
Commit e001cf8

authored
Merge pull request #31 from shubham-stepsecurity/sm/test
fix: add retry logic for signing artifacts with cosign
2 parents f0d019d + 8417f66 commit e001cf8

1 file changed

Lines changed: 25 additions & 9 deletions


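--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -107,16 +107,32 @@ jobs:
 echo "win_arm64=$WIN_ARM64" >> "$GITHUB_OUTPUT"
 
 - name: Sign artifacts with Sigstore
+shell: bash
 run: |
-cosign sign-blob "${{ steps.binaries.outputs.darwin }}" \
---bundle dist/stepsecurity-dev-machine-guard-darwin_unnotarized.bundle --yes
-cosign sign-blob "${{ steps.binaries.outputs.win_amd64 }}" \
---bundle dist/stepsecurity-dev-machine-guard-windows_amd64.exe.bundle --yes
-cosign sign-blob "${{ steps.binaries.outputs.win_arm64 }}" \
---bundle dist/stepsecurity-dev-machine-guard-windows_arm64.exe.bundle --yes
-cosign sign-blob stepsecurity-dev-machine-guard.sh \
---bundle dist/stepsecurity-dev-machine-guard.sh.bundle --yes
-
+sign_with_retry() {
+local blob="$1"
+local bundle="$2"
+
+for attempt in 1 2 3; do
+if cosign sign-blob "$blob" --bundle "$bundle" --yes; then
+return 0
+fi
+echo "::warning::Signing attempt $attempt failed for $(basename "$blob"), retrying in 10s..."
+sleep 10
+done
+
+echo "::error::Signing failed for $(basename "$blob") after 3 attempts"
+return 1
+}
+
+sign_with_retry "${{ steps.binaries.outputs.darwin }}" \
+"dist/stepsecurity-dev-machine-guard-darwin_unnotarized.bundle"
+sign_with_retry "${{ steps.binaries.outputs.win_amd64 }}" \
+"dist/stepsecurity-dev-machine-guard-windows_amd64.exe.bundle"
+sign_with_retry "${{ steps.binaries.outputs.win_arm64 }}" \
+"dist/stepsecurity-dev-machine-guard-windows_arm64.exe.bundle"
+sign_with_retry "stepsecurity-dev-machine-guard.sh" \
+"dist/stepsecurity-dev-machine-guard.sh.bundle"
 - name: Upload cosign bundles
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}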
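Review bot: The three `${{ steps.binaries.outputs.* }}` arguments to `sign_with_retry` are substituted into the script text before bash parses it, so the double quotes around them do not constrain a value that itself contains a quote or `$(`. The context line above shows these outputs being written from shell variables whose origin is outside this hunk, so this may not be reachable today, but in a step that signs release artifacts it is safer to pass them through `env:` so they stay data. Separately, after the third failed attempt the loop still prints "retrying in 10s..." and sleeps before the error line. Guarding the warning and sleep with `[ "$attempt" -lt 3 ]` avoids that, and `attempt` could be declared `local` alongside `blob` and `bundle`.

```yaml
- name: Sign artifacts with Sigstore
  env:
    DARWIN_BIN: ${{ steps.binaries.outputs.darwin }}
    WIN_AMD64_BIN: ${{ steps.binaries.outputs.win_amd64 }}
    WIN_ARM64_BIN: ${{ steps.binaries.outputs.win_arm64 }}
  run: |
    # … unchanged: sign_with_retry definition …
    sign_with_retry "$DARWIN_BIN" \
      "dist/stepsecurity-dev-machine-guard-darwin_unnotarized.bundle"
    sign_with_retry "$WIN_AMD64_BIN" \
      "dist/stepsecurity-dev-machine-guard-windows_amd64.exe.bundle"
    sign_with_retry "$WIN_ARM64_BIN" \
      "dist/stepsecurity-dev-machine-guard-windows_arm64.exe.bundle"
    # … unchanged: signing of stepsecurity-dev-machine-guard.sh …
```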
