cosign verify-attestation hangs indefinitely in GitHub Actions

[AliSajid]

Description

I have a GitHub Action that builds and signs an image and pushes it to GHCR and DockerHub. I verify the signatures in the same action. The verification for the image happens instantly but on the Verify-Attestataion for the SBOM, it hangs until it times out in six hours. I can verify that the attestation is pushed to the container registries and I can verify that locally on my Mac (M2) painlessly.

I'm using syft for SBOM generation and right now using a practically empty Dockerfile.

Version

cosign: v2.2.3
syft: v1.0.1

These are the logs from an example run.
logs_21813240831.zip

The workflow is here: https://github.com/AliSajid/aaprop/blob/next/.github/workflows/build_container.yaml

[haydentherapper]

This sounds like a one-off GHA failure, is it still occurring?

[AliSajid]

This has been consistently occurring over the past ~3 days. Sometimes it succeeds, but with an inordinately long time. An example of a very long run before success is here.

I have one action run happening right now which is going through the same process.

[ckotzbauer]

I can confirm the same behaviour in one of my actions.

[haydentherapper]

Without logs, I'm unable to reproduce this.

[ckotzbauer]

I create a repro build and share it here.

[ckotzbauer]

I created a simple reproduction repository and the workflow hung on the first execution: https://github.com/ckotzbauer/verify-attestation-repro/actions/runs/9044178111/job/24852568726

Between line 32 and 33/34 it took about 8 minutes.