
Commit 0b9f32c

committed
Switch Docker builds to Docker Manifest List v2 format for Cromwell compatibility
Force Docker v2 manifest format in per-arch builds by disabling attestation manifests (provenance/SBOM) and setting oci-mediatypes=false. Remove OCI-only annotations from manifest creation. Add CI verification step to confirm Docker Manifest List v2 output format. Fixes #1046
1 parent c36842d commit 0b9f32c

2 files changed

Lines changed: 56 additions & 19 deletions


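--- a/.github/actions/create-manifest/action.yml
+++ b/.github/actions/create-manifest/action.yml
@@ -1,5 +1,5 @@
 name: 'Create Multi-Arch Manifest'
-description: 'Create Docker manifest with OCI annotations'
+description: 'Create multi-arch Docker manifest'
 inputs:
 ghcr-repo:
 description: 'GHCR repository base (e.g., ghcr.io/broadinstitute/viral-ngs)'
@@ -14,8 +14,8 @@ inputs:
 description: 'Source ARM64 image tag'
 required: true
 description:
-description: 'Image description for OCI annotation'
-required: true
+description: 'Image description (reserved for future use)'
+required: false
 
 runs:
 using: 'composite'
@@ -24,10 +24,23 @@ runs:
 shell: bash
 run: |
 docker buildx imagetools create \
---annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
---annotation "index:org.opencontainers.image.description=${{ inputs.description }}" \
---annotation "index:org.opencontainers.image.licenses=MIT" \
---annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
 --tag "${{ inputs.ghcr-repo }}:${{ inputs.target-tag }}" \
 "${{ inputs.ghcr-repo }}:${{ inputs.source-amd64 }}" \
 "${{ inputs.ghcr-repo }}:${{ inputs.source-arm64 }}"
+
+- name: Verify Docker Manifest List v2 format
+shell: bash
+run: |
+TOKEN=$(curl -s "https://ghcr.io/token?service=ghcr.io&scope=repository:${REPO#ghcr.io/}:pull" | jq -r .token)
+CONTENT_TYPE=$(curl -s -D- -o /dev/null \
+-H "Authorization: Bearer $TOKEN" \
+-H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" \
+"https://ghcr.io/v2/${REPO#ghcr.io/}/manifests/${{ inputs.target-tag }}" | grep -i content-type)
+if echo "$CONTENT_TYPE" | grep -q "manifest.list.v2"; then
+echo "OK: Docker Manifest List v2 format confirmed"
+else
+echo "FAIL: Expected Docker Manifest List v2, got: $CONTENT_TYPE"
+exit 1
+fi
+env:
+REPO: ${{ inputs.ghcr-repo }}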
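Review bot: The new verify step expands `${{ inputs.target-tag }}` directly into the `run:` script (in the manifest URL), so the input's text becomes part of the shell source before bash parses it. The same step already routes the repository through `env:` as `REPO`, and the tag should go the same way: add `TARGET_TAG: ${{ inputs.target-tag }}` under `env:` and end the URL with `/manifests/${TARGET_TAG}`. The token request is also unchecked: `curl -s` without `--fail` followed by `jq -r .token` yields the literal string `null` on an error body, so an auth problem is reported as a manifest-format failure; a guard such as `[ -n "$TOKEN" ] && [ "$TOKEN" != "null" ] || { echo "FAIL: no registry token"; exit 1; }` would separate the two. If composite `shell: bash` runs with `-e -o pipefail`, as I expect, a response without a Content-Type header makes the `grep -i content-type` pipeline fail and the step exits before the `FAIL:` line is printed.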

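--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -161,7 +161,9 @@ jobs:
 context: .
 file: docker/Dockerfile.baseimage
 platforms: linux/amd64
-push: true
+provenance: false
+sbom: false
+outputs: type=image,push=true,oci-mediatypes=false
 tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-baseimage-amd64
 cache-from: |
 type=registry,ref=${{ env.GHCR_REPO }}:cache-baseimage-amd64-${{ needs.get-version.outputs.image-tag-prefix }}
@@ -195,7 +197,9 @@ jobs:
 context: .
 file: docker/Dockerfile.baseimage
 platforms: linux/arm64
-push: true
+provenance: false
+sbom: false
+outputs: type=image,push=true,oci-mediatypes=false
 tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-baseimage-arm64
 cache-from: |
 type=registry,ref=${{ env.GHCR_REPO }}:cache-baseimage-arm64-${{ needs.get-version.outputs.image-tag-prefix }}
@@ -302,7 +306,9 @@ jobs:
 context: .
 file: docker/Dockerfile.core
 platforms: linux/amd64
-push: true
+provenance: false
+sbom: false
+outputs: type=image,push=true,oci-mediatypes=false
 tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-amd64
 build-args: |
 BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-baseimage-amd64
@@ -341,7 +347,9 @@ jobs:
 context: .
 file: docker/Dockerfile.core
 platforms: linux/arm64
-push: true
+provenance: false
+sbom: false
+outputs: type=image,push=true,oci-mediatypes=false
 tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-arm64
 build-args: |
 BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-baseimage-arm64
@@ -451,7 +459,9 @@ jobs:
 context: .
 file: docker/Dockerfile.assemble
 platforms: linux/amd64
-push: true
+provenance: false
+sbom: false
+outputs: type=image,push=true,oci-mediatypes=false
 tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-assemble-amd64
 build-args: |
 BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-amd64
@@ -490,7 +500,9 @@ jobs:
 context: .
 file: docker/Dockerfile.assemble
 platforms: linux/arm64
-push: true
+provenance: false
+sbom: false
+outputs: type=image,push=true,oci-mediatypes=false
 tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-assemble-arm64
 build-args: |
 BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-arm64
@@ -600,7 +612,9 @@ jobs:
 context: .
 file: docker/Dockerfile.classify
 platforms: linux/amd64
-push: true
+provenance: false
+sbom: false
+outputs: type=image,push=true,oci-mediatypes=false
 tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-classify-amd64
 build-args: |
 BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-amd64
@@ -639,7 +653,9 @@ jobs:
 context: .
 file: docker/Dockerfile.classify
 platforms: linux/arm64
-push: true
+provenance: false
+sbom: false
+outputs: type=image,push=true,oci-mediatypes=false
 tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-classify-arm64
 build-args: |
 BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-arm64
@@ -749,7 +765,9 @@ jobs:
 context: .
 file: docker/Dockerfile.phylo
 platforms: linux/amd64
-push: true
+provenance: false
+sbom: false
+outputs: type=image,push=true,oci-mediatypes=false
 tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-phylo-amd64
 build-args: |
 BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-amd64
@@ -788,7 +806,9 @@ jobs:
 context: .
 file: docker/Dockerfile.phylo
 platforms: linux/arm64
-push: true
+provenance: false
+sbom: false
+outputs: type=image,push=true,oci-mediatypes=false
 tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-phylo-arm64
 build-args: |
 BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-arm64
@@ -898,7 +918,9 @@ jobs:
 context: .
 file: docker/Dockerfile.mega
 platforms: linux/amd64
-push: true
+provenance: false
+sbom: false
+outputs: type=image,push=true,oci-mediatypes=false
 tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-mega-amd64
 build-args: |
 BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-amd64
@@ -937,7 +959,9 @@ jobs:
 context: .
 file: docker/Dockerfile.mega
 platforms: linux/arm64
-push: true
+provenance: false
+sbom: false
+outputs: type=image,push=true,oci-mediatypes=false
 tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-mega-arm64
 build-args: |
 BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-arm64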
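Review bot: `provenance: false` and `sbom: false` remove the build attestations from every image this workflow publishes, and nothing at the call sites records why or what replaces them. The same three lines recur in all twelve build steps (baseimage, core, assemble, classify, phylo and mega, each for amd64 and arm64). Going by the commit message, the reason is manifest format, so a comment above the lines at each site would keep a later cleanup from re-enabling them blindly, e.g. `# Attestations disabled: they force an OCI index; Cromwell needs Docker manifest v2 (#1046)`. For consumers that verify what they pull, consider recording provenance out-of-band against the pushed digest (a signature or a GitHub artifact attestation), which should not alter the image manifest's media type. Each build step begins and ends outside its hunk, so whether the digest is already exported is not visible here.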
