fix: aggregate per-artifact signing failures so signed annotation is not set

[SAY-5]

Changes

Per-artifact CreatePayload, payload marshalling and SignMessage failures in ObjectSigner.Sign() were only logged and continued without contributing to merr. When every per-artifact operation failed this way, merr stayed nil, so MarkSigned set chains.tekton.dev/signed=true even though nothing was signed, permanently suppressing retries. These three paths now append to merr exactly like the storage-failure path a few lines below already does.

No new unit test is included: the change is the same multierror.Append(merr, ...) pattern already used for storage failures in the same loop, and exercising the payload/marshal/sign failure branches in isolation would require stubbing out the real formatter and x509 signer used by TestSigner_Sign.

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• Has Docs included if any changes are user facing
• Has Tests included if any functionality added or changed
• Follows the commit message standard
• Meets the Tekton contributor standards (including
  functionality, content, code)
• Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
• Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Fix Chains marking a TaskRun/PipelineRun as signed when all per-artifact payload creation, marshalling or signing operations failed.

Closes #1663

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: SAY-5 / name: Sai Asish Y (9f744fe)

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign wlynch after the PR has been reviewed.
You can assign the PR to them by writing /assign @wlynch in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[infernus01]

Thanks @SAY-5 for the PR. You'd need to sign CLA please check the link in the CI checks below.

[waveywaves]

Thanks for the fix. The code change makes sense: payload creation, marshal, and signing errors now contribute to merr, so Sign returns an error and avoids marking the object as signed after a partial failure.

Before this is ready to merge, could you please:

1. Sign the CLA; the current EasyCLA check is blocking the PR.
2. Add regression coverage in pkg/chains/signing_test.go for one of these failure paths, verifying that Sign returns an error and the object is not marked signed.

I ran the existing targeted test locally with this branch:

go test ./pkg/chains -run TestSigner_Sign -count=1

and it passes.

[anithapriyanatarajan]

@SAY-5 - Thank you for the PR ❤️ Please complete the EasyCLA signing to progress with CI checks.

[ab-ghosh]

@SAY-5 Thank you for the PR, the change looks correct, follows the existing multierror.Append pattern, and addresses the #1666. Could you please address @waveywaves' suggestion on adding regression tests?

Minor note (non-blocking): Two other continue paths at signing.go:138-140 (format not found) and signing.go:160-163 (no signer configured) have the same class of bug, they log and skip without appending to merr. Not in scope for this PR but worth adding it, wdyt?

[jkhelil]

@SAY-5 Could you check #1666 (comment) and adress the cmments please, I am looking to approve and merge it once adressed