docs(recovery): document transient Sigstore/Rekor 409 on checksum signing #28
…ning

Add a recovery-procedures entry for the cosign/sigstore step failing with `[POST /api/v1/log/entries][409] createLogEntryConflict`. The tag-signature and tag-vs-version checks pass before this step, so the failure is unrelated to the tag; recreating it would risk burning the name. The remedy is to re-run only the failed job (`gh run rerun <run-id> --repo <repo> --failed`), which creates no new tag and has no published release to clobber.

Observed on ~3 of 19 repos during a bulk skill-repo release; every re-run published cleanly.

Adds eval #38 asserting the model re-runs rather than re-tags.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
Code Review
This pull request adds a new evaluation scenario and corresponding recovery documentation for handling transient Sigstore/Rekor 409 conflicts during checksum signing. The feedback suggests improving the robustness of the must_not assertion pattern in the evaluation configuration to better catch any tag deletion or force-recreation commands.
Pull request overview
This PR updates the GitHub Release skill’s recovery documentation and evaluation suite to handle a specific release-workflow failure mode: a transient Sigstore/Rekor transparency-log 409 conflict during checksum signing.
Changes:
- Adds a recovery-procedures entry describing how to respond to Sigstore/Rekor HTTP 409 conflicts during signing (rerun failed job; don’t retag).
- Adds a new eval (id 38) asserting the model identifies the transient nature of the 409 and recommends `gh run rerun --failed`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| skills/github-release/references/recovery-procedures.md | Documents the Sigstore/Rekor 409 symptom/cause and the intended safe recovery action. |
| skills/github-release/evals/evals.json | Adds eval #38 to test the expected guidance for transient Rekor 409 conflicts. |
…ing claim

Address bot review feedback on PR #28:

- evals.json #38: replace the narrow `git tag -[sa].*` must_not with a robust pattern catching tag delete/force/remote-delete, and add a must_not for `gh release create` (matching the convention of other evals in this file).
- recovery-procedures.md: phrase the "validation gates already passed" claim conditionally: it holds for workflows (like the netresearch skill-repo release) that validate before signing, not universally; advise confirming via the failed-job log.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
|
| { | ||
| "type": "must_not", | ||
| "pattern": "(?i)(git tag.*(-d|-f|--delete)|git push.*delete)" | ||
| }, |
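Review bot: the must_not pattern on the `"pattern"` line misses two common ways a remote tag gets removed or overwritten, so the commit message's "remote-delete" and "force" coverage only holds for `git push --delete` and `git tag -f`: `git push origin :refs/tags/<tag>` contains no `delete` token, and `git push -f` / `--force` re-pushing the tag is not matched at all. The `-d` and `-f` alternatives also have no boundary, so a commit message argument such as `-m "docs-fix"` after `git tag` would trip the assertion via `-fix`. Suggest tightening to something like `(?i)(git tag\s.*(-d\b|-f\b|--delete|--force)|git push\s.*(--delete|-d\b|-f\b|--force|:refs/tags/))`.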



What

Adds a `recovery-procedures.md` entry for the release workflow failing at the cosign/sigstore step with:

```
[POST /api/v1/log/entries][409] createLogEntryConflict
```

Why

The tag-signature check and the tag-vs-version-file check run before this step and have already passed, so a 409 here is not a tag problem; it's a transient Sigstore Rekor transparency-log conflict. The safe remedy is to re-run only the failed job:

```
gh run rerun <run-id> --repo <repo> --failed
```

No new tag, no published release to clobber. Recreating the tag would needlessly risk burning the name.

Observed on ~3 of 19 repos during a coordinated bulk skill-repo release (2026-06-09); every re-run published cleanly on the second attempt.

Changes

- `references/recovery-procedures.md`: new "Sigstore/Rekor 409 on Checksum Signing" section.
- `evals/evals.json`: eval #38, asserting the model recognises the transient 409 and re-runs the failed job rather than recreating the tag.
- No `SKILL.md` change (it is at the 497-word limit; the fix lives in an existing reference).
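As an added example (not code from this PR or from the github-release skill), the following Python covers both the triage described under "Why" and the must/must_not style of check that eval #38 applies. The job-log excerpt is constructed; the gate step names (`verify-tag-signature`, `verify-tag-matches-version`) and their "OK" lines are assumptions, as is the hardened must_not pattern, which goes beyond the PR's regex by also catching the colon-refspec tag deletion and force-push forms.

```python
import re

# Constructed job-log excerpt, not from the PR. The error string is the one the PR
# quotes; the two gate steps before it and their "OK" lines are assumed names.
SAMPLE_LOG = """\
Run verify-tag-signature
tag v1.2.3 signature: OK
Run verify-tag-matches-version
tag v1.2.3 matches version file: OK
Run cosign sign-blob --yes checksums.txt
Error: [POST /api/v1/log/entries][409] createLogEntryConflict
"""

REKOR_409 = re.compile(r"\[POST /api/v1/log/entries\]\[409\] createLogEntryConflict")

# Assumed gate markers; a real workflow prints whatever its own steps print.
GATES = {
    "tag-signature": re.compile(r"^tag \S+ signature: OK$", re.M),
    "tag-vs-version": re.compile(r"^tag \S+ matches version file: OK$", re.M),
}


def triage(log: str, run_id: str, repo: str) -> dict:
    """Map a failed-job log to the recovery action the PR documents.

    A Rekor 409 after both tag gates passed is transient: re-run only the failed
    job, never delete or recreate the tag. A 409 whose gate results are not
    visible is flagged so the operator confirms them in the log first (the
    PR's own caveat for workflows that do not validate before signing).
    """
    if not REKOR_409.search(log):
        return {"cause": "not-a-rekor-409", "action": "investigate the failed step"}
    unconfirmed = sorted(name for name, pat in GATES.items() if not pat.search(log))
    if unconfirmed:
        return {
            "cause": "rekor-409-gates-unconfirmed",
            "action": "confirm in the failed-job log: " + ", ".join(unconfirmed),
        }
    return {
        "cause": "transient-rekor-409",
        "action": f"gh run rerun {run_id} --repo {repo} --failed",
    }


# Patterns as in the PR's eval #38 after the review-feedback commit.
MUST = re.compile(r"gh run rerun.*--failed")
MUST_NOT_PR = re.compile(r"(?i)(git tag.*(-d|-f|--delete)|git push.*delete)")

# Hardened variant (assumption, not the PR's): also catches the colon-refspec
# deletion form and force-pushing a tag, and bounds -d/-f so they do not match
# inside words such as "-fix".
MUST_NOT_HARDENED = re.compile(
    r"(?i)(git tag\s.*(-d\b|-f\b|--delete|--force)"
    r"|git push\s.*(--delete|-d\b|-f\b|--force|:refs/tags/))"
)


def grade(response: str, must_not: re.Pattern = MUST_NOT_HARDENED) -> dict:
    """Eval-style check: the response must recommend the rerun and must not retag."""
    return {
        "must": bool(MUST.search(response)),
        "must_not_hit": bool(must_not.search(response)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "<run-id>", "<owner>/<repo>"))
    for candidate in (
        "Re-run only the failed job: gh run rerun <run-id> --repo <repo> --failed",
        "git push origin :refs/tags/v1.2.3, then recreate and push the tag",
    ):
        print(candidate, "->", grade(candidate, MUST_NOT_PR), grade(candidate))
```

Running it shows the second candidate passing the PR's must_not (no `delete` token, no `git tag`) while the hardened pattern flags it; which tag operations an eval should forbid beyond the destructive ones is a separate decision for the skill's authors.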