diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 54b073a..971814b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -67,10 +67,40 @@ jobs: IMAGE_DIGEST: ${{ needs.build-docker-image.outputs.image_digest }} CERT_OIDC_ISSUER: https://token.actions.githubusercontent.com CERT_IDENTITY: ${{ format('https://github.com/{0}', github.workflow_ref) }} + SIGNER_WORKFLOW_REF: ${{ github.workflow_ref }} run: | IMAGE_REF="${IMAGE_NAME}@${IMAGE_DIGEST}" - cosign sign "${IMAGE_REF}" - cosign verify \ - --certificate-identity "${CERT_IDENTITY}" \ - --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \ - "${IMAGE_REF}" + # Docker Hub can lag before a newly pushed signature is queryable. + for i in 1 2 3; do + cosign sign -a signer_workflow_ref="${SIGNER_WORKFLOW_REF}" "${IMAGE_REF}" && break + if [ "$i" -eq 3 ]; then + exit 1 + fi + sleep $((i * 5)) + done + - name: Debug cosign data + if: failure() + env: + IMAGE_NAME: docker.io/digintlab/opencti-connector + IMAGE_DIGEST: ${{ needs.build-docker-image.outputs.image_digest }} + run: | + IMAGE_REF="${IMAGE_NAME}@${IMAGE_DIGEST}" + echo "Debug image ref: ${IMAGE_REF}" + echo "Cosign tree:" + cosign tree "${IMAGE_REF}" || true + echo "Cosign verify (unfiltered):" + cosign verify "${IMAGE_REF}" || true + for i in 1 2 3 4 5; do + if cosign verify \ + -a signer_workflow_ref="${SIGNER_WORKFLOW_REF}" \ + --certificate-identity "${CERT_IDENTITY}" \ + --certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \ + "${IMAGE_REF}"; then + exit 0 + fi + if [ "$i" -eq 5 ]; then + echo "Verification failed after retries" + exit 1 + fi + sleep $((i * 5)) + done