "job": "test-on-fixture-dirs",
  ##[debug]  "runNumber": 1018,
  ##[debug]  "runId": 9085449801,
  ##[debug]  "apiUrl": "https://api.github.com/",
  ##[debug]  "serverUrl": "https://github.com/",
  ##[debug]  "graphqlUrl": "https://api.github.com/graphql"

Note the job name of test-on-fixture-dirs, which shows in the UI as test-on-fixture-dirs (ubuntu-latest), but there does not appear to be the matrix os value of ubuntu-latest anywhere in the payload. More investigation is needed to determine if this can be obtained via API call or some other environment source. We should also explore other options such as using the dependency submission API as a location to store this information.

When downloading logs, there may be a line similar to this from an earlier step:

Complete job name: test-job (ubuntu-latest)

-------- Original report:

My flow has started to fail with no changes from me. It is complaining about a duplicate name (I build 2 container images from 2 branches)

SBOM scan completed in: 8.888s
------------------------- Uploading workflow artifacts -------------------------
/tmp/sbom-action-GE46vC/***-nginx-certbot.spdx.json
Error: Failed to CreateArtifact: Received non-retryable error: Failed request: (409) Conflict: an artifact with this name already exists on the workflow run
Post job cleanup.

I have attempted to add an id: ${{ env.BRANCH_NAME }} to make unique names but the above still occurs.

https://github.com/PipeItToDevNull/nginx-certbot/actions

[chris-j-major]

I also have a potentially similar problem on a private repo:

Run anchore/[email protected]
------------------------------ Running SBOM Action -----------------------------
/usr/bin/sh /home/runner/work/_temp/86c14a62-acb2-4ebd-9824-486a58c461dc -d -b /home/runner/work/_temp/86c14a62-acb2-4ebd-9824-486a58c461dc_syft v1.4.1
[debug] checking github for release tag='v1.4.1' 
[debug] http_download(url=https://github.com/anchore/syft/releases/v1.4.1) 
[info] fetching release script for tag='v1.4.1' 
[debug] http_download(url=https://raw.githubusercontent.com/anchore/syft/v1.4.1/install.sh) 
[debug] checking github for release tag='v1.4.1' 
[debug] http_download(url=https://github.com/anchore/syft/releases/v1.4.1) 
[info] using release tag='v1.4.1' version='1.4.1' os='linux' arch='amd64' 
[debug] downloading files into /tmp/tmp.fgZr8JGzEF 
[debug] http_download(url=https://github.com/anchore/syft/releases/download/v1.4.1/syft_1.4.1_checksums.txt) 
[debug] http_download(url=https://github.com/anchore/syft/releases/download/v1.4.1/syft_1.4.1_linux_amd64.tar.gz) 
[info] installed /home/runner/work/_temp/86c14a62-acb2-4ebd-9824-486a58c[46](https://github.com/cosimmetry/sketch/actions/runs/9181218908/job/25247435631#step:6:47)1dc_syft/syft 
/opt/hostedtoolcache/syft/1.4.1/x64/syft scan ghcr.io/cosimmetry/sketch -o spdx-json
Executing Syft...
SBOM scan completed in: 217.16s
------------------------- Uploading workflow artifacts -------------------------
/tmp/sbom-action-gzIbTJ/cosimmetry-sketch.spdx.json
Found 1 artifact(s)
------------------- Attaching SBOMs to release: 'v0.4.6.-rc2' ------------------
Error: Resource not accessible by integration

[tlbraams]

Since v0.16 the action is making use of @actions/artifact@v2 as requested in #434 https://github.com/actions/toolkit/tree/main/packages/artifact#v2---whats-new
One of the (breaking) changes in v2 is name uniqueness. You might want to use the artifact-name option to ensure name uniqueness if you're creating multiple SBOM's in a single workflow.

I have attempted to add an id: ${{ env.BRANCH_NAME }} to make unique names but the above still occurs.

It shows a warning that it doesn't recognize that attribute, according to the documentation you probably want artifact-name: ${{ env.BRANCH_NAME }} instead (https://github.com/anchore/sbom-action?tab=readme-ov-file#naming-the-sbom-output)

[chris-j-major]

@tlbraams Thanks for that information - I now beleive the issue I'm seeing is different enough, so I'll open another issues for it.

[kzantow]

There is a known and I think correct change in behavior that previous releases would silently overwrite workflow assets with the same name. So, for example, if you run within a matrix job and you'd just randomly get one of the artifacts: whichever finished last. This was never the intended behavior, just an oversight.

Looking at the repo, it looks like you do indeed have a matrix job. The SBOM artifact name, at least for now, needs to be unique for each run, in other words make it based on the matrix somehow. I had to update the tests for this, see: here.

That said, I'm not sure if it's possible offhand, but we might be able to detect when run as part of a matrix build and include some uniqueness as part of the naming so you won't have to do this in the future.

[PipeItToDevNull]

Awesome, using the matrix strategy resolved this. Thanks for the investigation and guidance.

[popey]

Looks like this is covered off by the linked docs update. So I'm gonna close this now. 👍