build: add cosign 409 diagnostic message #2277
Draft
ideaship wants to merge 1 commit into
When cosign sign exits non-zero with a createLogEntryConflict HTTP 409 response, the raw error message from Rekor gives no indication of why the retry will also fail or what to do next. This can happen when Rekor accepts the signing bundle but the subsequent OCI .sig push fails transiently; any retry of the full cosign sign command then sees a duplicate Rekor entry and exits rc=1 permanently.

Wrap the cosign call so that on failure the output is checked for the createLogEntryConflict string. When found, a NOTE is printed that points to the upstream cosign bug and explains that the next build will succeed because it produces a fresh image digest. The build still fails with the original non-zero exit code; no behaviour change for any other cosign error.

Upstream: sigstore/cosign#4711
AI-assisted: Claude Code
Signed-off-by: Roger Luethi <luethi@osism.tech>
Hey - I've left some high level feedback:
- This shell snippet now depends on Bash-specific features like `PIPESTATUS` and `[[ ]]`; if the Ansible task runs with `/bin/sh` or a non-Bash shell, consider explicitly setting `executable: /bin/bash` or rewriting to POSIX shell to avoid runtime errors.
- The use of a hardcoded `cosign-output.txt` file may leave artifacts and could clash in reused workspaces; consider using a temporary file (e.g., via `mktemp`) and cleaning it up after use or capturing the output in a variable instead.
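The wrapper the commit message describes, written here as an added example rather than the PR's own diff (which this page does not show), in POSIX sh so that it also covers the reviewer's two points: no `PIPESTATUS` or `[[ ]]`, and a `mktemp` file that is removed after use instead of a hardcoded `cosign-output.txt`. The function names, the second temp file used to carry the exit status out of the pipeline, and the two fake cosign stand-ins (with constructed error text that only approximates the shape of real Rekor output) are this example's own assumptions; the upstream reference is the one from the commit message.

```shell
#!/bin/sh
# Added example (not the PR's or the project's code): POSIX-sh wrapper around a
# signing command. It streams the command's output, keeps a copy in a mktemp
# file, prints a diagnostic NOTE when that copy contains the Rekor HTTP 409
# marker "createLogEntryConflict", and always returns the wrapped command's
# own exit status. All names below are this example's own assumptions.

CONFLICT_MARKER="createLogEntryConflict"
UPSTREAM_REF="sigstore/cosign#4711"   # reference taken from the commit message

# classify_cosign_failure OUTPUT_FILE RC
# Prints one of: ok, conflict, other-error.
classify_cosign_failure() {
    if [ "$2" -eq 0 ]; then
        echo ok
    elif grep -q "$CONFLICT_MARKER" "$1"; then
        echo conflict
    else
        echo other-error
    fi
}

# print_conflict_note: the diagnostic that follows the raw cosign error.
print_conflict_note() {
    cat >&2 <<EOF
NOTE: cosign failed with a Rekor createLogEntryConflict (HTTP 409).
      Rekor already holds an entry for this exact digest, so re-running the
      same 'cosign sign' command will fail the same way. The next build
      produces a fresh image digest and is expected to succeed.
      Upstream: $UPSTREAM_REF
EOF
}

# run_signed CMD [ARGS...]
# Runs CMD, tees its combined stdout/stderr live into a temp file, prints the
# NOTE only for the conflict case, cleans up and returns CMD's exit status.
# POSIX sh has no PIPESTATUS, so the status is written to a second temp file
# from inside the pipeline (the &&/|| form also keeps this safe under set -e).
run_signed() {
    rs_out=$(mktemp) || return 1
    rs_rc=$(mktemp) || { rm -f "$rs_out"; return 1; }
    { "$@" 2>&1 && echo 0 >"$rs_rc" || echo $? >"$rs_rc"; } | tee "$rs_out"
    rs_status=$(cat "$rs_rc")
    if [ "$(classify_cosign_failure "$rs_out" "$rs_status")" = conflict ]; then
        print_conflict_note
    fi
    rm -f "$rs_out" "$rs_rc"
    return "$rs_status"
}

# Constructed stand-ins for cosign so the example runs offline; the messages
# only approximate the shape of real cosign/Rekor output.
fake_cosign_conflict() {
    echo "Error: signing example.invalid/image@sha256:0000: rekor: 409 createLogEntryConflict"
    return 1
}
fake_cosign_other() {
    echo "Error: signing example.invalid/image@sha256:0000: unauthorized"
    return 2
}

# Demo when run directly: both failures keep their own exit status, and only
# the conflict case gets the NOTE.
run_signed fake_cosign_conflict; echo "exit status: $?"
run_signed fake_cosign_other;    echo "exit status: $?"
```

In an Ansible `shell` task this would replace the `cosign sign ... | tee cosign-output.txt` form: the task's own exit code is the wrapped command's, so a 409 still fails the build, while the NOTE gives the operator the reason without changing behaviour for any other cosign error.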
Summary

When `cosign sign` fails with HTTP 409 `createLogEntryConflict`, the raw Rekor error gives no indication of the cause or when it will self-resolve. This adds a diagnostic NOTE after the error that points to the upstream bug and explains that the next build will succeed.

`.sig` push then fails transiently, and any retry of the full `cosign sign` command hits a duplicate Rekor entry permanently

Test plan

`createLogEntryConflict` → no change in output or exit code)

🤖 Generated with Claude Code