Propagate changes from main into development

.github/workflows/docker-build.yml

@@ -731,20 +731,42 @@ jobs:
         uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 
       # Sign GHCR image with keyless signing (Sigstore/Fulcio)
+      # Retry up to 3 times to handle transient Fulcio/Rekor INTERNAL_ERROR (HTTP/2 stream errors)
       - name: Sign GHCR Image
         if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
         run: |
           echo "Signing GHCR image with keyless signing..."
-          cosign sign --yes ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
-          echo "✅ GHCR image signed successfully"
+          for attempt in 1 2 3; do
+            if cosign sign --yes ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}; then
+              echo "✅ GHCR image signed successfully"
+              break
+            fi
+            if [ "$attempt" -eq 3 ]; then
+              echo "❌ GHCR signing failed after 3 attempts"
+              exit 1
+            fi
+            echo "⚠️  Attempt $attempt failed — retrying in 15s..."
+            sleep 15
+          done
 
       # Sign Docker Hub image with keyless signing (Sigstore/Fulcio)
+      # Retry up to 3 times to handle transient Fulcio/Rekor INTERNAL_ERROR (HTTP/2 stream errors)
       - name: Sign Docker Hub Image
         if: env.TRIGGER_EVENT != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true' && env.HAS_DOCKERHUB_TOKEN == 'true'
         run: |
           echo "Signing Docker Hub image with keyless signing..."
-          cosign sign --yes ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
-          echo "✅ Docker Hub image signed successfully"
+          for attempt in 1 2 3; do
+            if cosign sign --yes ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}; then
+              echo "✅ Docker Hub image signed successfully"
+              break
+            fi
+            if [ "$attempt" -eq 3 ]; then
+              echo "❌ Docker Hub signing failed after 3 attempts"
+              exit 1
+            fi
+            echo "⚠️  Attempt $attempt failed — retrying in 15s..."
+            sleep 15
+          done
 
       # Attach SBOM to Docker Hub image
       - name: Attach SBOM to Docker Hub

.github/workflows/nightly-build.yml

@@ -154,6 +154,17 @@ jobs:
       digest: ${{ steps.resolve_digest.outputs.digest }}
 
     steps:
+      - name: Free disk space
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be  # v1.3.1
+        with:
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          docker-images: false
+          swap-storage: true
+          tool-cache: false
+
       - name: Checkout nightly branch
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
@@ -341,19 +352,41 @@ jobs:
         uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6  # v4.1.2
 
       # Sign GHCR image with keyless signing (Sigstore/Fulcio)
+      # Retry up to 3 times to handle transient Fulcio/Rekor INTERNAL_ERROR (HTTP/2 stream errors)
       - name: Sign GHCR Image
         run: |
           echo "Signing GHCR nightly image with keyless signing..."
-          cosign sign --yes "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.resolve_digest.outputs.digest }}"
-          echo "✅ GHCR nightly image signed successfully"
+          for attempt in 1 2 3; do
+            if cosign sign --yes "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.resolve_digest.outputs.digest }}"; then
+              echo "✅ GHCR nightly image signed successfully"
+              break
+            fi
+            if [ "$attempt" -eq 3 ]; then
+              echo "❌ GHCR signing failed after 3 attempts"
+              exit 1
+            fi
+            echo "⚠️  Attempt $attempt failed — retrying in 15s..."
+            sleep 15
+          done
 
       # Sign Docker Hub image with keyless signing (Sigstore/Fulcio)
+      # Retry up to 3 times to handle transient Fulcio/Rekor INTERNAL_ERROR (HTTP/2 stream errors)
       - name: Sign Docker Hub Image
         if: env.HAS_DOCKERHUB_TOKEN == 'true'
         run: |
           echo "Signing Docker Hub nightly image with keyless signing..."
-          cosign sign --yes "${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.resolve_digest.outputs.digest }}"
-          echo "✅ Docker Hub nightly image signed successfully"
+          for attempt in 1 2 3; do
+            if cosign sign --yes "${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.resolve_digest.outputs.digest }}"; then
+              echo "✅ Docker Hub nightly image signed successfully"
+              break
+            fi
+            if [ "$attempt" -eq 3 ]; then
+              echo "❌ Docker Hub signing failed after 3 attempts"
+              exit 1
+            fi
+            echo "⚠️  Attempt $attempt failed — retrying in 15s..."
+            sleep 15
+          done
 
       # Attach SBOM to Docker Hub image
       - name: Attach SBOM to Docker Hub
@@ -375,6 +408,17 @@ jobs:
       packages: write
 
     steps:
+      - name: Free disk space
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be  # v1.3.1
+        with:
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          docker-images: false
+          swap-storage: true
+          tool-cache: false
+
       - name: Checkout nightly branch
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with: