feat(docker)!: add digest to images uri

neilime · neilime · commit 1ecdfcc17a9d · 2025-07-11T09:29:07.000+02:00
diff --git a/.github/workflows/__test-action-docker-build-image.yml b/.github/workflows/__test-action-docker-build-image.yml
@@ -65,16 +65,12 @@ jobs:
               "hoverkraft-tech/ci-github-container/application-test",
               `"repository" output is not valid`
             );
-            assert.equal(
-              builtImage.digests.length,
-              1,
-              `"digests" output is not valid`
-            );
             assert.match(
-              builtImage.digests[0],
-              /^ghcr\.io\/hoverkraft-tech\/ci-github-container\/application-test@sha256:[a-f0-9]{64}$/,
-              `"digests" output is not valid`
+              builtImage.digest,
+              /^sha256:[a-f0-9]{64}$/,
+              `"digest" output is not valid`
             );
+            assert.equal(builtImage.image, `ghcr.io/hoverkraft-tech/ci-github-container/application-test@${builtImage.digest}`, `"image" output is not valid`);
 
             // Annotations
             assert.match(
@@ -123,21 +119,6 @@ jobs:
               assert.equal(builtImage.tags[0], prShaTag, `"tags" output is not valid`);
               assert.equal(builtImage.tags[1], prTag, `"tags" output is not valid`);
 
-              assert.equal(
-                builtImage.images.length,
-                2,
-                `"images" output is not valid`
-              );
-              assert.equal(
-                builtImage.images[0],
-                `ghcr.io/hoverkraft-tech/ci-github-container/application-test:${prShaTag}`,
-                `"images" output is not valid`
-              );
-              assert.equal(
-                builtImage.images[1],
-                `ghcr.io/hoverkraft-tech/ci-github-container/application-test:${prTag}`,
-                `"images" output is not valid`
-              );
               assert.equal(
                 builtImage.annotations["org.opencontainers.image.version"],
                 prTag,
@@ -151,19 +132,6 @@ jobs:
               assert.equal(builtImage.tags[0], refTag, `"tags" output is not valid`);
               assert.equal(builtImage.tags[1], "latest", `"tags" output is not valid`);
 
-              assert.equal(builtImage.images.length, 2, `"images" output is not valid`);
-              assert.equal(
-                builtImage.images[0],
-                `ghcr.io/hoverkraft-tech/ci-github-container/application-test:${refTag}`,
-                `"images" output is not valid`
-              );
-
-              assert.equal(
-                builtImage.images[1],
-                `ghcr.io/hoverkraft-tech/ci-github-container/application-test:latest`,
-                `"images" output is not valid`
-              );
-
               assert.equal(
                 builtImage.annotations["org.opencontainers.image.version"],
                 refTag,
@@ -177,20 +145,18 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ github.token }}
 
-      - name: Assert - Check docker digests
+      - name: Assert - Check docker digest
         run: |
-          DIGESTS=$(echo '${{ steps.build-image.outputs.built-image }}' | jq -r '.digests[]')
-          for DIGEST in $DIGESTS; do
-            if ! docker pull "$DIGEST"; then
-              echo "Failed to pull $DIGEST"
-              exit 1
-            fi
-
-            if ! docker manifest inspect "$DIGEST"; then
-              echo "Failed to inspect $DIGEST"
-              exit 1
-            fi
-          done
+          DIGEST=$(echo '${{ steps.build-image.outputs.built-image }}' | jq -r '.digest')
+          if ! docker pull "$DIGEST"; then
+            echo "Failed to pull $DIGEST"
+            exit 1
+          fi
+
+          if ! docker manifest inspect "$DIGEST"; then
+            echo "Failed to inspect $DIGEST"
+            exit 1
+          fi
 
   tests-with-given-tag:
     name: Test for "docker/build-image" action with given tag
@@ -249,19 +215,17 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ github.token }}
 
-      - name: Assert - Check docker digests
+      - name: Assert - Check docker image
         run: |
-          DIGESTS=$(echo '${{ steps.build-image.outputs.built-image }}' | jq -r '.digests[]')
-          for DIGEST in $DIGESTS; do
-            if ! docker pull "$DIGEST"; then
-              echo "Failed to pull $DIGEST"
-              exit 1
-            fi
-
-            if ! docker manifest inspect "$DIGEST"; then
-              echo "Failed to inspect $DIGEST"
-              exit 1
-            fi
-          done
+          IMAGE=$(echo '${{ steps.build-image.outputs.built-image }}' | jq -r '.image')
+          if ! docker pull "$IMAGE"; then
+            echo "Failed to pull $IMAGE"
+            exit 1
+          fi
+
+          if ! docker manifest inspect "$IMAGE"; then
+            echo "Failed to inspect $IMAGE"
+            exit 1
+          fi
 
 # jscpd:ignore-end
diff --git a/actions/docker/build-image/action.yml b/actions/docker/build-image/action.yml
@@ -1,10 +1,14 @@
 ---
-name: "Build image"
-description: "Action to build an image with Docker for a specific platform"
-author: Hoverkraft
+name: "Docker - Build image"
+description: |
+  Action to build and push a "raw" image with Docker for a specific platform.
+  This action uses the Docker Buildx plugin to build the image.
+  It supports caching.
+  It returns the image digest uri, tags, and annotations, but does not handle it itself.
+author: hoverkraft
 branding:
   icon: package
-  color: gray-dark
+  color: blue
 
 outputs:
   built-image:
@@ -14,17 +18,12 @@ outputs:
         "name": "application",
         "registry": "ghcr.io",
         "repository": "my-org/my-repo/application",
+        "digest": "sha256:d31aa93410434ac9dcfc9179cac2cb1fd4d7c27f11527addc40299c7c675f49d",
+        "image": "ghcr.io/my-org/my-repo/application@sha256:d31aa93410434ac9dcfc9179cac2cb1fd4d7c27f11527addc40299c7c675f49d",
         "tags": [
           "pr-63-5222075",
           "pr-63"
         ],
-        "images": [
-          "ghcr.io/my-org/my-repo/application:pr-63-5222075",
-          "ghcr.io/my-org/my-repo/application:pr-63"
-        ],
-        "digests": [
-          "ghcr.io/my-org/my-repo/application@sha256:d31aa93410434ac9dcfc9179cac2cb1fd4d7c27f11527addc40299c7c675f49d"
-        ],
         "annotations": {
           "org.opencontainers.image.created": "2021-09-30T14:00:00Z",
           "org.opencontainers.image.description": "Application image"
@@ -257,8 +256,7 @@ runs:
           }
 
           if (builtMetadata["containerimage.digest"] === undefined) {
-            core.setFailed('Given "metadata"."containerimage.digest" output is undefined.');
-            return;
+            return core.setFailed('Given "metadata"."containerimage.digest" output is undefined.');
           }
 
           const name = `${{ inputs.image }}`;
@@ -273,15 +271,26 @@ runs:
           .map(tag => tag.replace(/[^\/]+\/[^:]+:(.+)/,'$1').trim())
           .filter(tag => tag !== "");
 
-          const images = tags.map(tag => `${image}:${tag}`);
           const digests = builtMetadata["containerimage.digest"]
             .split(",")
             .map(digest => {
               const cleanedDigest = digest.trim();
-              return cleanedDigest !== "" ? `${image}@${cleanedDigest}` : null;
+              return cleanedDigest !== "" ? cleanedDigest : null;
             })
             .filter(digest => digest !== null);
 
+          const uniqueDigests = [...new Set(digests)];
+          if (uniqueDigests.length === 0) {
+            return core.setFailed('No valid digests found in "containerimage.digest" output.');
+          }
+
+          if( uniqueDigests.length > 1 ) {
+            return core.setFailed(`Multiple digests found: ${uniqueDigests.join(", ")}.`);
+          }
+
+          const digest = uniqueDigests[0];
+          const image = `${image}@${digest}`;
+
           const annotations = `${{ steps.metadata.outputs.annotations }}`
             .split("\n")
             .map(annotation => {
@@ -303,8 +312,8 @@ runs:
             annotations,
             registry,
             repository,
-            images,
-            digests,
+            image,
+            digest
           };
 
           core.setOutput("built-image", JSON.stringify(builtImage));
