fix: add retry to curl downloads for transient network failures#210
Merged
bobcallaway merged 1 commit intosigstore:mainfrom Mar 9, 2026
Merged
fix: add retry to curl downloads for transient network failures#210bobcallaway merged 1 commit intosigstore:mainfrom
bobcallaway merged 1 commit intosigstore:mainfrom
Conversation
Member
|
can you rebase this please? i'll also add a couple comments (nits) in a review |
bobcallaway
reviewed
Dec 15, 2025
20e661d to
7299153
Compare
bobcallaway
previously approved these changes
Dec 16, 2025
cpanato
previously requested changes
Dec 16, 2025
Member
cpanato
left a comment
There was a problem hiding this comment.
Thanks looks cool
I would also add the following.
--retry-delay <seconds> - Wait time before each retry attempt
--retry-max-time <seconds> - Maximum time to spend on retries total
Contributor
Author
|
Thanks for the review! I dug into these. Turns out For Happy to add them if you feel strongly, but I think |
1d321f2 to
f06f3a0
Compare
bobcallaway
reviewed
Jan 1, 2026
|
we've been also facing this issue recently, would be great to merge this PR. |
Contributor
|
I've also been running into some build failures due to this issue; it would be great if this PR could be merged. |
Transient network errors during the cosign download can cause the action to fail. This is particularly problematic when the action runs after images have been pushed to a registry, resulting in unsigned images. Add --retry 3 to all curl calls. By default, curl uses exponential backoff: it waits 1 second before the first retry, then doubles the wait time for each subsequent retry up to a maximum of 10 minutes. It also respects Retry-After headers in the response. Closes: sigstore#209 Signed-off-by: Jose Fernandez <me@jrfernandez.com>
Contributor
Author
|
@bobcallaway I applied your suggestions, PTAL. |
bobcallaway
approved these changes
Mar 8, 2026
Member
|
@cpanato can you clear your requested change so this can merge pls? |
Contributor
|
Going to resolve @cpanato's comment so we can unblock this and cut a new release |
renovate Bot
added a commit
to sdwilsh/sOS
that referenced
this pull request
Mar 9, 2026
##### [\`v4.1.0\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.0) #### What's Changed We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing `with: cosign-release` and strongly discourage using `cosign-release` unless you have a specific reason to use an older version of Cosign. - Bump cosign to 3.0.5 in [#220](sigstore/cosign-installer#220) - fix: add retry to curl downloads for transient network failures in [#210](sigstore/cosign-installer#210) **Full Changelog**: <sigstore/cosign-installer@v4.0.0...v4.1.0>
renovate Bot
added a commit
to sdwilsh/sOS
that referenced
this pull request
Mar 13, 2026
##### [\`v4.1.0\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.0) #### What's Changed We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing `with: cosign-release` and strongly discourage using `cosign-release` unless you have a specific reason to use an older version of Cosign. - Bump cosign to 3.0.5 in [#220](sigstore/cosign-installer#220) - fix: add retry to curl downloads for transient network failures in [#210](sigstore/cosign-installer#210) **Full Changelog**: <sigstore/cosign-installer@v4.0.0...v4.1.0>
renovate Bot
added a commit
to sdwilsh/sOS
that referenced
this pull request
Mar 20, 2026
##### [\`v4.1.0\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.0) #### What's Changed We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing `with: cosign-release` and strongly discourage using `cosign-release` unless you have a specific reason to use an older version of Cosign. - Bump cosign to 3.0.5 in [#220](sigstore/cosign-installer#220) - fix: add retry to curl downloads for transient network failures in [#210](sigstore/cosign-installer#210) **Full Changelog**: <sigstore/cosign-installer@v4.0.0...v4.1.0>
renovate Bot
added a commit
to sdwilsh/ansible-playbooks
that referenced
this pull request
Mar 21, 2026
##### [\`v4.1.0\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.0) #### What's Changed We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing `with: cosign-release` and strongly discourage using `cosign-release` unless you have a specific reason to use an older version of Cosign. - Bump cosign to 3.0.5 in [#220](sigstore/cosign-installer#220) - fix: add retry to curl downloads for transient network failures in [#210](sigstore/cosign-installer#210) **Full Changelog**: <sigstore/cosign-installer@v4.0.0...v4.1.0>
renovate Bot
added a commit
to sdwilsh/ansible-playbooks
that referenced
this pull request
Mar 21, 2026
##### [\`v4.1.0\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.0) #### What's Changed We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing `with: cosign-release` and strongly discourage using `cosign-release` unless you have a specific reason to use an older version of Cosign. - Bump cosign to 3.0.5 in [#220](sigstore/cosign-installer#220) - fix: add retry to curl downloads for transient network failures in [#210](sigstore/cosign-installer#210) **Full Changelog**: <sigstore/cosign-installer@v4.0.0...v4.1.0>
renovate Bot
added a commit
to sdwilsh/sOS
that referenced
this pull request
Mar 26, 2026
##### [\`v4.1.1\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.1) #### What's Changed - chore: update default cosign-release to v3.0.5 in [#223](sigstore/cosign-installer#223) **Full Changelog**: <sigstore/cosign-installer@v4.1.0...v4.1.1> --- ##### [\`v4.1.0\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.0) #### What's Changed We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing `with: cosign-release` and strongly discourage using `cosign-release` unless you have a specific reason to use an older version of Cosign. - Bump cosign to 3.0.5 in [#220](sigstore/cosign-installer#220) - fix: add retry to curl downloads for transient network failures in [#210](sigstore/cosign-installer#210) **Full Changelog**: <sigstore/cosign-installer@v4.0.0...v4.1.0>
renovate Bot
added a commit
to sdwilsh/ansible-playbooks
that referenced
this pull request
Mar 26, 2026
##### [\`v4.1.1\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.1) #### What's Changed - chore: update default cosign-release to v3.0.5 in [#223](sigstore/cosign-installer#223) **Full Changelog**: <sigstore/cosign-installer@v4.1.0...v4.1.1> --- ##### [\`v4.1.0\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.0) #### What's Changed We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing `with: cosign-release` and strongly discourage using `cosign-release` unless you have a specific reason to use an older version of Cosign. - Bump cosign to 3.0.5 in [#220](sigstore/cosign-installer#220) - fix: add retry to curl downloads for transient network failures in [#210](sigstore/cosign-installer#210) **Full Changelog**: <sigstore/cosign-installer@v4.0.0...v4.1.0>
renovate Bot
added a commit
to sdwilsh/ansible-playbooks
that referenced
this pull request
Mar 26, 2026
##### [\`v4.1.1\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.1) #### What's Changed - chore: update default cosign-release to v3.0.5 in [#223](sigstore/cosign-installer#223) **Full Changelog**: <sigstore/cosign-installer@v4.1.0...v4.1.1> --- ##### [\`v4.1.0\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.0) #### What's Changed We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing `with: cosign-release` and strongly discourage using `cosign-release` unless you have a specific reason to use an older version of Cosign. - Bump cosign to 3.0.5 in [#220](sigstore/cosign-installer#220) - fix: add retry to curl downloads for transient network failures in [#210](sigstore/cosign-installer#210) **Full Changelog**: <sigstore/cosign-installer@v4.0.0...v4.1.0>
sdwilsh
pushed a commit
to sdwilsh/ansible-playbooks
that referenced
this pull request
Mar 27, 2026
##### [\`v4.1.1\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.1) #### What's Changed - chore: update default cosign-release to v3.0.5 in [#223](sigstore/cosign-installer#223) **Full Changelog**: <sigstore/cosign-installer@v4.1.0...v4.1.1> --- ##### [\`v4.1.0\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.0) #### What's Changed We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing `with: cosign-release` and strongly discourage using `cosign-release` unless you have a specific reason to use an older version of Cosign. - Bump cosign to 3.0.5 in [#220](sigstore/cosign-installer#220) - fix: add retry to curl downloads for transient network failures in [#210](sigstore/cosign-installer#210) **Full Changelog**: <sigstore/cosign-installer@v4.0.0...v4.1.0>
renovate Bot
added a commit
to sdwilsh/sOS
that referenced
this pull request
Apr 3, 2026
##### [\`v4.1.1\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.1) #### What's Changed - chore: update default cosign-release to v3.0.5 in [#223](sigstore/cosign-installer#223) **Full Changelog**: <sigstore/cosign-installer@v4.1.0...v4.1.1> --- ##### [\`v4.1.0\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.0) #### What's Changed We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing `with: cosign-release` and strongly discourage using `cosign-release` unless you have a specific reason to use an older version of Cosign. - Bump cosign to 3.0.5 in [#220](sigstore/cosign-installer#220) - fix: add retry to curl downloads for transient network failures in [#210](sigstore/cosign-installer#210) **Full Changelog**: <sigstore/cosign-installer@v4.0.0...v4.1.0>
renovate Bot
added a commit
to sdwilsh/sOS
that referenced
this pull request
Apr 10, 2026
##### [\`v4.1.1\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.1) #### What's Changed - chore: update default cosign-release to v3.0.5 in [#223](sigstore/cosign-installer#223) **Full Changelog**: <sigstore/cosign-installer@v4.1.0...v4.1.1> --- ##### [\`v4.1.0\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.0) #### What's Changed We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing `with: cosign-release` and strongly discourage using `cosign-release` unless you have a specific reason to use an older version of Cosign. - Bump cosign to 3.0.5 in [#220](sigstore/cosign-installer#220) - fix: add retry to curl downloads for transient network failures in [#210](sigstore/cosign-installer#210) **Full Changelog**: <sigstore/cosign-installer@v4.0.0...v4.1.0>
renovate Bot
added a commit
to sdwilsh/sOS
that referenced
this pull request
Apr 17, 2026
##### [\`v4.1.1\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.1) #### What's Changed - chore: update default cosign-release to v3.0.5 in [#223](sigstore/cosign-installer#223) **Full Changelog**: <sigstore/cosign-installer@v4.1.0...v4.1.1> --- ##### [\`v4.1.0\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.0) #### What's Changed We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing `with: cosign-release` and strongly discourage using `cosign-release` unless you have a specific reason to use an older version of Cosign. - Bump cosign to 3.0.5 in [#220](sigstore/cosign-installer#220) - fix: add retry to curl downloads for transient network failures in [#210](sigstore/cosign-installer#210) **Full Changelog**: <sigstore/cosign-installer@v4.0.0...v4.1.0>
renovate Bot
added a commit
to sdwilsh/sOS
that referenced
this pull request
Apr 24, 2026
##### [\`v4.1.1\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.1) #### What's Changed - chore: update default cosign-release to v3.0.5 in [#223](sigstore/cosign-installer#223) **Full Changelog**: <sigstore/cosign-installer@v4.1.0...v4.1.1> --- ##### [\`v4.1.0\`](https://github.com/sigstore/cosign-installer/releases/tag/v4.1.0) #### What's Changed We recommend updating as soon as possible as this includes bug fixes for Cosign. We also recommend removing `with: cosign-release` and strongly discourage using `cosign-release` unless you have a specific reason to use an older version of Cosign. - Bump cosign to 3.0.5 in [#220](sigstore/cosign-installer#220) - fix: add retry to curl downloads for transient network failures in [#210](sigstore/cosign-installer#210) **Full Changelog**: <sigstore/cosign-installer@v4.0.0...v4.1.0>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Transient network errors during the cosign download can cause the action to fail. This is particularly problematic when the action runs after images have been pushed to a registry, resulting in unsigned images.
Add --retry 3 to all curl calls. By default, curl uses exponential backoff: it waits 1 second before the first retry, then doubles the wait time for each subsequent retry up to a maximum of 10 minutes. It also respects Retry-After headers in the response.
Closes: #209
Release Note
Added retry logic to curl downloads to handle transient network failures. Downloads now retry up to 3 times with exponential backoff.