fix: race condition for signed versioned artifacts

pkg/controlplane/handlers_githubwebhooks.go

@@ -146,9 +146,9 @@ func (s *Server) HandleGitHubWebHook() http.HandlerFunc {
 		log.Printf("publishing of type: %s", m.Metadata["type"])
 
 		if err := s.parseGithubEventForProcessing(rawWBPayload, m); err != nil {
-			// We won't leak whether a repository is not found.
-			if errors.Is(err, ErrRepoNotFound) {
-				log.Printf("repository not found: %v", err)
+			// We won't leak when a repository or artifact is not found.
+			if errors.Is(err, ErrRepoNotFound) || errors.Is(err, ErrArtifactNotFound) {
+				log.Printf("repository or artifact not found: %v", err)
 				w.WriteHeader(http.StatusOK)
 				return
 			}
@@ -380,11 +380,6 @@ func (s *Server) parseArtifactPublishedEvent(
 		return fmt.Errorf("error gathering versioned artifact: %w", err)
 	}
 
-	if versionedArtifact == nil {
-		// no error, but the version was just the signature
-		return nil
-	}
-
 	dbArtifact, _, err := upsertVersionedArtifact(ctx, dbrepo.ID, versionedArtifact, s.store)
 	if err != nil {
 		return fmt.Errorf("error upserting artifact from payload: %w", err)
@@ -593,12 +588,10 @@ func gatherVersionedArtifact(
 			return nil, fmt.Errorf("error looking up version by signature tag: %w", lookupErr)
 		}
 		if storedVersion == nil {
-			// not much we can do about the version not being there, let's hope the signed container arrives later
-			// but don't return nil, there's no point in retrying either
-			return nil, nil
+			// return an error that would be caught by the webhook HTTP handler and not retried
+			return nil, ErrArtifactNotFound
 		}
 		// let's continue with the stored version
-
 		// now get information for signature and workflow
 		err = storeSignatureAndWorkflowInVersion(
 			ctx, cli, artifact.Owner, artifact.Name, transformTag(tagIsSigErr.signatureTag), storedVersion)