Add retries to VSA fetch (#319)

puerco · web-flow · commit af7518e369e6 · 2025-10-15T13:15:23.000-06:00
This commit adds a simple retry mechanism with backoff to the provenance
attestor to wait for the commit vsa to be generated when verifying a tag.

Signed-off-by: Adolfo Garcia Veytia (puerco) &lt;puerco@carabiner.dev&gt;
diff --git a/internal/cmd/checktag.go b/internal/cmd/checktag.go
@@ -26,6 +26,7 @@ type checkTagOptions struct {
 	actor              string
 	outputSignedBundle string
 	useLocalPolicy     string
+	vsaRetries         uint8
 }
 
 func (cto *checkTagOptions) Validate() error {
@@ -44,6 +45,7 @@ func (cto *checkTagOptions) AddFlags(cmd *cobra.Command) {
 	cmd.PersistentFlags().StringVar(&cto.actor, "actor", "", "The username of the actor that pushed the tag.")
 	cmd.PersistentFlags().StringVar(&cto.outputSignedBundle, "output_signed_bundle", "", "The path to write a bundle of signed attestations.")
 	cmd.PersistentFlags().StringVar(&cto.useLocalPolicy, "use_local_policy", "", "UNSAFE: Use the policy at this local path instead of the official one.")
+	cmd.PersistentFlags().Uint8Var(&cto.vsaRetries, "retries", 3, "Number of times to retry fetching the commit's VSA")
 }
 
 func addCheckTag(parentCmd *cobra.Command) {
@@ -69,6 +71,8 @@ func doCheckTag(args *checkTagOptions) error {
 
 	// Create tag provenance.
 	pa := attest.NewProvenanceAttestor(ghconnection, verifier)
+	pa.Options.VsaRetries = args.vsaRetries // Retry fetching the commit's VSA
+
 	prov, err := pa.CreateTagProvenance(ctx, args.commit, ghcontrol.TagToFullRef(args.tagName), args.actor)
 	if err != nil {
 		return fmt.Errorf("creating tag provenance metadata: %w", err)
diff --git a/pkg/attest/provenance.go b/pkg/attest/provenance.go
@@ -13,6 +13,7 @@ import (
 	"strings"
 	"time"
 
+	v1 "github.com/in-toto/attestation/go/predicates/vsa/v1"
 	spb "github.com/in-toto/attestation/go/v1"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/proto"
@@ -24,9 +25,14 @@ import (
 	"github.com/slsa-framework/source-tool/pkg/slsa"
 )
 
+type ProvenanceAttestorOptions struct {
+	VsaRetries uint8
+}
+
 type ProvenanceAttestor struct {
 	verifier      Verifier
 	gh_connection *ghcontrol.GitHubConnection
+	Options       ProvenanceAttestorOptions
 }
 
 func NewProvenanceAttestor(gh_connection *ghcontrol.GitHubConnection, verifier Verifier) *ProvenanceAttestor {
@@ -267,10 +273,22 @@ func (pa ProvenanceAttestor) CreateTagProvenance(ctx context.Context, commit, re
 	// Find the most recent VSA for this commit. Any reference is OK.
 	// TODO: in the future get all of them.
 	// TODO: we should actually verify this vsa: https://github.com/slsa-framework/source-tool/issues/148
-	vsaStatement, vsaPred, err := GetVsa(ctx, pa.gh_connection, pa.verifier, commit, ghcontrol.AnyReference)
-	if err != nil {
-		return nil, fmt.Errorf("error fetching VSA when creating tag provenance %w", err)
+	var tries uint8
+	var vsaStatement *spb.Statement
+	var vsaPred *v1.VerificationSummary
+	for {
+		vsaStatement, vsaPred, err = GetVsa(ctx, pa.gh_connection, pa.verifier, commit, ghcontrol.AnyReference)
+		if err != nil {
+			return nil, fmt.Errorf("error fetching VSA when creating tag provenance %w", err)
+		}
+
+		tries++
+		if tries >= pa.Options.VsaRetries || vsaPred != nil {
+			break
+		}
+		time.Sleep(time.Duration(tries*5) * time.Second)
 	}
+
 	if vsaPred == nil {
 		// TODO: If there's not a VSA should we still issue provenance?
 		return nil, nil
