Implement retry logic for image signing in GitHub Actions workflow to handle transient Sigstore issues. Update deployment commands in config.go to remove unnecessary ownership changes while maintaining permissions for asset directories.

rajsinghtech · rajsinghtech · commit bc29a32b6892 · 2025-07-05T01:53:45.000-05:00
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -97,7 +97,23 @@ jobs:
         env:
           DIGEST: ${{ steps.build.outputs.digest }}
         run: |
-          echo "${{ steps.meta.outputs.tags }}" | xargs -I {} -P 4 cosign sign --yes {}@${DIGEST}
+          # Simple retry for transient Sigstore issues
+          for tag in ${{ steps.meta.outputs.tags }}; do
+            echo "Signing: $tag@${DIGEST}"
+            if ! cosign sign --yes "$tag@${DIGEST}"; then
+              echo "First attempt failed, retrying in 10 seconds..."
+              sleep 10
+              if ! cosign sign --yes "$tag@${DIGEST}"; then
+                echo "❌ Failed to sign $tag after retry"
+                echo "::warning::Failed to sign image $tag - continuing with unsigned image"
+                # Continue with other images rather than failing entire workflow
+              else
+                echo "✅ Successfully signed $tag on retry"
+              fi
+            else
+              echo "✅ Successfully signed $tag"
+            fi
+          done
 
   # Separate job for PR validation
   validate:
diff --git a/pkg/homer/config.go b/pkg/homer/config.go
@@ -289,7 +289,7 @@ func CreateDeployment(name string, namespace string, replicas *int32, owner clie
 							Command: []string{
 								"sh",
 								"-c",
-								"cp /config/config.yml /www/assets/config.yml && chown -R 1000:1000 /www/assets && chmod -R 755 /www/assets",
+								"cp /config/config.yml /www/assets/config.yml && chmod -R 755 /www/assets",
 							},
 							SecurityContext: &corev1.SecurityContext{
 								AllowPrivilegeEscalation: &[]bool{false}[0],
@@ -592,7 +592,7 @@ func CreateDeploymentWithAssets(name string, namespace string, replicas *int32,
 	}
 
 	// Complete init command with permissions
-	initCommand += " && chown -R 1000:1000 /www/assets && chmod -R 755 /www/assets"
+	initCommand += " && chmod -R 755 /www/assets"
 
 	d := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
