This change includes a number of updates to the action in order to pivot from uploading attestations to the Attestations API to our own package in GHCR. This allows the attestation to sit alongside the actual artifact, which simplifies access flows.
This means:
Creating two new manifest types, one for attestations and one for referrer tag indexes
Adding new annotations for all three of these so we can perform special handling in the backend
Uploading both of these to GHCR before the artifact to avoid race conditions or partial failure
Skipping writes to the attestations API when generating our attestation
A few other changes were made as I was updating this, including:
No longer including the config layer in the "layers" part of the OCI manifest, since it's already in "config"
Simplifying the configuration of the GHCR client by making it a class with state (such as token & registry URL)
Adding retries to all HTTP requests from the GHCR client to make it more resilient to GHCR instability
Moving any logic specific to action packages out of the GHCR client and making it a bit more "generic"
We should consider adding more integrity checks for things like the correct SHAs being in the correct places, but since this is all one small project and we create all the things in oci-container.ts, we can be assured it hasn't changed after its creation.
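The upload scheme described above, as an added example that is not the action's own code: it builds the attestation manifest (config referenced once, not repeated in "layers"), the referrer index under the OCI referrers tag for the artifact digest, and returns the push steps in the order the description calls for, with the artifact tag last so a reader of the tag never sees a half-published attestation. Media types for manifests, indexes and the empty config blob are from the OCI image spec; the artifactType, the annotation key and the FakeRegistry stand-in for the GHCR client are placeholders, and the bundle contents are constructed.

```typescript
import { createHash } from "node:crypto";

// Added example, not the project's code. Spec media types; placeholder artifactType and annotation key.
const MANIFEST = "application/vnd.oci.image.manifest.v1+json";
const INDEX = "application/vnd.oci.image.index.v1+json";
const EMPTY_CONFIG = "application/vnd.oci.empty.v1+json";
const ATTESTATION_TYPE = "application/vnd.example.attestation+json"; // placeholder
const ANNOTATION_KIND = "example.com/manifest-kind"; // placeholder annotation key

export interface Descriptor {
  mediaType: string; digest: string; size: number;
  artifactType?: string; annotations?: Record<string, string>;
}
export interface PushStep { kind: "blob" | "manifest"; ref: string; body: Buffer; mediaType?: string }

export function sha256Digest(bytes: Buffer): string {
  return "sha256:" + createHash("sha256").update(bytes).digest("hex");
}
export function toDescriptor(mediaType: string, bytes: Buffer, extra: Partial<Descriptor> = {}): Descriptor {
  return { mediaType, digest: sha256Digest(bytes), size: bytes.length, ...extra };
}
// Referrers tag scheme from the OCI distribution spec: "sha256:abc..." -> "sha256-abc..."
export function referrersTag(subjectDigest: string): string {
  return subjectDigest.replace(":", "-");
}
const encode = (obj: unknown): Buffer => Buffer.from(JSON.stringify(obj));

/** Builds attestation manifest + referrer index for an already-built artifact manifest, in push order. */
export function buildAttestationArtifacts(artifactManifest: Buffer, attestationBundle: Buffer, artifactTag: string): PushStep[] {
  const subject = toDescriptor(MANIFEST, artifactManifest);
  const emptyConfig = Buffer.from("{}");
  const configDesc = toDescriptor(EMPTY_CONFIG, emptyConfig);
  const bundleDesc = toDescriptor(ATTESTATION_TYPE, attestationBundle);
  // The config blob is referenced once, under "config", and not repeated in "layers".
  const attestationManifest = encode({
    schemaVersion: 2, mediaType: MANIFEST, artifactType: ATTESTATION_TYPE,
    config: configDesc, layers: [bundleDesc], subject,
    annotations: { [ANNOTATION_KIND]: "attestation" },
  });
  const attestationDesc = toDescriptor(MANIFEST, attestationManifest, {
    artifactType: ATTESTATION_TYPE, annotations: { [ANNOTATION_KIND]: "attestation" },
  });
  const referrerIndex = encode({
    schemaVersion: 2, mediaType: INDEX, manifests: [attestationDesc],
    annotations: { [ANNOTATION_KIND]: "referrer-index" },
  });
  // Everything the artifact depends on goes first; the artifact's own tag is written last.
  return [
    { kind: "blob", ref: configDesc.digest, body: emptyConfig },
    { kind: "blob", ref: bundleDesc.digest, body: attestationBundle },
    { kind: "manifest", ref: attestationDesc.digest, body: attestationManifest, mediaType: MANIFEST },
    { kind: "manifest", ref: referrersTag(subject.digest), body: referrerIndex, mediaType: INDEX },
    { kind: "manifest", ref: artifactTag, body: artifactManifest, mediaType: MANIFEST },
  ];
}

/** In-memory registry standing in for the GHCR client; failuresLeft simulates transient 503s. */
export class FakeRegistry {
  store = new Map<string, Buffer>();
  failuresLeft = 0;
  attempts = 0;
  put(step: PushStep): void {
    this.attempts++;
    if (this.failuresLeft > 0) { this.failuresLeft--; throw new Error("503 transient"); }
    this.store.set(step.ref, step.body);
  }
}
/** Pushes each step with bounded retries; a step that never succeeds stops the push before the artifact tag. */
export function pushWithRetry(registry: FakeRegistry, steps: PushStep[], maxAttempts = 3): string[] {
  const pushed: string[] = [];
  for (const step of steps) {
    let lastErr: unknown;
    for (let i = 0; i < maxAttempts; i++) {
      try { registry.put(step); lastErr = undefined; break; } catch (e) { lastErr = e; }
    }
    if (lastErr !== undefined) throw lastErr;
    pushed.push(step.ref);
  }
  return pushed;
}
```

The retry loop is deliberately per step: a transient failure on the referrer index is retried in place, and an exhausted retry aborts before the artifact tag exists, which is the partial-failure case the ordering is meant to avoid.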