only wait for AWS ECR before signing attestation manifests

crazy-max · crazy-max · commit 0396b4ecfbba · 2025-12-01T13:32:53.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
@@ -551,14 +551,23 @@ jobs:
           INPUT_IMAGE-DIGEST: ${{ steps.get-image-digest.outputs.digest }}
         with:
           script: |
-            // FIXME: remove once https://github.com/docker/github-builder-experimental/issues/30 is resolved
-            await new Promise(resolve => setTimeout(resolve, 2000));
-            
             const { Sigstore } = require('@docker/actions-toolkit/lib/sigstore/sigstore');
             
             const inpImageNames = core.getMultilineInput('image-names');
             const inpImageDigest = core.getInput('image-digest');
             
+            // ECR registry regexes: https://github.com/docker/login-action/blob/28fdb31ff34708d19615a74d67103ddc2ea9725c/src/aws.ts#L8-L9
+            const ecrRegistryRegex = /^(([0-9]{12})\.(dkr\.ecr|dkr-ecr)\.(.+)\.(on\.aws|amazonaws\.com(.cn)?))(\/([^:]+)(:.+)?)?$/;
+            const ecrPublicRegistryRegex = /public\.ecr\.aws|ecr-public\.aws\.com/;
+            for (const imageName of inpImageNames) {
+              if (ecrRegistryRegex.test(imageName) || ecrPublicRegistryRegex.test(imageName)) {
+                core.info(`Detected ECR image name: ${imageName}, adding delay to mitigate eventual consistency issue`);
+                // FIXME: remove once https://github.com/docker/github-builder-experimental/issues/30 is resolved
+                await new Promise(resolve => setTimeout(resolve, 5000));
+                break;
+              }
+            }
+            
             const sigstore = new Sigstore();
             const signResults = await sigstore.signAttestationManifests({
               imageNames: inpImageNames,
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -445,14 +445,23 @@ jobs:
           INPUT_IMAGE-DIGEST: ${{ steps.build.outputs.digest }}
         with:
           script: |
-            // FIXME: remove once https://github.com/docker/github-builder-experimental/issues/30 is resolved
-            await new Promise(resolve => setTimeout(resolve, 2000));
-            
             const { Sigstore } = require('@docker/actions-toolkit/lib/sigstore/sigstore');
             
             const inpImageNames = core.getMultilineInput('image-names');
             const inpImageDigest = core.getInput('image-digest');
             
+            // ECR registry regexes: https://github.com/docker/login-action/blob/28fdb31ff34708d19615a74d67103ddc2ea9725c/src/aws.ts#L8-L9
+            const ecrRegistryRegex = /^(([0-9]{12})\.(dkr\.ecr|dkr-ecr)\.(.+)\.(on\.aws|amazonaws\.com(.cn)?))(\/([^:]+)(:.+)?)?$/;
+            const ecrPublicRegistryRegex = /public\.ecr\.aws|ecr-public\.aws\.com/;
+            for (const imageName of inpImageNames) {
+              if (ecrRegistryRegex.test(imageName) || ecrPublicRegistryRegex.test(imageName)) {
+                core.info(`Detected ECR image name: ${imageName}, adding delay to mitigate eventual consistency issue`);
+                // FIXME: remove once https://github.com/docker/github-builder-experimental/issues/30 is resolved
+                await new Promise(resolve => setTimeout(resolve, 5000));
+                break;
+              }
+            }
+            
             const sigstore = new Sigstore();
             const signResults = await sigstore.signAttestationManifests({
               imageNames: inpImageNames,
