Analysis on Maven projects failing due to certificate validation error against Maven Central artefacts #18598
Labels
question
Further information is requested
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
At some point in the last week CodeQL jobs across our repositories started failing. Sampling our repositories Action history this starting happening approximately 4-5 days ago e.g.
Note that it's hard to pinpoint an exact point in time where this happened as repositories have varying levels of activity. There is no common factor of change that we can identify across these repositories. Some of the failures were triggered by our developers opening PR, but others were triggered by automated PRs from tools like Dependabot (e.g. the 3rd example job below). For repositories where no builds have been triggered, or no PRs opened in the time window, then we see no failures and the most recent run from 5+ days ago was successful.
The following are some example failing jobs across several repositories, and branches thereof, in our organisation:
Looking in the job logs we see a bunch of errors from CodeQL, but looking through the job logs the root cause looks to be the following:
For some reason the CodeQL job/tools doesn't seem to have the right certificates available to verify the certificate of Maven Central?? Thus it won't download the Maven dependencies and fails the entire job.
A quick check in my browser shows that the certificate on
repo.maven.apache.orgappears valid AFAICT:What's going on here?
The text was updated successfully, but these errors were encountered: