🏥 CI FailureRelease build failed: cosign SBOM attestation to Rekor/Sigstore timed out

[github-actions]

Summary

The Build Agent-Act Image job in release run #22369923231 failed while attesting the SBOM to the Sigstore/Rekor transparency log.

Commit: 5f89cffbe4d5ac99943407e85e763fd149a42049

Root Cause

The cosign attest step succeeded in generating the ephemeral certificate and SBOM, but failed when attempting to POST the attestation entry to rekor.sigstore.dev:

Error: signing ghcr.io/github/gh-aw-firewall/agent-act@sha256:4813c126c4d7395ac75bc4206375e33bef6ca01c1dce4217151c6dc51f079456: 
Post "(rekor.sigstore.dev/redacted) 
POST (rekor.sigstore.dev/redacted) giving up after 4 attempt(s)

This is a transient external service failure — the Sigstore Rekor transparency log was unavailable or rate-limiting at the time of the run. All other build jobs (Squid, Agent, API Proxy) succeeded.

The Docker image itself was built and pushed successfully to GHCR; only the SBOM attestation signature step failed, causing the job — and subsequently the Create Release job — to be skipped.

Impact

• The release was not created (Create Release job was skipped due to upstream failure)
• The agent-act container image was built and pushed, but lacks a Sigstore SBOM attestation
• The other three images (squid, agent, api-proxy) completed successfully including their attestations

Recommended Actions

1. Re-run the failed job: Retry the "Build Agent-Act Image" job when Sigstore/Rekor services are healthy. Check [Sigstore status]((status.sigstore.dev/redacted) first.
2. Consider adding retry logic: The cosign attest step could benefit from a retry wrapper (e.g., a for loop or retry action) to handle transient Rekor outages automatically.
3. Consider making SBOM attestation non-blocking: If SBOM attestation failures should not block releases, the step could use continue-on-error: true with an alert/notification on failure.

Details

• Workflow: Release
• Failed job: Build Agent-Act Image (job ID: 64745847671)
• Failure step: cosign attest --yes --predicate agent-act-sbom.spdx.json --type spdxjson
• External service: rekor.sigstore.dev (Sigstore transparency log)
• Error type: Network/service timeout — 4 POST attempts all failed

Generated by CI Doctor

[github-actions]

Recurrence — Release Run #65 (Attempt 2)

The same failure has occurred again in release run #22371037636.

Commit: 6dfaa786e6348fe18b68b8cc94c94ec16a01c96d

Failure

Both attempt 1 and attempt 2 of this run failed with the identical error in the Build Agent-Act Image cosign attest step:

Error: signing ghcr.io/github/gh-aw-firewall/agent-act@sha256:fd329924d1f18546646d4f1e1743f0daef3bc60cec87dd460a6fe7f04a3810f3:
Post "(rekor.sigstore.dev/redacted) POST (rekor.sigstore.dev/redacted) giving up after 4 attempt(s)

The SBOM was generated successfully (60s scan) and the image was pushed to GHCR, but the Rekor transparency log entry POST timed out. The Create Release job was skipped again as a result.

Pattern

This is now the second release run blocked by this transient rekor.sigstore.dev connectivity issue. The recommended fix from the original issue (retry logic or continue-on-error: true for SBOM attestation) should be prioritized to unblock the release pipeline.

Generated by CI Doctor

[github-actions]

Duplicate failure: same rekor.sigstore.dev timeout

This is another occurrence of the same transient Sigstore/Rekor failure.

• Run: 22371037636
• Commit: 6dfaa786e6348fe18b68b8cc94c94ec16a01c96d
• Error: Post "(rekor.sigstore.dev/redacted) POST (rekor.sigstore.dev/redacted) giving up after 4 attempt(s)

Same root cause as the previous occurrence — rekor.sigstore.dev was unavailable. The image was built and pushed successfully; only the SBOM attestation signing failed. The Create Release job was skipped as a result.

This is now a recurring issue. The recommended fix of adding retry logic or continue-on-error: true to the cosign attest step would prevent future release blocks.

Generated by CI Doctor

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the release build failure caused by cosign SBOM attestation to Rekor/Sigstore timing out and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the cosign SBOM attestation timeout to Rekor/Sigstore during release builds and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the cosign SBOM attestation timeout in the release build and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the release build failure caused by cosign SBOM attestation to Rekor/Sigstore timing out and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the cosign SBOM attestation timeout to Rekor/Sigstore during the release build and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster

[github-actions]

🍪 Issue Monster has assigned this to Copilot!

I've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.

The Copilot agent will analyze the issue and create a pull request with the fix — adding retry logic or continue-on-error: true to the cosign SBOM attestation step in the release workflow so that transient Rekor/Sigstore outages don't block the entire release.

Om nom nom! 🍪

🍪 Om nom nom by Issue Monster