sbom-upload: re-exchange GCS token before set-release-status #1654

Merged: ccwienk merged 1 commit into master from fix/sbom-upload-token-refresh-before-status-write on Jul 1, 2026

Conversation

ccwienk (Member) commented Jul 1, 2026

Problem

The GCS bearer token obtained at job start expires mid-run on long-running
jobs. The Set release status step uses ${{ inputs.gcs-token }} — the
token evaluated at job startup — and has no awareness of the mid-run refresh
that upload.py performs internally via System Trust. On jobs that run longer
than the token TTL (~25 min), the status write fails with HTTP 401
"Invalid Credentials".

Observed on kubernetes-dev/landscape-dev-garden whose sbom-upload job
takes ~1h47m (1549 uploads + scan-missing). Staging (~30 min) is unaffected.
Result: SBOMs upload successfully but neither promoted nor released status
is written to the Cumulus GCS bucket for that run-key.

Fix

Add a Refresh GCS token before status write step immediately before
Set release status, reusing the existing oidc-gcp-token-exchange action
with a distinct token-env-prefix (GCS_STATUS_). The Set release status
step then prefers the freshly-issued token and falls back to the initial token
when token-exchange inputs are not provided (static-token callers).

The refresh step is guarded by inputs.token-exchange-api-url != '' so it is
a no-op for callers that do not supply exchange parameters.

Test plan

  • CI (non-release) green on feature branch
  • Build OCM (Image w/ CLI) green on feature branch
  • Verify on next ls-dev deploy-and-release run: set-release-status: HTTP 200

Release note:

sbom-upload: re-exchange GCS token immediately before set-release-status to
prevent HTTP 401 on long-running jobs where the initial token expires mid-run.

Token obtained at job start expires (~25 min TTL) on long-running jobs
(e.g. ls-dev with 1549 uploads takes ~1h47m), causing HTTP 401 on the
status write. Add a refresh step immediately before set-release-status.
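As an added illustration of the pattern described above (not the project's own action.yaml), the two steps as they would sit in a composite action. Assumed, since the page does not show them: the path of the oidc-gcp-token-exchange action, that it exports the bearer token as `<token-env-prefix>TOKEN` (here `GCS_STATUS_TOKEN`), and the bucket/object placeholders in the status write.

```yaml
# Added example, not the project's action.yaml. Assumed: action path, the
# exported env var name GCS_STATUS_TOKEN, and the bucket/object placeholders.
inputs:
  gcs-token:
    description: Bearer token evaluated at job start (static-token callers)
    required: false
  token-exchange-api-url:
    description: System Trust token-exchange endpoint; empty for static-token callers
    required: false
    default: ''
runs:
  using: composite
  steps:
    # ... upload steps run here; upload.py refreshes its own token internally,
    # but nothing refreshes ${{ inputs.gcs-token }} for the steps below ...

    # Re-exchange right before the status write so a ~25 min TTL cannot lapse
    # between job start and this step on a ~1h47m run. The guard makes this a
    # no-op for callers that pass a static token and no exchange parameters.
    - name: Refresh GCS token before status write
      if: inputs.token-exchange-api-url != ''
      uses: ./.github/actions/oidc-gcp-token-exchange   # assumed path
      with:
        token-exchange-api-url: ${{ inputs.token-exchange-api-url }}
        # Distinct prefix so the refreshed token does not clobber any env the
        # startup exchange populated for earlier steps.
        token-env-prefix: GCS_STATUS_

    - name: Set release status
      shell: bash
      env:
        INITIAL_GCS_TOKEN: ${{ inputs.gcs-token }}
        STATUS_BUCKET: PLACEHOLDER_CUMULUS_BUCKET   # assumed placeholder
        STATUS_OBJECT: PLACEHOLDER_RUN_KEY/status   # assumed placeholder
      run: |
        set -euo pipefail
        # Prefer the freshly issued token; fall back to the startup token when
        # the refresh step was skipped (static-token callers).
        GCS_TOKEN="${GCS_STATUS_TOKEN:-$INITIAL_GCS_TOKEN}"
        if [ -z "$GCS_TOKEN" ]; then
          echo "no GCS bearer token available for status write" >&2
          exit 1
        fi
        # --fail turns a 401 "Invalid Credentials" into a failed step instead
        # of a silently missing promoted/released status for this run-key.
        printf '%s' "released" | curl --fail --silent --show-error \
          -X POST -H "Authorization: Bearer ${GCS_TOKEN}" \
          -H "Content-Type: text/plain" --data-binary @- \
          "https://storage.googleapis.com/upload/storage/v1/b/${STATUS_BUCKET}/o?uploadType=media&name=${STATUS_OBJECT}"
```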
@gardener-prow gardener-prow Bot added do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. labels Jul 1, 2026
gardener-prow Bot commented Jul 1, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tuananh17n for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow Bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jul 1, 2026
@ccwienk ccwienk removed the do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. label Jul 1, 2026
@ccwienk ccwienk merged commit 5a2e85d into master Jul 1, 2026
22 of 23 checks passed
@ccwienk ccwienk deleted the fix/sbom-upload-token-refresh-before-status-write branch July 1, 2026 07:02