running buildah-tssc Step: buildah-tssc Results: /workspace/source/source/results/buildah-tssc Custom root CA variable is not set. Make sure CA trust is established ========Running buildah-tssc:login --- Registry Auth Bypass Active --- ========Running buildah-tssc:build [1/2] STEP 1/3: FROM registry.access.redhat.com/ubi9/nodejs-22:latest Trying to pull registry.access.redhat.com/ubi9/nodejs-22:latest... Getting image source signatures Checking if image destination supports signatures Copying blob sha256:17780622bfd6e55c1ae4afa4f82780056e4fcf6b7f994a18eb4f22be22cabb59 Copying blob sha256:d91079001e41f3b5af846e11beb8d30c880ad1842142178f178894e7da4a2502 Copying blob sha256:32783d1461b3ee812011d36c3fce99c5071f644064d3655ca39124ccdb1fb88b Copying config sha256:21e88db6643e9b52dfc7cd05504b3e9bd6272db9b930623e689fbe6840ba6c3b Writing manifest to image destination Storing signatures [1/2] STEP 2/3: COPY package.json package-lock.json* ./ [1/2] STEP 3/3: RUN if [ -f package-lock.json ]; then npm ci; else npm install; fi added 102 packages, and audited 103 packages in 2s 19 packages are looking for funding run `npm fund` for details found 0 vulnerabilities [2/2] STEP 1/6: FROM registry.access.redhat.com/ubi9/nodejs-22-minimal:latest Trying to pull registry.access.redhat.com/ubi9/nodejs-22-minimal:latest... Getting image source signatures Checking if image destination supports signatures Copying blob sha256:c2bd3d9db966052fa16a55058dea6295ef135c0ea089cfb7b612f5e5981aba40 Copying blob sha256:cd8d59cb7a894fbcbefe70d3cdbc433492e715351e24e77b24a441609ab2de47 Copying config sha256:55505b4473b851a51bb01f8a9e380b506ae7f919bc561c6d760f543dafa1d207 Writing manifest to image destination Storing signatures [2/2] STEP 2/6: COPY --from=0 /opt/app-root/src/node_modules /opt/app-root/src/node_modules [2/2] STEP 3/6: COPY . /opt/app-root/src [2/2] STEP 4/6: ENV NODE_ENV production [2/2] STEP 5/6: ENV PORT 3001 [2/2] STEP 6/6: CMD ["npm", "start"] [2/2] COMMIT quay.io/rhtap_qe/e2e-tests-nodejs-kkyenzls:b28afa50bd7f85110a58dd46cba4e4734642c319 Getting image source signatures Copying blob sha256:80837ee43f1ea0f9498b45e2d484bbf5094f292e992df3f4bf5a2df601a639af Copying blob sha256:0255acae6356cf339150cf200f3327f575acbeaaa43a4f85357876b66ebb7fbc Copying blob sha256:732ac8b122888306aeeb1dacf026535a2e98a866315af0eb42cec30f89376492 Copying config sha256:d001320cded791e6890e1efd53531c6d50a7b17670195802b8abfcae012f1168 Writing manifest to image destination --> d001320cded7 Successfully tagged quay.io/rhtap_qe/e2e-tests-nodejs-kkyenzls:b28afa50bd7f85110a58dd46cba4e4734642c319 d001320cded791e6890e1efd53531c6d50a7b17670195802b8abfcae012f1168 Getting image source signatures Copying blob sha256:732ac8b122888306aeeb1dacf026535a2e98a866315af0eb42cec30f89376492 Copying blob sha256:80837ee43f1ea0f9498b45e2d484bbf5094f292e992df3f4bf5a2df601a639af Copying blob sha256:0255acae6356cf339150cf200f3327f575acbeaaa43a4f85357876b66ebb7fbc Copying config sha256:d001320cded791e6890e1efd53531c6d50a7b17670195802b8abfcae012f1168 Writing manifest to image destination sha256:479ee1bfb7cee1d2686582ecb8a06ba6fadc23ca0d7fcced010f00ed230cf81fquay.io/rhtap_qe/e2e-tests-nodejs-kkyenzls:b28afa50bd7f85110a58dd46cba4e4734642c319Getting image source signatures Copying blob sha256:732ac8b122888306aeeb1dacf026535a2e98a866315af0eb42cec30f89376492 Copying blob sha256:80837ee43f1ea0f9498b45e2d484bbf5094f292e992df3f4bf5a2df601a639af Copying blob sha256:0255acae6356cf339150cf200f3327f575acbeaaa43a4f85357876b66ebb7fbc Copying config sha256:d001320cded791e6890e1efd53531c6d50a7b17670195802b8abfcae012f1168 Writing manifest to image destination ========Running buildah-tssc:generate-sboms { "bom-ref": "af63bd4c8601b7f1", "type": "file", "name": "e2e-tests-nodejs-kkyenzls", "version": "b28afa50bd7f85110a58dd46cba4e4734642c319" } { "bom-ref": "01f410d59ff16938", "type": "container", "name": "quay.io/rhtap_qe/e2e-tests-nodejs-kkyenzls:b28afa50bd7f85110a58dd46cba4e4734642c319", "version": "sha256:479ee1bfb7cee1d2686582ecb8a06ba6fadc23ca0d7fcced010f00ed230cf81f" } ========RUNNING PYTHON ========Running buildah-tssc:upload-sbom There is a discussion in sigstore community triggered by https://github.com/sigstore/cosign/issues/3599. It is likely that cosign attach deprecation will be reverted. Please, ignore deprecation warning for now. WARNING: SBOM attachments are deprecated and support will be removed in a Cosign release soon after 2024-02-22 (see https://github.com/sigstore/cosign/issues/2755). Instead, please use SBOM attestations. WARNING: Attaching SBOMs this way does not sign them. To sign them, use 'cosign attest --predicate /workspace/source/source/results/temp/files/sbom-cyclonedx.json --key '. Uploading SBOM file for [quay.io/rhtap_qe/e2e-tests-nodejs-kkyenzls:b28afa50bd7f85110a58dd46cba4e4734642c319] to [quay.io/rhtap_qe/e2e-tests-nodejs-kkyenzls:sha256-479ee1bfb7cee1d2686582ecb8a06ba6fadc23ca0d7fcced010f00ed230cf81f.sbom] with mediaType [application/vnd.cyclonedx+json]. ========