You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
During attestation init with remote state, the PR metadata collector runs multiple times (observed 13 consecutive collections) before EvaluateAttestationPolicies fails with a state digest conflict.
Each successful collector save updates the server-side state, but the client-side digest tracking falls out of sync, causing the final policy evaluation write to be rejected by the OCC check.
ERR evaluating attestation policies: failed to persist crafting state: failed to save state:
rpc error: code = Aborted desc = saving attestation: failed to save attestation state:
the provided base digest doesn't match the stored state, it might have changed,
got="bb994066...", want="87664418..."
The PR metadata collector runs multiple times instead of once during RunCollectors. This needs investigation — possible duplicate collector registration or retry loop.
During
attestation initwith remote state, the PR metadata collector runs multiple times (observed 13 consecutive collections) beforeEvaluateAttestationPoliciesfails with a state digest conflict.Each successful collector save updates the server-side state, but the client-side digest tracking falls out of sync, causing the final policy evaluation write to be rejected by the OCC check.
Reproduction
Set up a local GitHub Actions environment:
Then run:
Expected: PR metadata collected once, policy evaluation succeeds.
Actual: PR metadata collected 13 times, policy evaluation fails with digest mismatch.
Analysis
Two issues are at play:
The PR metadata collector runs multiple times instead of once during
RunCollectors. This needs investigation — possible duplicate collector registration or retry loop.After collectors finish, the
RunCollectorsworkaround (added in fix: return digest from attestation state save for OCC support #2909) reloads state only ifUpdateCheckSumchanged. With multiple saves, the digest tracking can fall out of sync between client and server, causingEvaluateAttestationPolicies(added in feat(policies): add attestation phase lifecycle control #2765) to fail when it tries to save with a stale digest.Use Chainloop version v1.73.1 server and latest CLI