From 995cedc357f89712bbbb6c25f55d1017852a560a Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Mon, 1 Dec 2025 13:21:50 +0100
Subject: [PATCH 1/2] chore: linguist ignore test dir
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .gitattributes | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .gitattributes
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..78d8a74
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+/test/** export-ignore
From 0396b4ecfbba198e56a8ba21b3d8d7d36a4886d8 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Mon, 1 Dec 2025 13:25:47 +0100
Subject: [PATCH 2/2] only wait for AWS ECR before signing attestation manifests
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/bake.yml | 15 ++++++++++++---
 .github/workflows/build.yml | 15 ++++++++++++---
 2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
index 483ea06..b9b0b5f 100644
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
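Review bot: The subject of patch 1/2 says "linguist ignore", but the attribute added in `.gitattributes` is `export-ignore`, which controls what `git archive` leaves out of exported tarballs rather than how GitHub Linguist classifies files. If the goal is language statistics, the line would presumably be `/test/** linguist-vendored` (or `linguist-generated`); if the goal is to keep `/test` out of archives, the commit subject should say so.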
@@ -551,14 +551,23 @@ jobs:
 INPUT_IMAGE-DIGEST: ${{ steps.get-image-digest.outputs.digest }}
 with:
 script: |
- // FIXME: remove once https://github.com/docker/github-builder-experimental/issues/30 is resolved
- await new Promise(resolve => setTimeout(resolve, 2000));
-
 const { Sigstore } = require('@docker/actions-toolkit/lib/sigstore/sigstore');
 const inpImageNames = core.getMultilineInput('image-names');
 const inpImageDigest = core.getInput('image-digest');
+ // ECR registry regexes: https://github.com/docker/login-action/blob/28fdb31ff34708d19615a74d67103ddc2ea9725c/src/aws.ts#L8-L9
+ const ecrRegistryRegex = /^(([0-9]{12})\.(dkr\.ecr|dkr-ecr)\.(.+)\.(on\.aws|amazonaws\.com(.cn)?))(\/([^:]+)(:.+)?)?$/;
+ const ecrPublicRegistryRegex = /public\.ecr\.aws|ecr-public\.aws\.com/;
+ for (const imageName of inpImageNames) {
+ if (ecrRegistryRegex.test(imageName) || ecrPublicRegistryRegex.test(imageName)) {
+ core.info(`Detected ECR image name: ${imageName}, adding delay to mitigate eventual consistency issue`);
+ // FIXME: remove once https://github.com/docker/github-builder-experimental/issues/30 is resolved
+ await new Promise(resolve => setTimeout(resolve, 5000));
+ break;
+ }
+ }
+
 const sigstore = new Sigstore();
 const signResults = await sigstore.signAttestationManifests({
 imageNames: inpImageNames,
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ac7ad39..291cc35 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
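Review bot: In `.github/workflows/bake.yml` the fixed `setTimeout(resolve, 5000)` before `sigstore.signAttestationManifests` is a guess at how long ECR takes to become consistent, and nothing in the hunk confirms that the manifest for `inpImageDigest` is readable before signing starts. A slow registry would still race the signing step, so it is worth confirming (the handling of `signResults` is outside this hunk) that a failed lookup fails the job rather than leaving an image published without a signed attestation. At minimum I would record the limitation next to the FIXME, e.g. `// best-effort wait only: signing must still fail the job if the manifest is not yet visible in ECR`. The same applies to the identical hunk in `.github/workflows/build.yml`.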
@@ -445,14 +445,23 @@ jobs:
 INPUT_IMAGE-DIGEST: ${{ steps.build.outputs.digest }}
 with:
 script: |
- // FIXME: remove once https://github.com/docker/github-builder-experimental/issues/30 is resolved
- await new Promise(resolve => setTimeout(resolve, 2000));
-
 const { Sigstore } = require('@docker/actions-toolkit/lib/sigstore/sigstore');
 const inpImageNames = core.getMultilineInput('image-names');
 const inpImageDigest = core.getInput('image-digest');
+ // ECR registry regexes: https://github.com/docker/login-action/blob/28fdb31ff34708d19615a74d67103ddc2ea9725c/src/aws.ts#L8-L9
+ const ecrRegistryRegex = /^(([0-9]{12})\.(dkr\.ecr|dkr-ecr)\.(.+)\.(on\.aws|amazonaws\.com(.cn)?))(\/([^:]+)(:.+)?)?$/;
+ const ecrPublicRegistryRegex = /public\.ecr\.aws|ecr-public\.aws\.com/;
+ for (const imageName of inpImageNames) {
+ if (ecrRegistryRegex.test(imageName) || ecrPublicRegistryRegex.test(imageName)) {
+ core.info(`Detected ECR image name: ${imageName}, adding delay to mitigate eventual consistency issue`);
+ // FIXME: remove once https://github.com/docker/github-builder-experimental/issues/30 is resolved
+ await new Promise(resolve => setTimeout(resolve, 5000));
+ break;
+ }
+ }
+
 const sigstore = new Sigstore();
 const signResults = await sigstore.signAttestationManifests({
 imageNames: inpImageNames,
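Review bot: `ecrPublicRegistryRegex` in `.github/workflows/build.yml` is unanchored, so any image name that merely contains `public.ecr.aws` somewhere in its path is treated as ECR, and `(.cn)?` in `ecrRegistryRegex` leaves the dot unescaped. While the match only gates a delay this is harmless, but the patterns are copied from login-action and now live in two workflows, so they are likely to be reused elsewhere. I would add `// heuristic only: gates the pre-signing delay, not suitable for registry trust decisions` above them, or at least escape the dot as `(\.cn)?`. The block is duplicated verbatim in `.github/workflows/bake.yml`, and the hunk ends inside the `signAttestationManifests` call.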