Merge pull request #1016 from crazy-max/imagetools-inspect-retry

buildx(imagetools): make manifest retries configurable

__tests__/buildx/build.test.ts

@@ -22,6 +22,9 @@ import * as rimraf from 'rimraf';
 
 import {Context} from '../../src/context.js';
 import {Build} from '../../src/buildx/build.js';
+import {Buildx} from '../../src/buildx/buildx.js';
+
+import {GitContextFormat} from '../../src/types/buildx/build.js';
 
 const fixturesDir = path.join(__dirname, '..', '.fixtures');
 const tmpDir = fs.mkdtempSync(path.join(process.env.TEMP || os.tmpdir(), 'buildx-build-'));
@@ -41,6 +44,66 @@ afterEach(() => {
   rimraf.sync(tmpDir);
 });
 
+describe('gitContext', () => {
+  const originalEnv = process.env;
+  beforeEach(() => {
+    vi.resetModules();
+    process.env = {
+      ...originalEnv,
+      DOCKER_DEFAULT_GIT_CONTEXT_PR_HEAD_REF: '',
+      BUILDX_SEND_GIT_QUERY_AS_INPUT: ''
+    };
+  });
+  afterEach(() => {
+    process.env = originalEnv;
+  });
+
+  type GitContextTestCase = {
+    ref: string;
+    format: GitContextFormat | undefined;
+    prHeadRef: boolean;
+    sendGitQueryAsInput: boolean;
+    buildxQuerySupport: boolean;
+  };
+
+  // prettier-ignore
+  const gitContextCases: [GitContextTestCase, string][] = [
+    // no format set (defaults to fragment)
+    [{ref: 'refs/heads/master', format: undefined, prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
+    [{ref: 'master', format: undefined, prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
+    [{ref: 'refs/pull/15/merge', format: undefined, prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#refs/pull/15/merge'],
+    [{ref: 'refs/tags/v1.0.0', format: undefined, prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
+    [{ref: 'refs/pull/15/merge', format: undefined, prHeadRef: true, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#refs/pull/15/head'],
+    // no format set (defaults to query only when client-side query resolution is enabled and supported)
+    [{ref: 'refs/heads/master', format: undefined, prHeadRef: false, sendGitQueryAsInput: true, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
+    [{ref: 'refs/pull/15/merge', format: undefined, prHeadRef: false, sendGitQueryAsInput: true, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/pull/15/merge&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
+    [{ref: 'refs/pull/15/merge', format: undefined, prHeadRef: true, sendGitQueryAsInput: true, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/pull/15/head&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
+    [{ref: 'refs/heads/master', format: undefined, prHeadRef: false, sendGitQueryAsInput: true, buildxQuerySupport: false}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
+    // query format
+    [{ref: 'refs/heads/master', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
+    [{ref: 'master', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
+    [{ref: 'refs/pull/15/merge', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/pull/15/merge&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
+    [{ref: 'refs/tags/v1.0.0', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/tags/v1.0.0&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
+    [{ref: 'refs/pull/15/merge', format: 'query', prHeadRef: true, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/pull/15/head&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
+    // fragment format
+    [{ref: 'refs/heads/master', format: 'fragment', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
+    [{ref: 'master', format: 'fragment', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
+    [{ref: 'refs/pull/15/merge', format: 'fragment', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#refs/pull/15/merge'],
+    [{ref: 'refs/tags/v1.0.0', format: 'fragment', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
+    [{ref: 'refs/pull/15/merge', format: 'fragment', prHeadRef: true, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#refs/pull/15/head'],
+  ];
+
+  test.each(gitContextCases)('given %o should return %o', async (input: GitContextTestCase, expected: string) => {
+    const {ref, format, prHeadRef, sendGitQueryAsInput, buildxQuerySupport} = input;
+    process.env.DOCKER_DEFAULT_GIT_CONTEXT_PR_HEAD_REF = prHeadRef ? 'true' : '';
+    process.env.BUILDX_SEND_GIT_QUERY_AS_INPUT = sendGitQueryAsInput ? 'true' : '';
+    const buildx = new Buildx();
+    vi.spyOn(buildx, 'versionSatisfies').mockResolvedValue(buildxQuerySupport);
+    const build = new Build({buildx});
+    expect(await build.gitContext(ref, '860c1904a1ce19322e91ac35af1ab07466440c37', format)).toEqual(expected);
+  });
+});
+
 describe('resolveImageID', () => {
   it('matches', async () => {
     const imageID = 'sha256:bfb45ab72e46908183546477a08f8867fc40cebadd00af54b071b097aed127a9';

__tests__/buildx/imagetools.test.itg.ts

@@ -30,12 +30,12 @@ const maybe = !process.env.GITHUB_ACTIONS || (process.env.GITHUB_ACTIONS === 'tr
 
 maybe('inspectImage', () => {
   it('inspect single platform', async () => {
-    const image = await new ImageTools().inspectImage('moby/buildkit:latest@sha256:5769c54b98840147b74128f38fb0b0a049e24b11a75bd81664131edd2854593f');
+    const image = await new ImageTools().inspectImage({name: 'moby/buildkit:latest@sha256:5769c54b98840147b74128f38fb0b0a049e24b11a75bd81664131edd2854593f'});
     const expectedImage = <Image>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'imagetools-01.json'), {encoding: 'utf-8'}).trim());
     expect(image).toEqual(expectedImage);
   });
   it('inspect multi platform', async () => {
-    const image = await new ImageTools().inspectImage('moby/buildkit:latest@sha256:86c0ad9d1137c186e9d455912167df20e530bdf7f7c19de802e892bb8ca16552');
+    const image = await new ImageTools().inspectImage({name: 'moby/buildkit:latest@sha256:86c0ad9d1137c186e9d455912167df20e530bdf7f7c19de802e892bb8ca16552'});
     const expectedImage = <Record<string, Image>>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'imagetools-02.json'), {encoding: 'utf-8'}).trim());
     expect(image).toEqual(expectedImage);
   });
@@ -43,12 +43,12 @@ maybe('inspectImage', () => {
 
 maybe('inspectManifest', () => {
   it('inspect descriptor', async () => {
-    const manifest = await new ImageTools().inspectManifest('moby/buildkit:latest@sha256:dccc69dd895968c4f21aa9e43e715f25f0cedfce4b17f1014c88c307928e22fc');
+    const manifest = await new ImageTools().inspectManifest({name: 'moby/buildkit:latest@sha256:dccc69dd895968c4f21aa9e43e715f25f0cedfce4b17f1014c88c307928e22fc'});
     const expectedManifest = <Descriptor>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'imagetools-03.json'), {encoding: 'utf-8'}).trim());
     expect(manifest).toEqual(expectedManifest);
   });
   it('inspect index', async () => {
-    const manifest = await new ImageTools().inspectManifest('moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6');
+    const manifest = await new ImageTools().inspectManifest({name: 'moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6'});
     const expectedManifest = <ImageToolsManifest>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'imagetools-04.json'), {encoding: 'utf-8'}).trim());
     expect(manifest).toEqual(expectedManifest);
   });
@@ -56,17 +56,17 @@ maybe('inspectManifest', () => {
 
 maybe('attestationDescriptors', () => {
   it('returns buildkit attestations descriptors', async () => {
-    const attestations = await new ImageTools().attestationDescriptors('moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6');
+    const attestations = await new ImageTools().attestationDescriptors({name: 'moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6'});
     const expectedAttestations = <Array<Descriptor>>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'imagetools-05.json'), {encoding: 'utf-8'}).trim());
     expect(attestations).toEqual(expectedAttestations);
   });
   it('returns buildkit attestations descriptors for linux/amd64', async () => {
-    const attestations = await new ImageTools().attestationDescriptors('moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6', {os: 'linux', architecture: 'amd64'});
+    const attestations = await new ImageTools().attestationDescriptors({name: 'moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6', platform: {os: 'linux', architecture: 'amd64'}});
     const expectedAttestations = <Array<Descriptor>>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'imagetools-06.json'), {encoding: 'utf-8'}).trim());
     expect(attestations).toEqual(expectedAttestations);
   });
   it('returns buildkit attestations descriptors for linux/arm/v7', async () => {
-    const attestations = await new ImageTools().attestationDescriptors('moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6', {os: 'linux', architecture: 'arm', variant: 'v7'});
+    const attestations = await new ImageTools().attestationDescriptors({name: 'moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6', platform: {os: 'linux', architecture: 'arm', variant: 'v7'}});
     const expectedAttestations = <Array<Descriptor>>JSON.parse(fs.readFileSync(path.join(fixturesDir, 'imagetools-07.json'), {encoding: 'utf-8'}).trim());
     expect(attestations).toEqual(expectedAttestations);
   });
@@ -74,7 +74,7 @@ maybe('attestationDescriptors', () => {
 
 maybe('attestationDigests', () => {
   it('returns buildkit attestations digests', async () => {
-    const digests = await new ImageTools().attestationDigests('moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6');
+    const digests = await new ImageTools().attestationDigests({name: 'moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6'});
     // prettier-ignore
     expect(digests).toEqual([
       'sha256:2ba4ad6eae1efcafee73a971953093c7c32b6938f2f9fd4998c8bf4d0fbe76f2',
@@ -86,11 +86,22 @@ maybe('attestationDigests', () => {
     ]);
   });
   it('returns buildkit attestations digests for linux/amd64', async () => {
-    const digests = await new ImageTools().attestationDigests('moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6', {os: 'linux', architecture: 'amd64'});
+    const digests = await new ImageTools().attestationDigests({name: 'moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6', platform: {os: 'linux', architecture: 'amd64'}});
     expect(digests).toEqual(['sha256:2ba4ad6eae1efcafee73a971953093c7c32b6938f2f9fd4998c8bf4d0fbe76f2']);
   });
   it('returns buildkit attestations digests for linux/arm/v7', async () => {
-    const digests = await new ImageTools().attestationDigests('moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6', {os: 'linux', architecture: 'arm', variant: 'v7'});
+    const digests = await new ImageTools().attestationDigests({name: 'moby/buildkit:latest@sha256:79cc6476ab1a3371c9afd8b44e7c55610057c43e18d9b39b68e2b0c2475cc1b6', platform: {os: 'linux', architecture: 'arm', variant: 'v7'}});
     expect(digests).toEqual(['sha256:0709528fae1747ce17638ad2978ee7936b38a294136eaadaf692e415f64b1e03']);
   });
 });
+
+maybe('create', () => {
+  it('skips create command execution when skipExec is set', async () => {
+    const result = await new ImageTools().create({
+      sources: ['sha256:0709528fae1747ce17638ad2978ee7936b38a294136eaadaf692e415f64b1e03'],
+      tags: ['docker.io/user/app', 'docker.io/user/app2'],
+      skipExec: true
+    });
+    expect(result).toBeUndefined();
+  });
+});

__tests__/buildx/imagetools.test.ts

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-import {afterEach, describe, expect, it, vi} from 'vitest';
+import {afterEach, beforeEach, describe, expect, it, vi} from 'vitest';
 import fs from 'fs';
 import os from 'os';
 import path from 'path';
@@ -38,10 +38,133 @@ vi.spyOn(Context, 'tmpName').mockImplementation((): string => {
 });
 
 afterEach(() => {
+  vi.useRealTimers();
   vi.clearAllMocks();
   rimraf.sync(tmpDir);
 });
 
+beforeEach(() => {
+  vi.useRealTimers();
+  fs.mkdirSync(tmpDir, {recursive: true});
+});
+
+describe('inspectManifest', () => {
+  it('retries transient manifest unknown errors when requested', async () => {
+    vi.useFakeTimers();
+
+    const getCommand = vi.fn().mockResolvedValue({
+      command: 'docker',
+      args: ['buildx', 'imagetools', 'inspect']
+    });
+    const buildx = {getCommand} as unknown as Buildx;
+    const execSpy = vi
+      .spyOn(Exec, 'getExecOutput')
+      .mockResolvedValueOnce({
+        exitCode: 1,
+        stdout: '',
+        stderr: 'ERROR: MANIFEST_UNKNOWN: manifest unknown'
+      })
+      .mockResolvedValueOnce({
+        exitCode: 0,
+        stdout: JSON.stringify({
+          schemaVersion: 2,
+          mediaType: 'application/vnd.oci.image.index.v1+json',
+          manifests: []
+        }),
+        stderr: ''
+      });
+
+    const inspectPromise = new ImageTools({buildx}).inspectManifest({
+      name: 'docker.io/library/alpine:latest',
+      retryOnManifestUnknown: true,
+      retryLimit: 2
+    });
+
+    await vi.runAllTimersAsync();
+
+    expect(await inspectPromise).toEqual({
+      schemaVersion: 2,
+      mediaType: 'application/vnd.oci.image.index.v1+json',
+      manifests: []
+    });
+    expect(getCommand).toHaveBeenCalledWith(['imagetools', 'inspect', 'docker.io/library/alpine:latest', '--format', '{{json .Manifest}}']);
+    expect(execSpy).toHaveBeenCalledTimes(2);
+  });
+
+  it('does not retry non-manifest errors', async () => {
+    const getCommand = vi.fn().mockResolvedValue({
+      command: 'docker',
+      args: ['buildx', 'imagetools', 'inspect']
+    });
+    const buildx = {getCommand} as unknown as Buildx;
+    const execSpy = vi.spyOn(Exec, 'getExecOutput').mockResolvedValue({
+      exitCode: 1,
+      stdout: '',
+      stderr: 'ERROR: unauthorized'
+    });
+
+    const result = await new ImageTools({buildx})
+      .inspectManifest({
+        name: 'docker.io/library/alpine:latest',
+        retryOnManifestUnknown: true
+      })
+      .then(
+        value => ({value, error: undefined}),
+        error => ({value: undefined, error: error as Error})
+      );
+
+    expect(result.value).toBeUndefined();
+    expect(result.error).toBeInstanceOf(Error);
+    expect(result.error?.message).toContain('ERROR: unauthorized');
+
+    expect(execSpy).toHaveBeenCalledTimes(1);
+  });
+});
+
+describe('inspectImage', () => {
+  it('retries transient manifest unknown errors when requested', async () => {
+    vi.useFakeTimers();
+
+    const getCommand = vi.fn().mockResolvedValue({
+      command: 'docker',
+      args: ['buildx', 'imagetools', 'inspect']
+    });
+    const buildx = {getCommand} as unknown as Buildx;
+    const execSpy = vi
+      .spyOn(Exec, 'getExecOutput')
+      .mockResolvedValueOnce({
+        exitCode: 1,
+        stdout: '',
+        stderr: 'ERROR: MANIFEST_UNKNOWN: manifest unknown'
+      })
+      .mockResolvedValueOnce({
+        exitCode: 0,
+        stdout: JSON.stringify({
+          config: {
+            digest: 'sha256:test'
+          }
+        }),
+        stderr: ''
+      });
+
+    const inspectPromise = new ImageTools({buildx}).inspectImage({
+      name: 'docker.io/library/alpine:latest',
+      retryOnManifestUnknown: true,
+      retryLimit: 2
+    });
+
+    await vi.runAllTimersAsync();
+
+    expect(await inspectPromise).toEqual({
+      config: {
+        digest: 'sha256:test'
+      }
+    });
+    expect(getCommand).toHaveBeenCalledWith(['imagetools', 'inspect', 'docker.io/library/alpine:latest', '--format', '{{json .Image}}']);
+    expect(execSpy).toHaveBeenCalledTimes(2);
+  });
+});
+
 describe('create', () => {
   it('parses metadata and supports cwd sources', async () => {
     const getCommand = vi.fn().mockResolvedValue({
@@ -70,7 +193,8 @@ describe('create', () => {
 
     const result = await new ImageTools({buildx}).create({
       sources: ['cwd://descriptor.json', 'docker.io/library/alpine:latest'],
-      tags: ['docker.io/user/app:latest']
+      tags: ['docker.io/user/app:latest'],
+      silent: true
     });
 
     expect(getCommand).toHaveBeenCalledWith(['imagetools', 'create', '--tag', 'docker.io/user/app:latest', '--metadata-file', metadataFile, '--file', 'descriptor.json', 'docker.io/library/alpine:latest']);
@@ -104,7 +228,8 @@ describe('create', () => {
 
     const result = await new ImageTools({buildx}).create({
       sources: ['docker.io/library/alpine:latest'],
-      dryRun: true
+      dryRun: true,
+      silent: true
     });
 
     expect(getCommand).toHaveBeenCalledWith(['imagetools', 'create', '--dry-run', 'docker.io/library/alpine:latest']);
@@ -114,4 +239,63 @@ describe('create', () => {
     });
     expect(result).toBeUndefined();
   });
+
+  it('passes annotations to imagetools create', async () => {
+    const getCommand = vi.fn().mockResolvedValue({
+      command: 'docker',
+      args: ['buildx', 'imagetools', 'create']
+    });
+    const buildx = {getCommand} as unknown as Buildx;
+
+    const execSpy = vi.spyOn(Exec, 'getExecOutput').mockResolvedValue({
+      exitCode: 0,
+      stdout: '',
+      stderr: ''
+    });
+
+    const result = await new ImageTools({buildx}).create({
+      sources: ['docker.io/library/alpine:latest'],
+      annotations: ['index:org.opencontainers.image.title=Alpine', 'manifest-descriptor:org.opencontainers.image.description=Base image'],
+      silent: true
+    });
+
+    expect(getCommand).toHaveBeenCalledWith([
+      'imagetools',
+      'create',
+      '--annotation',
+      'index:org.opencontainers.image.title=Alpine',
+      '--annotation',
+      'manifest-descriptor:org.opencontainers.image.description=Base image',
+      '--metadata-file',
+      metadataFile,
+      'docker.io/library/alpine:latest'
+    ]);
+    expect(execSpy).toHaveBeenCalledWith('docker', ['buildx', 'imagetools', 'create'], {
+      ignoreReturnCode: true,
+      silent: true
+    });
+    expect(result).toBeUndefined();
+  });
+
+  it('skips command execution when skipExec is enabled', async () => {
+    const getCommand = vi.fn().mockResolvedValue({
+      command: 'docker',
+      args: ['buildx', 'imagetools', 'create']
+    });
+    const buildx = {getCommand} as unknown as Buildx;
+    const execSpy = vi.spyOn(Exec, 'getExecOutput').mockResolvedValue({
+      exitCode: 0,
+      stdout: '',
+      stderr: ''
+    });
+
+    const result = await new ImageTools({buildx}).create({
+      sources: ['docker.io/library/alpine:latest'],
+      skipExec: true
+    });
+
+    expect(getCommand).toHaveBeenCalledWith(['imagetools', 'create', '--metadata-file', metadataFile, 'docker.io/library/alpine:latest']);
+    expect(execSpy).not.toHaveBeenCalled();
+    expect(result).toBeUndefined();
+  });
 });

__tests__/context.test.ts

@@ -14,7 +14,7 @@
  * limitations under the License.
  */
 
-import {describe, expect, vi, it, afterEach, beforeEach, test} from 'vitest';
+import {describe, expect, it, afterEach} from 'vitest';
 import fs from 'fs';
 import os from 'os';
 import path from 'path';
@@ -23,57 +23,35 @@ import * as rimraf from 'rimraf';
 import {Context} from '../src/context.js';
 
 const tmpDir = fs.mkdtempSync(path.join(process.env.TEMP || os.tmpdir(), 'context-'));
-const tmpName = path.join(tmpDir, '.tmpname-vi');
-
-vi.spyOn(Context, 'tmpDir').mockImplementation((): string => {
-  fs.mkdirSync(tmpDir, {recursive: true});
-  return tmpDir;
-});
-
-vi.spyOn(Context, 'tmpName').mockImplementation((): string => {
-  return tmpName;
-});
 
 afterEach(() => {
   rimraf.sync(tmpDir);
+  fs.mkdirSync(tmpDir, {recursive: true});
 });
 
-describe('gitRef', () => {
+describe('tmpDir', () => {
-  it('returns refs/heads/master', async () => {
+  it('returns an existing directory and keeps it stable', () => {
-    expect(Context.gitRef()).toEqual('refs/heads/master');
+    const dir = Context.tmpDir();
+    expect(fs.existsSync(dir)).toBe(true);
+    expect(fs.statSync(dir).isDirectory()).toBe(true);
+    expect(Context.tmpDir()).toEqual(dir);
   });
 });
 
-describe('parseGitRef', () => {
+describe('tmpName', () => {
-  const originalEnv = process.env;
+  it('returns a path for the provided tmpdir and template', () => {
-  beforeEach(() => {
+    const name = Context.tmpName({
-    vi.resetModules();
+      tmpdir: tmpDir,
-    process.env = {
+      template: '.tmpname-XXXXXX'
-      ...originalEnv,
+    });
-      DOCKER_GIT_CONTEXT_PR_HEAD_REF: ''
+    expect(path.dirname(name)).toEqual(tmpDir);
-    };
+    expect(path.basename(name)).toMatch(/^\.tmpname-/);
+    expect(fs.existsSync(name)).toBe(false);
   });
-  afterEach(() => {
-    process.env = originalEnv;
-  });
-  // prettier-ignore
-  test.each([
-    ['refs/heads/master', '860c1904a1ce19322e91ac35af1ab07466440c37', false, '860c1904a1ce19322e91ac35af1ab07466440c37'],
-    ['master', '860c1904a1ce19322e91ac35af1ab07466440c37', false, '860c1904a1ce19322e91ac35af1ab07466440c37'],
-    ['refs/pull/15/merge', '860c1904a1ce19322e91ac35af1ab07466440c37', false, 'refs/pull/15/merge'],
-    ['refs/heads/master', '', false, 'refs/heads/master'],
-    ['master', '', false, 'master'],
-    ['refs/tags/v1.0.0', '', false, 'refs/tags/v1.0.0'],
-    ['refs/pull/15/merge', '', false, 'refs/pull/15/merge'],
-    ['refs/pull/15/merge', '', true, 'refs/pull/15/head'],
-  ])('given %o and %o, should return %o', async (ref: string, sha: string, prHeadRef: boolean, expected: string) => {
-    process.env.DOCKER_DEFAULT_GIT_CONTEXT_PR_HEAD_REF = prHeadRef ? 'true' : '';
-    expect(Context.parseGitRef(ref, sha)).toEqual(expected);
-  });
-});
 
-describe('gitContext', () => {
+  it('returns different paths on consecutive calls', () => {
-  it('returns refs/heads/master', async () => {
+    const first = Context.tmpName({tmpdir: tmpDir, template: '.tmpname-XXXXXX'});
-    expect(Context.gitContext()).toEqual('https://github.com/docker/actions-toolkit.git#refs/heads/master');
+    const second = Context.tmpName({tmpdir: tmpDir, template: '.tmpname-XXXXXX'});
+    expect(first).not.toEqual(second);
   });
 });

__tests__/util.test.ts

@@ -315,6 +315,7 @@ describe('hash', () => {
 // https://github.com/golang/go/blob/f6b93a4c358b28b350dd8fe1780c1f78e520c09c/src/strconv/atob_test.go#L36-L58
 describe('parseBool', () => {
   [
+    {input: undefined, expected: false, throwsError: false},
     {input: '', expected: false, throwsError: true},
     {input: 'asdf', expected: false, throwsError: true},
     {input: '0', expected: false, throwsError: false},
@@ -342,6 +343,13 @@ describe('parseBool', () => {
   });
 });
 
+describe('parseBoolOrDefault', () => {
+  it('returns default value when input is invalid', () => {
+    expect(Util.parseBoolOrDefault('asdf')).toBe(false);
+    expect(Util.parseBoolOrDefault('asdf', true)).toBe(true);
+  });
+});
+
 describe('formatFileSize', () => {
   test('should return "0 Bytes" when given 0 bytes', () => {
     expect(Util.formatFileSize(0)).toBe('0 Bytes');

package.json

@@ -42,7 +42,7 @@
     "registry": "https://registry.npmjs.org/"
   },
   "dependencies": {
-    "@actions/artifact": "^6.2.0",
+    "@actions/artifact": "^6.2.1",
     "@actions/cache": "^6.0.0",
     "@actions/core": "^3.0.0",
     "@actions/exec": "^3.0.0",

src/buildx/build.ts

@@ -17,6 +17,7 @@
 import fs from 'fs';
 import path from 'path';
 import * as core from '@actions/core';
+import * as github from '@actions/github';
 import {parse} from 'csv-parse/sync';
 
 import {Buildx} from './buildx.js';
@@ -24,7 +25,7 @@ import {Context} from '../context.js';
 import {GitHub} from '../github/github.js';
 import {Util} from '../util.js';
 
-import {BuildMetadata} from '../types/buildx/build.js';
+import {BuildMetadata, GitContextFormat} from '../types/buildx/build.js';
 import {VertexWarning} from '../types/buildkit/client.js';
 import {ProvenancePredicate} from '../types/intoto/slsa_provenance/v0.2/provenance.js';
 
@@ -48,6 +49,33 @@ export class Build {
     this.metadataFilename = `build-metadata-${Util.generateRandomString()}.json`;
   }
 
+  public async gitContext(ref?: string, sha?: string, format?: GitContextFormat): Promise<string> {
+    const setPullRequestHeadRef = Util.parseBoolOrDefault(process.env.DOCKER_DEFAULT_GIT_CONTEXT_PR_HEAD_REF);
+    ref = ref || github.context.ref;
+    sha = sha || github.context.sha;
+    if (!ref.startsWith('refs/')) {
+      ref = `refs/heads/${ref}`;
+    } else if (ref.startsWith(`refs/pull/`) && setPullRequestHeadRef) {
+      ref = ref.replace(/\/merge$/g, '/head');
+    }
+    const baseURL = `${GitHub.serverURL}/${github.context.repo.owner}/${github.context.repo.repo}.git`;
+    if (!format) {
+      const sendGitQueryAsInput = Util.parseBoolOrDefault(process.env.BUILDX_SEND_GIT_QUERY_AS_INPUT);
+      if (sendGitQueryAsInput && (await this.buildx.versionSatisfies('>=0.29.0'))) {
+        format = 'query';
+      } else {
+        format = 'fragment';
+      }
+    }
+    if (format === 'query') {
+      return `${baseURL}?ref=${ref}${sha ? `&checksum=${sha}` : ''}`;
+    }
+    if (sha && !ref.startsWith(`refs/pull/`)) {
+      return `${baseURL}#${sha}`;
+    }
+    return `${baseURL}#${ref}`;
+  }
+
   public getImageIDFilePath(): string {
     return path.join(Context.tmpDir(), this.iidFilename);
   }

src/buildx/imagetools.ts

@@ -15,13 +15,15 @@
  */
 
 import fs from 'fs';
+import * as core from '@actions/core';
+
 import {Buildx} from './buildx.js';
 import {Context} from '../context.js';
 import {Exec} from '../exec.js';
 
-import {CreateOpts, CreateResponse, CreateResult, Manifest as ImageToolsManifest} from '../types/buildx/imagetools.js';
+import {AttestationInspectOpts, CreateOpts, CreateResponse, CreateResult, InspectOpts, Manifest as ImageToolsManifest} from '../types/buildx/imagetools.js';
 import {Image} from '../types/oci/config.js';
-import {Descriptor, Platform} from '../types/oci/descriptor.js';
+import {Descriptor} from '../types/oci/descriptor.js';
 import {Digest} from '../types/oci/digest.js';
 
 export interface ImageToolsOpts {
@@ -47,16 +49,8 @@ export class ImageTools {
     return await this.getCommand(['create', ...args]);
   }
 
-  public async inspectImage(name: string): Promise<Record<string, Image> | Image> {
+  public async inspectImage(opts: InspectOpts): Promise<Record<string, Image> | Image> {
-    const cmd = await this.getInspectCommand([name, '--format', '{{json .Image}}']);
+    return await this.inspect(opts, '{{json .Image}}', parsedOutput => {
-    return await Exec.getExecOutput(cmd.command, cmd.args, {
-      ignoreReturnCode: true,
-      silent: true
-    }).then(res => {
-      if (res.stderr.length > 0 && res.exitCode != 0) {
-        throw new Error(res.stderr.trim());
-      }
-      const parsedOutput = JSON.parse(res.stdout);
       if (typeof parsedOutput === 'object' && !Array.isArray(parsedOutput) && parsedOutput !== null) {
         if (Object.prototype.hasOwnProperty.call(parsedOutput, 'config')) {
           return <Image>parsedOutput;
@@ -68,16 +62,8 @@ export class ImageTools {
     });
   }
 
-  public async inspectManifest(name: string): Promise<ImageToolsManifest | Descriptor> {
+  public async inspectManifest(opts: InspectOpts): Promise<ImageToolsManifest | Descriptor> {
-    const cmd = await this.getInspectCommand([name, '--format', '{{json .Manifest}}']);
+    return await this.inspect(opts, '{{json .Manifest}}', parsedOutput => {
-    return await Exec.getExecOutput(cmd.command, cmd.args, {
-      ignoreReturnCode: true,
-      silent: true
-    }).then(res => {
-      if (res.stderr.length > 0 && res.exitCode != 0) {
-        throw new Error(res.stderr.trim());
-      }
-      const parsedOutput = JSON.parse(res.stdout);
       if (typeof parsedOutput === 'object' && !Array.isArray(parsedOutput) && parsedOutput !== null) {
         if (Object.prototype.hasOwnProperty.call(parsedOutput, 'manifests')) {
           return <ImageToolsManifest>parsedOutput;
@@ -89,17 +75,18 @@ export class ImageTools {
     });
   }
 
-  public async attestationDescriptors(name: string, platform?: Platform): Promise<Array<Descriptor>> {
+  public async attestationDescriptors(opts: AttestationInspectOpts): Promise<Array<Descriptor>> {
-    const manifest = await this.inspectManifest(name);
+    const manifest = await this.inspectManifest(opts);
 
     if (typeof manifest !== 'object' || manifest === null || !('manifests' in manifest) || !Array.isArray(manifest.manifests)) {
-      throw new Error(`No descriptor found for ${name}`);
+      throw new Error(`No descriptor found for ${opts.name}`);
     }
 
     const attestations = manifest.manifests.filter(m => m.annotations?.['vnd.docker.reference.type'] === 'attestation-manifest');
-    if (!platform) {
+    if (!opts.platform) {
       return attestations;
     }
+    const platform = opts.platform;
 
     const manifestByDigest = new Map<string, Descriptor>();
     for (const m of manifest.manifests) {
@@ -121,8 +108,8 @@ export class ImageTools {
     });
   }
 
-  public async attestationDigests(name: string, platform?: Platform): Promise<Array<Digest>> {
+  public async attestationDigests(opts: AttestationInspectOpts): Promise<Array<Digest>> {
-    return (await this.attestationDescriptors(name, platform)).map(attestation => attestation.digest);
+    return (await this.attestationDescriptors(opts)).map(attestation => attestation.digest);
   }
 
   public async create(opts: CreateOpts): Promise<CreateResult | undefined> {
@@ -151,6 +138,11 @@ export class ImageTools {
         args.push('--platform', platform);
       }
     }
+    if (opts.annotations) {
+      for (const annotation of opts.annotations) {
+        args.push('--annotation', annotation);
+      }
+    }
     if (opts.dryRun) {
       args.push('--dry-run');
     } else {
@@ -164,9 +156,15 @@ export class ImageTools {
     }
 
     const cmd = await this.getCreateCommand(args);
+    if (opts.skipExec) {
+      core.info(`[command]${cmd.command} ${cmd.args.join(' ')}`);
+      core.info(`Skipped create command`);
+      return undefined;
+    }
+
     return await Exec.getExecOutput(cmd.command, cmd.args, {
       ignoreReturnCode: true,
-      silent: true
+      silent: opts.silent
     }).then(res => {
       if (res.stderr.length > 0 && res.exitCode != 0) {
         throw new Error(res.stderr.trim());
@@ -192,4 +190,44 @@ export class ImageTools {
       }
     });
   }
+
+  private async inspect<T>(opts: InspectOpts, format: string, parser: (parsedOutput: unknown) => T): Promise<T> {
+    const cmd = await this.getInspectCommand([opts.name, '--format', format]);
+    if (!opts.retryOnManifestUnknown) {
+      return await this.execInspect(cmd.command, cmd.args, parser);
+    }
+
+    const retries = opts.retryLimit ?? 15;
+    let lastError: Error | undefined;
+    for (let attempt = 0; attempt < retries; attempt++) {
+      try {
+        return await this.execInspect(cmd.command, cmd.args, parser);
+      } catch (err) {
+        lastError = err as Error;
+        if (!ImageTools.isManifestUnknownError(lastError.message) || attempt === retries - 1) {
+          throw lastError;
+        }
+        core.info(`buildx imagetools inspect command failed with MANIFEST_UNKNOWN, retrying attempt ${attempt + 1}/${retries}...\n${lastError.message}`);
+        await new Promise(res => setTimeout(res, Math.pow(2, attempt) * 100));
+      }
+    }
+
+    throw lastError ?? new Error(`ImageTools inspect command failed for ${opts.name}`);
+  }
+
+  private async execInspect<T>(command: string, args: Array<string>, parser: (parsedOutput: unknown) => T): Promise<T> {
+    return await Exec.getExecOutput(command, args, {
+      ignoreReturnCode: true,
+      silent: true
+    }).then(res => {
+      if (res.stderr.length > 0 && res.exitCode != 0) {
+        throw new Error(res.stderr.trim());
+      }
+      return parser(JSON.parse(res.stdout));
+    });
+  }
+
+  private static isManifestUnknownError(message: string): boolean {
+    return /(MANIFEST_UNKNOWN|manifest unknown|not found: not found)/i.test(message);
+  }
 }

src/context.ts

@@ -18,9 +18,6 @@ import fs from 'fs';
 import os from 'os';
 import path from 'path';
 import * as tmp from 'tmp';
-import * as github from '@actions/github';
-
-import {GitHub} from './github/github.js';
 
 export class Context {
   private static readonly _tmpDir = fs.mkdtempSync(path.join(Context.ensureDirExists(process.env.RUNNER_TEMP || os.tmpdir()), 'docker-actions-toolkit-'));
@@ -37,25 +34,4 @@ export class Context {
   public static tmpName(options?: tmp.TmpNameOptions): string {
     return tmp.tmpNameSync(options);
   }
-
-  public static gitRef(): string {
-    return Context.parseGitRef(github.context.ref, github.context.sha);
-  }
-
-  public static parseGitRef(ref: string, sha: string): string {
-    const setPullRequestHeadRef: boolean = !!(process.env.DOCKER_DEFAULT_GIT_CONTEXT_PR_HEAD_REF && process.env.DOCKER_DEFAULT_GIT_CONTEXT_PR_HEAD_REF === 'true');
-    if (sha && ref && !ref.startsWith('refs/')) {
-      ref = `refs/heads/${ref}`;
-    }
-    if (sha && !ref.startsWith(`refs/pull/`)) {
-      ref = sha;
-    } else if (ref.startsWith(`refs/pull/`) && setPullRequestHeadRef) {
-      ref = ref.replace(/\/merge$/g, '/head');
-    }
-    return ref;
-  }
-
-  public static gitContext(): string {
-    return `${GitHub.serverURL}/${github.context.repo.owner}/${github.context.repo.repo}.git#${Context.gitRef()}`;
-  }
 }

src/sigstore/sigstore.ts

@@ -113,7 +113,11 @@ export class Sigstore {
       }
 
       for (const imageName of opts.imageNames) {
-        const attestationDigests = await this.imageTools.attestationDigests(`${imageName}@${opts.imageDigest}`);
+        const attestationDigests = await this.imageTools.attestationDigests({
+          name: `${imageName}@${opts.imageDigest}`,
+          retryOnManifestUnknown: opts.retryOnManifestUnknown,
+          retryLimit: opts.retryLimit
+        });
         for (const attestationDigest of attestationDigests) {
           const attestationRef = `${imageName}@${attestationDigest}`;
           await core.group(`Signing attestation manifest ${attestationRef}`, async () => {
@@ -183,7 +187,12 @@ export class Sigstore {
   public async verifyImageAttestations(image: string, opts: VerifySignedManifestsOpts): Promise<Record<string, VerifySignedManifestsResult>> {
     const result: Record<string, VerifySignedManifestsResult> = {};
 
-    const attestationDigests = await this.imageTools.attestationDigests(image, opts.platform);
+    const attestationDigests = await this.imageTools.attestationDigests({
+      name: image,
+      platform: opts.platform,
+      retryOnManifestUnknown: opts.retryOnManifestUnknown,
+      retryLimit: opts.retryLimit
+    });
     if (attestationDigests.length === 0) {
       throw new Error(`No attestation manifests found for ${image}`);
     }
@@ -237,7 +246,7 @@ export class Sigstore {
       };
     }
 
-    const retries = 15;
+    const retries = opts.retryLimit ?? 15;
     let lastError: Error | undefined;
     core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
     for (let attempt = 0; attempt < retries; attempt++) {

src/types/buildx/build.ts

@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+export type GitContextFormat = 'fragment' | 'query';
+
 export type BuildMetadata = {
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   [key: string]: any;

src/types/buildx/imagetools.ts

@@ -15,9 +15,19 @@
  */
 
 import {Versioned} from '../oci/versioned.js';
-import {Descriptor} from '../oci/descriptor.js';
+import {Descriptor, Platform} from '../oci/descriptor.js';
 import {Digest} from '../oci/digest.js';
 
+export interface InspectOpts {
+  name: string;
+  retryOnManifestUnknown?: boolean;
+  retryLimit?: number;
+}
+
+export interface AttestationInspectOpts extends InspectOpts {
+  platform?: Platform;
+}
+
 // https://github.com/docker/buildx/blob/62857022a08552bee5cad0c3044a9a3b185f0b32/util/imagetools/printers.go#L109-L123
 export interface Manifest extends Versioned {
   mediaType?: string;
@@ -32,7 +42,10 @@ export interface CreateOpts {
   sources: Array<string>;
   tags?: Array<string>;
   platforms?: Array<string>;
+  annotations?: Array<string>;
   dryRun?: boolean;
+  silent?: boolean;
+  skipExec?: boolean;
 }
 
 export interface CreateResponse {

src/types/sigstore/sigstore.ts

@@ -40,6 +40,8 @@ export interface SignAttestationManifestsOpts {
   imageNames: Array<string>;
   imageDigest: string;
   noTransparencyLog?: boolean;
+  retryOnManifestUnknown?: boolean;
+  retryLimit?: number;
 }
 
 export interface SignAttestationManifestsResult extends ParsedBundle {
@@ -51,6 +53,7 @@ export interface VerifySignedManifestsOpts {
   platform?: Platform;
   noTransparencyLog?: boolean;
   retryOnManifestUnknown?: boolean;
+  retryLimit?: number;
 }
 
 export interface VerifySignedManifestsResult {

src/util.ts

@@ -157,7 +157,10 @@ export class Util {
   }
 
   // https://github.com/golang/go/blob/f6b93a4c358b28b350dd8fe1780c1f78e520c09c/src/strconv/atob.go#L7-L18
-  public static parseBool(str: string): boolean {
+  public static parseBool(str: string | undefined): boolean {
+    if (str === undefined) {
+      return false;
+    }
     switch (str) {
       case '1':
       case 't':
@@ -178,6 +181,14 @@ export class Util {
     }
   }
 
+  public static parseBoolOrDefault(str: string | undefined, defaultValue = false): boolean {
+    try {
+      return this.parseBool(str);
+    } catch {
+      return defaultValue;
+    }
+  }
+
   public static formatFileSize(bytes: number): string {
     if (bytes === 0) return '0 Bytes';
     const k = 1024;

yarn.lock

@@ -12,9 +12,9 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@actions/artifact@npm:^6.2.0":
+"@actions/artifact@npm:^6.2.1":
-  version: 6.2.0
+  version: 6.2.1
-  resolution: "@actions/artifact@npm:6.2.0"
+  resolution: "@actions/artifact@npm:6.2.1"
   dependencies:
     "@actions/core": "npm:^3.0.0"
     "@actions/github": "npm:^9.0.0"
@@ -30,7 +30,7 @@ __metadata:
     archiver: "npm:^7.0.1"
     jwt-decode: "npm:^4.0.0"
     unzip-stream: "npm:^0.3.1"
-  checksum: 10/fa931b1222c0e08bca85d3cb18c2cd5ae912cce3f09ab3acd4ec3486e864337d65177089a14aef124d9696b9dd5309b273a9251e230172c79c2444af2c43443e
+  checksum: 10/1fad9b079ee2ab07f964b93bf7b4fc594d115199219baed74ac3bf2a8675e0b7ea57252eccbcdaaaa8fc8375742d23585cbd054f3b2d029c091817e0f257ce93
   languageName: node
   linkType: hard
 
@@ -370,7 +370,7 @@ __metadata:
   version: 0.0.0-use.local
   resolution: "@docker/actions-toolkit@workspace:."
   dependencies:
-    "@actions/artifact": "npm:^6.2.0"
+    "@actions/artifact": "npm:^6.2.1"
     "@actions/cache": "npm:^6.0.0"
     "@actions/core": "npm:^3.0.0"
     "@actions/exec": "npm:^3.0.0"