
fix(ci): retry cosign transparency log failures#965

Merged: bupd merged 1 commit into main from fix/cosign-retry-transparency-log on Jun 2, 2026

Conversation

bupd (Member) commented May 26, 2026

Summary

  • Retry cosign attest and cosign sign when Sigstore/Rekor returns transient transport errors such as stream INTERNAL_ERROR.
  • Treat Rekor duplicate transparency-log entries as success so reruns do not fail after an entry was already created.
  • Increase the per-cosign timeout from 1 minute to 2 minutes for signing bundle creation.

Root Cause

The image publish step succeeds before the workflow enters Sigstore/Rekor signing. The Dagger module ran each cosign command once, so transient transparency-log errors or duplicate entries from reruns failed the whole job even when the publish side had completed.

Testing

  • git diff --check
  • dagger call publish-image-and-sign --help

go test ./... under .dagger is not runnable from a plain checkout because the generated internal/dagger package is gitignored and absent until Dagger loads the module.

Closes #964

codecov bot commented May 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 8.61%. Comparing base (60ad0bd) to head (1178f8c).
⚠️ Report is 181 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##             main    #965      +/-   ##
=========================================
- Coverage   10.99%   8.61%   -2.38%     
=========================================
  Files         173     314     +141     
  Lines        8671   15743    +7072     
=========================================
+ Hits          953    1357     +404     
- Misses       7612   14260    +6648     
- Partials      106     126      +20     


Signed-off-by: Prasanth Baskar <bupdprasanth@gmail.com>
@bupd bupd force-pushed the fix/cosign-retry-transparency-log branch from d0e73fb to 1178f8c Compare May 28, 2026 21:28
@bupd bupd requested a review from Copilot May 28, 2026 21:28
bupd (Member, Author) commented May 28, 2026

@codex review

Copilot AI (Contributor) left a comment

Pull request overview

Adds resilience to the Cosign attest/sign steps in the Dagger publish pipeline so transient Sigstore/Rekor transport errors are retried and duplicate Rekor entries from reruns are treated as success.

Changes:

  • New cosignWithRetry shell wrapper that retries up to 3 times on transient transport errors (INTERNAL_ERROR, stream errors, timeouts, connection reset, temporary failure) with linear backoff, and short-circuits to success on createLogEntryConflict / "equivalent entry already exists".
  • Per-cosign --timeout raised from 1m to 2m, and arguments routed through a new shellQuote helper.
  • Minor cleanup in PublishImageAndSign (trailing whitespace / stray semicolon in the GenerateSBOM call).

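A shell retry wrapper of the kind the PR summary and the review above describe, as an added example that is not the project's own cosignWithRetry: the function names, the COSIGN_* variables and the exact form of the error patterns are assumptions. It retries transient transport errors with linear backoff and treats a Rekor duplicate-entry conflict as success, so a rerun after a partially completed signing step does not fail.

```shell
#!/usr/bin/env bash
# Added example (not the project's cosignWithRetry): retry a cosign invocation on
# transient Sigstore/Rekor transport errors, and treat a duplicate transparency-log
# entry as success. Names, variables and the exact patterns below are assumptions.

COSIGN_MAX_ATTEMPTS="${COSIGN_MAX_ATTEMPTS:-3}"
COSIGN_BACKOFF_SECONDS="${COSIGN_BACKOFF_SECONDS:-5}"

# Transport-level failures worth retrying: the categories the PR description lists.
is_transient_error() {
  case "$1" in
    *INTERNAL_ERROR*|*"stream error"*|*timeout*|*"connection reset"*|*"temporary failure"*)
      return 0 ;;
  esac
  return 1
}

# Rekor already holds an equivalent entry: an earlier run uploaded it, so a rerun
# must not fail here; the signature/attestation is already in the log.
is_duplicate_entry() {
  case "$1" in
    *createLogEntryConflict*|*"equivalent entry already exists"*) return 0 ;;
  esac
  return 1
}

# Usage: cosign_with_retry cosign sign --timeout 2m ... (any command works).
# Exit 0 on success or duplicate entry; otherwise the command's last exit code.
cosign_with_retry() {
  attempt=1
  while :; do
    output=$("$@" 2>&1) && rc=0 || rc=$?
    [ "$rc" -eq 0 ] && return 0
    if is_duplicate_entry "$output"; then
      echo "cosign: transparency log entry already exists, treating as success" >&2
      return 0
    fi
    # Non-transient errors fail immediately; transient ones fail once the budget is spent.
    if ! is_transient_error "$output" || [ "$attempt" -ge "$COSIGN_MAX_ATTEMPTS" ]; then
      printf '%s\n' "$output" >&2
      return "$rc"
    fi
    echo "cosign: transient error on attempt $attempt/$COSIGN_MAX_ATTEMPTS, retrying" >&2
    sleep $((attempt * COSIGN_BACKOFF_SECONDS))   # linear backoff: 5s, 10s, ...
    attempt=$((attempt + 1))
  done
}
```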

@bupd bupd merged commit 7bcde83 into main Jun 2, 2026
11 of 12 checks passed
@bupd bupd deleted the fix/cosign-retry-transparency-log branch June 2, 2026 20:32
Development

Successfully merging this pull request may close these issues.

[bug]: image signing fails on transient Sigstore transparency log errors
