feat(publish-image*): Add cosign retries (#83)

We are seeing infrequent cosign failures. Most of them are caused
by external the Fulcio service being unavailable for short bursts
of time. To make the publish-image and publish-image-index-manifest
actions more resilient against this flakiness, this PR introduces
a generic retry script which will run the specified command N times
with a timeout between individual retries.

By default, the cosign commands are retried 3 times with a timeout
of 30 seconds. These values can be overridden by the the following
action inputs:

- cosign-retries
- cosign-retry-timeout

Author: Techassi

.scripts/actions/retry.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Retries any command passed to this script a maximum number of $CMD_RETRIES and
+# wait $CMD_TIMEOUT between each try. If the command failed $CMD_RETRIES, this
+# script will return with exit code 1.
+for TRY in $(seq 1 "$CMD_RETRIES"); do
+  "$@"
+
+  EXIT_CODE=$?
+  # If command ran successfully, exit the loop
+  if [ $EXIT_CODE -eq 0 ]; then
+    break
+  fi
+
+  echo "Command failed $TRY time(s)"
+
+  # Exit if we reached the number if retries and the command didn't run successfully
+  if [ "$TRY" == "$CMD_RETRIES" ]; then
+    echo "Exiting"
+    exit 1
+  fi
+
+  echo "Waiting for $CMD_TIMEOUT to try again"
+  sleep "$CMD_TIMEOUT"
+done

publish-image-index-manifest/README.md

@@ -15,12 +15,16 @@ This action creates an image index manifest, publishes it, and signs it. It does
 
 ### Inputs
 
-- `image-registry-uri`(eg: `oci.stackable.tech`)
-- `image-registry-username` (required)
-- `image-registry-password` (required)
-- `image-repository` (eg: `stackable/kafka`)
-- `image-index-manifest-tag` (eg: `3.4.1-stackable0.0.0-dev`)
-- `image-architectures` (defaults to `["amd64", "arm64"]`)
+| Input                      | Required (Default)        | Description                                                                         |
+| -------------------------- | ------------------------- | ----------------------------------------------------------------------------------- |
+| `image-registry-uri`       | Yes                       | The image registry URI, eg `oci.stackable.tech`                                     |
+| `image-registry-username`  | Yes                       | The username used to access the image registry                                      |
+| `image-registry-password`  | Yes                       | The password used to access the image registry                                      |
+| `image-repository`         | Yes                       | The path to the image, eg `sdp/kafka`                                               |
+| `image-index-manifest-tag` | Yes                       | Human-readable tag without architecture information, eg `3.4.1-stackable0.0.0-dev`  |
+| `image-architectures`      | No (`["amd64", "arm64"]`) | The list of architectures the to-bo-published image was built for                   |
+| `cosign-retries`           | No (3)                    | The number of times cosign operations should be retried                             |
+| `cosign-retry-timeout`     | No (30s)                  | Duration to wait before a new cosign operation is retried, format: `NUMBER[SUFFIX]` |
 
 ### Outputs
 

publish-image-index-manifest/action.yaml

@@ -28,6 +28,15 @@ inputs:
       ["amd64", "arm64", "riscv"]
     default: |
       ["amd64", "arm64"]
+  cosign-retries:
+    description: The number of times cosign operations should be retried
+    default: "3"
+  cosign-retry-timeout:
+    description: |
+      Duration to wait before a new cosign operation is retried, format: `NUMBER[SUFFIX]`.
+      SUFFIX may be 's' for seconds (the default), 'm' for minutes, 'h' for hours or 'd' for days.
+      See `sleep --help` for the full details.
+    default: "30s"
 outputs:
   image-index-uri:
     description: The Image Index URI.
@@ -97,6 +106,8 @@ runs:
     - name: Sign Image Index Manifest
       shell: bash
       env:
+        CMD_TIMEOUT: ${{ inputs.cosign-retry-timeout }}
+        CMD_RETRIES: ${{ inputs.cosign-retries }}
         IMAGE_REPOSITORY: ${{ inputs.image-repository }}
         REGISTRY_URI: ${{ inputs.image-registry-uri }}
       run: |
@@ -112,4 +123,4 @@ runs:
         # This generates a signature and publishes it to the registry, next to
         # the image. This step uses the keyless signing flow with Github Actions
         # as the identity provider.
-        cosign sign --yes "$IMAGE_REPO_DIGEST"
+        "$GITHUB_ACTION_PATH/../.scripts/actions/retry.sh" cosign sign --yes "$IMAGE_REPO_DIGEST"

publish-image/README.md

@@ -26,12 +26,16 @@ following work:
 
 ### Inputs
 
-- `image-registry-uri` (eg: `oci.stackable.tech`)
-- `image-registry-username` (required)
-- `image-registry-password` (required)
-- `image-repository` (eg: `stackable/kafka`)
-- `image-manifest-tag` (eg: `3.4.1-stackable0.0.0-dev-amd64`)
-- `source-image-uri` (eg: `localhost/kafka:3.4.1-stackable0.0.0-dev-amd64`)
+| Input                     | Required (Default) | Description                                                                           |
+| ------------------------- | ------------------ | ------------------------------------------------------------------------------------- |
+| `image-registry-uri`      | Yes                | The image registry URI, eg `oci.stackable.tech`                                       |
+| `image-registry-username` | Yes                | The username used to access the image registry                                        |
+| `image-registry-password` | Yes                | The password used to access the image registry                                        |
+| `image-repository`        | Yes                | The path to the image, eg `sdp/kafka`                                                 |
+| `image-manifest-tag`      | Yes                | Human-readable tag with architecture information, eg `3.4.1-stackable0.0.0-dev-amd64` |
+| `source-image-uri`        | Yes                | The source image uri, which gets re-tagged by this action, eg `localhost/kafka:...`   |
+| `cosign-retries`          | No (3)             | The number of times cosign operations should be retried                               |
+| `cosign-retry-timeout`    | No (30s)           | Duration to wait before a new cosign operation is retried, format: `NUMBER[SUFFIX]`   |
 
 ### Outputs
 

publish-image/action.yaml

@@ -42,6 +42,15 @@ inputs:
       The source image uri, which gets re-tagged by this action to be pushed to
       the appropriate registry.
     required: true
+  cosign-retries:
+    description: The number of times cosign operations should be retried
+    default: "3"
+  cosign-retry-timeout:
+    description: |
+      Duration to wait before a new cosign operation is retried, format: `NUMBER[SUFFIX]`.
+      SUFFIX may be 's' for seconds (the default), 'm' for minutes, 'h' for hours or 'd' for days.
+      See `sleep --help` for the full details.
+    default: "30s"
 runs:
   using: composite
   steps:
@@ -90,17 +99,22 @@ runs:
 
     - name: Sign the container image (${{ env.IMAGE_REPO_DIGEST }})
       shell: bash
+      env:
+        CMD_TIMEOUT: ${{ inputs.cosign-retry-timeout }}
+        CMD_RETRIES: ${{ inputs.cosign-retries }}
       run: |
         set -euo pipefail
 
         # This generates a signature and publishes it to the registry, next to
         # the image. This step uses the keyless signing flow with Github Actions
         # as the identity provider.
-        cosign sign --yes "${IMAGE_REPO_DIGEST}"
+        "$GITHUB_ACTION_PATH/../.scripts/actions/retry.sh" cosign sign --yes "${IMAGE_REPO_DIGEST}"
 
     - name: Generate SBOM for the container image (${{ env.IMAGE_REPO_DIGEST }})
       shell: bash
       env:
+        CMD_TIMEOUT: ${{ inputs.cosign-retry-timeout }}
+        CMD_RETRIES: ${{ inputs.cosign-retries }}
         IMAGE_MANIFEST_TAG: ${{ inputs.image-manifest-tag }}
         IMAGE_REPOSITORY: ${{ inputs.image-repository }}
         REGISTRY_URI: ${{ inputs.image-registry-uri }}
@@ -141,8 +155,15 @@ runs:
         # Merge SBOM components using https://github.com/stackabletech/mergebom
         curl --fail -L -o mergebom https://repo.stackable.tech/repository/packages/mergebom/stable-$(uname -m)
         curl --fail -L -o mergebom_signature.bundle https://repo.stackable.tech/repository/packages/mergebom/stable-$(arch)_signature.bundle
+
         # Verify signature
-        cosign verify-blob --certificate-identity 'https://github.com/stackabletech/mergebom/.github/workflows/build_binary.yaml@refs/heads/main' --certificate-oidc-issuer https://token.actions.githubusercontent.com --bundle mergebom_signature.bundle mergebom
+        "$GITHUB_ACTION_PATH/../.scripts/actions/retry.sh" cosign verify-blob \
+          --certificate-identity 'https://github.com/stackabletech/mergebom/.github/workflows/build_binary.yaml@refs/heads/main' \
+          --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+          --bundle mergebom_signature.bundle \
+          mergebom
+
+        # Run mergebom
         chmod +x ./mergebom
         ./mergebom sbom_raw.json sbom.json
 
@@ -167,7 +188,8 @@ runs:
           } * .[0]' sbom.json > sbom.merged.json
 
         # Attest the SBOM to the image
-        cosign attest \
-          --yes \
-          --predicate sbom.merged.json \
-          --type cyclonedx "${IMAGE_REPO_DIGEST}"
+        "$GITHUB_ACTION_PATH/../.scripts/actions/retry.sh" cosign attest \
+            --yes \
+            --predicate sbom.merged.json \
+            --type cyclonedx \
+            "${IMAGE_REPO_DIGEST}"