GitHub asset delivery breaks our CI jobs #1351
Description
In my opinion, this GitHub incident is not resolved, as discussed in #1350.
This incident is marked as resolved in November 20th, but I've been seeing errors in our nightlies since yesterday (November 23rd). Also, they mention an error rate less than 0.2%, but it seems larger than that. In our particular case, the SLSA action downloads the cosign binaries three times (one for each architecture, and one for the final layer), and we can see some downloads succeeding, while others are failing. With a 0.2% error rate, our jobs would work 99.6% of the time, which is not the case.
Next steps:
- Ask GitHub to reopen this incident
- Merge our PRs into a test branch, where I'll remove the provenance requirement (see
test/1351-ci) - Ensure that the tests run fine, and post the result in QA and Release for version 0.10.0 RC2 #1341
- Merge the PRs.
In practice, we cannot create attestations for our images until this is resolved, so it must be fixed real soon.