From 37c4a7b690edb12d1bcbd6f58ef9c0675fd61d2d Mon Sep 17 00:00:00 2001
From: Owen
Date: Sat, 24 Jan 2026 11:55:32 -0800
Subject: [PATCH] Retry verify
---
 .github/workflows/cicd.yml | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
index b3e1c0a3..715b74c7 100644
--- a/.github/workflows/cicd.yml
+++ b/.github/workflows/cicd.yml
@@ -482,14 +482,32 @@ jobs:
 echo "==> cosign sign (key) --recursive ${REF}"
 cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${REF}"
+ # Retry wrapper for verification to handle registry propagation delays
+ retry_verify() {
+ local cmd="$1"
+ local attempts=6
+ local delay=5
+ local i=1
+ until eval "$cmd"; do
+ if [ $i -ge $attempts ]; then
+ echo "Verification failed after $attempts attempts"
+ return 1
+ fi
+ echo "Verification not yet available. Retry $i/$attempts after ${delay}s..."
+ sleep $delay
+ i=$((i+1))
+ delay=$((delay*2))
+ # Cap the delay to avoid very long waits
+ if [ $delay -gt 60 ]; then delay=60; fi
+ done
+ return 0
+ }
 echo "==> cosign verify (public key) ${REF}"
- cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text
+ retry_verify "cosign verify --key env://COSIGN_PUBLIC_KEY '${REF}' -o text"
 echo "==> cosign verify (keyless policy) ${REF}"
- cosign verify \
- --certificate-oidc-issuer "${issuer}" \
- --certificate-identity-regexp "${id_regex}" \
- "${REF}" -o text
+ retry_verify "cosign verify --certificate-oidc-issuer '${issuer}' --certificate-identity-regexp '${id_regex}' '${REF}' -o text"
 echo "✓ Successfully signed and verified ${BASE_IMAGE}:${IMAGE_TAG}"
 done
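Review bot: The new `retry_verify` executes its argument with `eval`, and both call sites build that string by splicing `${REF}`, `${issuer}` and `${id_regex}` inside single quotes, so any of those values containing a `'` (a regexp is the likeliest) breaks the quoting and is then interpreted as shell rather than passed as an argument; this is a step back from the removed lines, which passed the values as properly double-quoted arguments. Passing the command as separate words removes both the `eval` and the extra quoting layer: keep the loop as it is, change the condition to `until "$@"; do`, and invoke it as `retry_verify cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text` (rewrite below). Separately, the loop treats every non-zero exit as "not yet available", so a genuine signature or identity mismatch is retried for roughly 135 s (5+10+20+40+60) under a misleading message before the step fails; including cosign's exit status in that message would make a real failure distinguishable in the log. The enclosing `for` loop begins outside the hunk.

```shell
retry_verify() {
  # … unchanged: attempts/delay/i locals …
  until "$@"; do
    # … unchanged: attempt limit, message, sleep, backoff and cap …
  done
  return 0
}

echo "==> cosign verify (public key) ${REF}"
retry_verify cosign verify --key env://COSIGN_PUBLIC_KEY "${REF}" -o text

echo "==> cosign verify (keyless policy) ${REF}"
retry_verify cosign verify \
  --certificate-oidc-issuer "${issuer}" \
  --certificate-identity-regexp "${id_regex}" \
  "${REF}" -o text
```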