From 4349cb96906fddc058a3fa57a6d4db5653497fc1 Mon Sep 17 00:00:00 2001
From: Ivan
Date: Sat, 9 May 2026 19:11:19 -0500
Subject: [PATCH] ci(setup-trivy): add curl retries for transient 502 errors
---
 scripts/ci/setup-trivy.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/scripts/ci/setup-trivy.sh b/scripts/ci/setup-trivy.sh
index e697a3b..02445eb 100644
--- a/scripts/ci/setup-trivy.sh
+++ b/scripts/ci/setup-trivy.sh
@@ -31,8 +31,8 @@ verify_upstream_deb() {
 ensure_cosign
 export COSIGN_YES="${COSIGN_YES:-true}"
- curl -fsSL -o /tmp/trivy_checksums.txt "${TRIVY_RELEASE_BASE}/trivy_${TRIVY_VERSION}_checksums.txt"
- curl -fsSL -o /tmp/trivy_checksums.sigstore.json "${TRIVY_RELEASE_BASE}/trivy_${TRIVY_VERSION}_checksums.txt.sigstore.json"
+ curl -fsSL --retry 5 --retry-delay 2 -o /tmp/trivy_checksums.txt "${TRIVY_RELEASE_BASE}/trivy_${TRIVY_VERSION}_checksums.txt"
+ curl -fsSL --retry 5 --retry-delay 2 -o /tmp/trivy_checksums.sigstore.json "${TRIVY_RELEASE_BASE}/trivy_${TRIVY_VERSION}_checksums.txt.sigstore.json"
 cosign verify-blob /tmp/trivy_checksums.txt --bundle /tmp/trivy_checksums.sigstore.json \
 --certificate-identity-regexp="${TRIVY_CERT_IDENTITY_RE}" \
 --certificate-oidc-issuer-regexp="${TRIVY_CERT_ISSUER_RE}"
@@ -43,10 +43,10 @@ verify_upstream_deb() {
 exit 1
 fi
- curl -fsSL -o /tmp/trivy.deb "${TRIVY_RELEASE_BASE}/${DEB_BASE}"
+ curl -fsSL --retry 5 --retry-delay 2 -o /tmp/trivy.deb "${TRIVY_RELEASE_BASE}/${DEB_BASE}"
 echo "${EXPECTED_SHA} /tmp/trivy.deb" | sha256sum -c
- curl -fsSL -o /tmp/trivy.deb.sigstore.json "${TRIVY_RELEASE_BASE}/${DEB_BASE}.sigstore.json"
+ curl -fsSL --retry 5 --retry-delay 2 -o /tmp/trivy.deb.sigstore.json "${TRIVY_RELEASE_BASE}/${DEB_BASE}.sigstore.json"
 cosign verify-blob /tmp/trivy.deb --bundle /tmp/trivy.deb.sigstore.json \
 --certificate-identity-regexp="${TRIVY_CERT_IDENTITY_RE}" \
 --certificate-oidc-issuer-regexp="${TRIVY_CERT_ISSUER_RE}"
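Review bot: The flag set `--retry 5 --retry-delay 2` is pasted onto each curl call, here and in the hunks at -43 and -59, so the five copies can drift apart; one helper defined near the top of the script, `fetch() { curl -fsSL --retry 5 --retry-delay 2 -o "$1" "$2"; }`, would keep them in step. Setting `--retry-delay` also replaces curl's default exponential backoff with a fixed 2-second wait, and nothing bounds a stalled transfer, so `--retry-max-time` and `--connect-timeout` are worth adding in that same place. verify_upstream_deb starts and ends outside this hunk.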
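Review bot: Every artifact in this function is written to a fixed name under /tmp (`/tmp/trivy.deb`, `/tmp/trivy.deb.sigstore.json`, and the checksum files in the hunk at -31), so on a runner shared with other jobs or users a different local process can pre-create or replace the file between the `sha256sum -c` / `cosign verify-blob` checks and whatever consumes the package afterwards. A private directory closes that window: `workdir="$(mktemp -d)"` with `trap 'rm -rf -- "$workdir"' EXIT`, and `"$workdir/trivy.deb"` in place of the literal paths. The install step is not visible in this hunk, so confirm it reads the same verified file.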
@@ -59,7 +59,7 @@ if [ -n "${TRIVY_DEB_URL:-}" ]; then
 echo "setup-trivy.sh: TRIVY_DEB_URL requires TRIVY_DEB_SHA256" >&2
 exit 1
 fi
- curl -fsSL -o /tmp/trivy.deb "${TRIVY_DEB_URL}"
+ curl -fsSL --retry 5 --retry-delay 2 -o /tmp/trivy.deb "${TRIVY_DEB_URL}"
 echo "${TRIVY_DEB_SHA256} /tmp/trivy.deb" | sha256sum -c
 else
 arch="$(uname -m)"
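Review bot: On the `TRIVY_DEB_URL` branch the scheme of the caller-supplied URL is not constrained and `-L` follows redirects, so the download can end up on cleartext HTTP; adding `--proto '=https' --proto-redir '=https'` to this curl call keeps it on TLS. The pinned `TRIVY_DEB_SHA256` is the only integrity control visible on this branch (no `cosign verify-blob` runs before `else`), which deserves a comment such as `# Override path: integrity rests solely on TRIVY_DEB_SHA256; no signature check is done here.` The branch opens above the hunk and the `else` arm continues below it.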