@@ -107,16 +107,32 @@ jobs:
107107 echo "win_arm64=$WIN_ARM64" >> "$GITHUB_OUTPUT"
108108
109109 - name : Sign artifacts with Sigstore
110+ shell : bash
110111 run : |
111- cosign sign-blob "${{ steps.binaries.outputs.darwin }}" \
112- --bundle dist/stepsecurity-dev-machine-guard-darwin_unnotarized.bundle --yes
113- cosign sign-blob "${{ steps.binaries.outputs.win_amd64 }}" \
114- --bundle dist/stepsecurity-dev-machine-guard-windows_amd64.exe.bundle --yes
115- cosign sign-blob "${{ steps.binaries.outputs.win_arm64 }}" \
116- --bundle dist/stepsecurity-dev-machine-guard-windows_arm64.exe.bundle --yes
117- cosign sign-blob stepsecurity-dev-machine-guard.sh \
118- --bundle dist/stepsecurity-dev-machine-guard.sh.bundle --yes
119-
112+ sign_with_retry() {
113+ local blob="$1"
114+ local bundle="$2"
115+
116+ for attempt in 1 2 3; do
117+ if cosign sign-blob "$blob" --bundle "$bundle" --yes; then
118+ return 0
119+ fi
120+ echo "::warning::Signing attempt $attempt failed for $(basename "$blob"), retrying in 10s..."
121+ sleep 10
122+ done
123+
124+ echo "::error::Signing failed for $(basename "$blob") after 3 attempts"
125+ return 1
126+ }
127+
128+ sign_with_retry "${{ steps.binaries.outputs.darwin }}" \
129+ "dist/stepsecurity-dev-machine-guard-darwin_unnotarized.bundle"
130+ sign_with_retry "${{ steps.binaries.outputs.win_amd64 }}" \
131+ "dist/stepsecurity-dev-machine-guard-windows_amd64.exe.bundle"
132+ sign_with_retry "${{ steps.binaries.outputs.win_arm64 }}" \
133+ "dist/stepsecurity-dev-machine-guard-windows_arm64.exe.bundle"
134+ sign_with_retry "stepsecurity-dev-machine-guard.sh" \
135+ "dist/stepsecurity-dev-machine-guard.sh.bundle"
120136 - name : Upload cosign bundles
121137 env :
122138 GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
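Review bot: The three `${{ steps.binaries.outputs.* }}` expressions in the `sign_with_retry` calls are still expanded into the script text before bash parses it, so a path containing a quote, `$(...)` or a backtick would be interpreted by the shell instead of being passed as a file name. These outputs look like build-produced paths written by the earlier step, so the exposure is probably small, but a signing step is a good place to pass them through `env:` and reference them as quoted shell variables, as sketched below (the variable names are illustrative). Separately, the loop prints "retrying in 10s..." and sleeps after the third failure as well; guarding those two lines with `if [ "$attempt" -lt 3 ]; then … fi` keeps the log accurate and avoids a needless ten-second wait before the error. The signing step is complete within the hunk, while the step that sets the outputs and the upload step are only partly visible.

```yaml
  shell: bash
  env:
    DARWIN_BIN: ${{ steps.binaries.outputs.darwin }}
    WIN_AMD64_BIN: ${{ steps.binaries.outputs.win_amd64 }}
    WIN_ARM64_BIN: ${{ steps.binaries.outputs.win_arm64 }}
  run: |
    # … unchanged: sign_with_retry definition …
    sign_with_retry "$DARWIN_BIN" \
      "dist/stepsecurity-dev-machine-guard-darwin_unnotarized.bundle"
    sign_with_retry "$WIN_AMD64_BIN" \
      "dist/stepsecurity-dev-machine-guard-windows_amd64.exe.bundle"
    sign_with_retry "$WIN_ARM64_BIN" \
      "dist/stepsecurity-dev-machine-guard-windows_arm64.exe.bundle"
    # … unchanged: signing of stepsecurity-dev-machine-guard.sh …
```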