Commit

attestations: simplify err
Signed-off-by: William Woodruff <william@trailofbits.com>
woodruffw committed Jun 11, 2024
1 parent 27500cf commit e9c72dd
Showing 1 changed file with 4 additions and 11 deletions.
15 changes: 4 additions & 11 deletions attestations.py
Expand Up @@ -30,16 +30,8 @@
_TOKEN_RETRIEVAL_FAILED_MESSAGE = """
OpenID Connect token retrieval failed: {identity_error}
This generally indicates a workflow configuration error, such as insufficient
permissions. Make sure that your workflow has `id-token: write` configured
at the job level, e.g.:
```yaml
permissions:
id-token: write
```
Learn more at https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings.
This failure occurred after a successful Trusted Publishing Flow,
suggesting a transient error.
""" # noqa: S105; not a password


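Review bot: the replacement text in `_TOKEN_RETRIEVAL_FAILED_MESSAGE` ("This failure occurred after a successful Trusted Publishing Flow, suggesting a transient error.") gives the user a diagnosis but no next step. The removed `id-token: write` guidance was the only actionable part of the old message, so consider adding one sentence on what to do now, for example re-running the job, and what to report if the failure repeats. The constant is module-level and keeps its generic name, yet its text now assumes it is only rendered after trusted publishing has succeeded; a one-line comment above the constant stating that assumption would guard against reuse in a path where permissions could still be the cause. Minor: "Flow" is capitalized mid-sentence here, while the comment in `get_identity_token` writes "trusted publishing flows" in lower case.
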
Expand Down Expand Up @@ -88,7 +80,8 @@ def get_identity_token() -> IdentityToken:
except IdentityError as identity_error:
# NOTE: We only perform attestations in trusted publishing flows, so we
# don't need to re-check for the "PR from fork" error mode, only
# generic token retrieval errors.
# generic token retrieval errors. We also render a simpler error,
# since permissions can't be to blame at this stage.
cause = _TOKEN_RETRIEVAL_FAILED_MESSAGE.format(identity_error=identity_error)
die(cause)

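Review bot: the added comment line "since permissions can't be to blame at this stage" states a conclusion without its reason. Presumably the reasoning is that the trusted publishing exchange earlier in the same job already obtained an OIDC token, which would not have been possible without `id-token: write`; saying so in the comment lets a reader check the invariant instead of taking it on trust. Since the simplified message is only correct while attestations run strictly after trusted publishing, it is also worth noting here that the message must be revisited if `get_identity_token` ever gains another caller.
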