question: Can the remote.Referrers function be updated to handle a 406 response when attempting a request against the referrers API endpoint?

[malancas]

When the remote.Referrers function fetches a list of referrers for a manifest, it first attempts to make a request to the referrers API endpoint. If that fails, it falls back to making a request to the manifests endpoint using the referrers tag schema.

While using this function with a registry that does not support the referrers API endpoint, I found the function was unexpectedly failing. Digging into the error, I found the registry was returning a 406 instead of a 404 when the function attempted to make a request to the referrers endpoint. Adding http.StatusNotAcceptable to the list of handled status codes in transport.CheckError here fixed the problem for me.

Would it be possible to add http.StatusNotAcceptable to the list of status codes handled by transport.CheckError? Since it is a 4XX error, the Referrers is able to fallback and try the manifests API endpoint.

[GregoireW]

FYI

I put this here, even though it is related but not really...

Playing with the new GitHub attestation api and modified sigstore policy controller, I got an issue with Google Artifact Registry when retrieving the referrers. (OCI 1.0, but redirect to authentication page when referrer api call is made, so response is 200 + content text/html)

As the spec is clear the content type must be application/vnd.oci.image.index.v1+json I created a PR #1968