fix(build-push-docker-manifest): idempotent manifest + cosign reruns (RANE-4683) #1577
HashWrangler wants to merge 8 commits into
👋 HashWrangler, thanks for creating this pull request! To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team. Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!
…(RANE-4683)
- Skip imagetools create when the tag already references the expected platform digests; fail if the tag exists with different digests
- Skip cosign sign when verify already succeeds (idempotent rerun)
- Retry cosign verify after sign for Sigstore propagation flakes

Together these changes make build-publish manifest jobs safe to rerun without digest drift or redundant signing, while still failing loudly on real conflicts.
856ffb7 to b6b6a44
Pull request overview
This PR hardens the build-push-docker-manifest composite action to make build-publish reruns idempotent and reduce flakiness around Cosign verification/signature propagation.
Changes:
- Adds an idempotency guard for manifest creation by comparing expected vs existing platform digests and skipping `imagetools create` when they match.
- Skips `cosign sign` when an existing valid signature is already present, and adds retry logic to `cosign verify` to absorb Sigstore propagation lag.
- Adds a changeset to release these hardening updates as a minor version bump.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| actions/build-push-docker-manifest/action.yml | Adds digest comparison to avoid manifest digest drift on reruns; makes cosign signing/verification rerun-safe with skip + retry behavior. |
| .changeset/rane-4683-manifest-cosign-hardening.md | Declares a minor release for the manifest + cosign hardening changes. |
- Ensure jq is installed before digest comparison
- Validate docker-image-name-digests is non-empty
- Only skip cosign sign when OIDC identity constraints verify
- Fail fast on unexpected imagetools inspect errors (not just missing tag)
Keep MANIFEST_CREATE_SKIPPED expression on one line and only sleep between cosign verify retries, not after the final failed attempt.
- Fail fast when jq is missing and apt-get/sudo are unavailable
- Shorten step/output ids so summary env expressions stay on one line under Prettier (avoids split ${{ }} expressions)
…empotency
Treat digest lists as sets: sort -u in normalization and existing-manifest inspection, and reuse normalized digests when building imagetools create args.
- Only sleep between manifest digest inspect retries, not after the final fail
- Fail fast when an existing tag has no extractable platform digests instead of falling through to imagetools create (digest drift on rerun)
Reject non-sha256 tokens in normalize_digest_csv so bad docker-image-name-digests input fails fast with a clear error instead of deferring to imagetools create.
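As an added example (not the action.yml from this PR), here is the digest-set guard that the review overview and the `normalize_digest_csv` / sort -u commits describe, in POSIX shell: the expected input digests are validated and normalized into a set, the tag's existing platform digests are normalized the same way, and the step decides between create, skip and conflict, failing fast on bad input or on an existing tag with no extractable digests. The function names and the sample digests are assumptions.

```shell
#!/bin/sh
# Added example, not the action.yml from this PR. normalize_digest_csv and
# manifest_decision are assumed names; the digests at the bottom are constructed.
set -eu

# Normalize a comma/whitespace separated digest list into a sorted, de-duplicated
# set, one digest per line. Empty input or any token that is not a sha256 digest
# is a hard error, so bad docker-image-name-digests input fails before the
# registry is touched.
normalize_digest_csv() {
  toks=$(printf '%s' "$1" | tr ',' ' ')
  [ -n "$(printf '%s' "$toks" | tr -d ' \n\t')" ] || { echo "empty digest list" >&2; return 1; }
  for tok in $toks; do
    if ! printf '%s' "$tok" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
      echo "invalid digest token: '$tok'" >&2
      return 1
    fi
  done
  printf '%s\n' $toks | sort -u
}

# $1 expected digest csv (action input); $2 tag state, missing|exists;
# $3 platform digests extracted from the existing tag (empty if none found).
# In the real job $3 would come from something like:
#   docker buildx imagetools inspect --raw "$TAG" \
#     | jq -r '.manifests[] | select(.platform.os != "unknown") | .digest'
# Prints create | skip | conflict; a non-zero exit means fail fast.
manifest_decision() {
  expected=$(normalize_digest_csv "$1") || return 1
  case "$2" in
    missing) echo create; return 0 ;;
    exists) ;;
    *) echo "unknown tag state: '$2'" >&2; return 1 ;;
  esac
  if [ -z "$3" ]; then
    echo "tag exists but exposes no platform digests; refusing to recreate" >&2
    return 1
  fi
  existing=$(normalize_digest_csv "$3") || return 1
  if [ "$expected" = "$existing" ]; then echo skip; else echo conflict; fi
}

# Constructed sample digests (64 hex chars each) standing in for per-arch images.
D_AMD64="sha256:$(printf '%064d' 1)"
D_ARM64="sha256:$(printf '%064d' 2)"

# Rerun against a tag whose index already references both digests, in any
# order and with duplicates: prints "skip".
manifest_decision "$D_AMD64,$D_ARM64" exists "$D_ARM64,$D_AMD64,$D_ARM64"
```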
I wonder if it's better if we don't verify the signature in this action, but rather verify it in the reusable workflow? Thoughts? @chainchad
…ty guard
jq is preinstalled on GitHub-hosted ubuntu-24.04 runners; fail fast with a clear error when missing instead of apt-get/sudo install logic.
Summary
Single holistic hardening pass for `build-publish` manifest job flakes and non-idempotent reruns (RANE-4683).
- `imagetools create` again → new index digest (digest drift)
- `cosign verify` already succeeds
- `no signatures found` right after sign
Parent epic: RANE-4695 private release improvements.
Why one PR
All three changes live in `build-push-docker-manifest` and address the same operational failure mode: manifest jobs that fail intermittently and only pass on rerun. Splitting would ship partial behavior (e.g. verify retry without idempotent create still drifts digest on rerun).
Evidence
- `v2.990.5-beta.0` — cosign verify flake; rerun passed
Out of scope (separate PR)
Test plan
- `build-push-docker-manifest` release
- `reusable-docker-build-publish@build-push-docker-manifest/v1` picks up release