Merge pull request #1047 from broadinstitute/fix/docker-manifest-v2-format

dpark01 · web-flow · commit 48ea3248ffe3 · 2026-02-24T23:48:30.000-05:00
Switch Docker builds to Docker Manifest List v2 format
diff --git a/.github/actions/create-manifest/action.yml b/.github/actions/create-manifest/action.yml
@@ -1,5 +1,5 @@
 name: 'Create Multi-Arch Manifest'
-description: 'Create Docker manifest with OCI annotations'
+description: 'Create multi-arch Docker manifest'
 inputs:
   ghcr-repo:
     description: 'GHCR repository base (e.g., ghcr.io/broadinstitute/viral-ngs)'
@@ -14,8 +14,8 @@ inputs:
     description: 'Source ARM64 image tag'
     required: true
   description:
-    description: 'Image description for OCI annotation'
-    required: true
+    description: 'Image description (reserved for future use)'
+    required: false
 
 runs:
   using: 'composite'
@@ -24,10 +24,47 @@ runs:
       shell: bash
       run: |
         docker buildx imagetools create \
-          --annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
-          --annotation "index:org.opencontainers.image.description=${{ inputs.description }}" \
-          --annotation "index:org.opencontainers.image.licenses=MIT" \
-          --annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
           --tag "${{ inputs.ghcr-repo }}:${{ inputs.target-tag }}" \
           "${{ inputs.ghcr-repo }}:${{ inputs.source-amd64 }}" \
           "${{ inputs.ghcr-repo }}:${{ inputs.source-arm64 }}"
+
+    - name: Verify Docker Manifest List v2 format
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        REPO_PATH="${REPO#ghcr.io/}"
+
+        # Fetch registry access token
+        TOKEN=$(curl -fsS "https://ghcr.io/token?service=ghcr.io&scope=repository:${REPO_PATH}:pull" | jq -er .token) || {
+          echo "FAIL: Unable to retrieve token from ghcr.io"
+          exit 1
+        }
+
+        # Fetch manifest and capture HTTP status code + content type
+        HTTP_STATUS=$(curl -sS -o /dev/null -w '%{http_code}' \
+          -H "Authorization: Bearer $TOKEN" \
+          -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" \
+          "https://ghcr.io/v2/${REPO_PATH}/manifests/${{ inputs.target-tag }}") || {
+          echo "FAIL: Unable to retrieve manifest from ghcr.io for tag '${{ inputs.target-tag }}'"
+          exit 1
+        }
+
+        if [ "$HTTP_STATUS" != "200" ]; then
+          echo "FAIL: Expected HTTP 200 when fetching manifest, got: $HTTP_STATUS"
+          exit 1
+        fi
+
+        CONTENT_TYPE=$(curl -sS -D- -o /dev/null \
+          -H "Authorization: Bearer $TOKEN" \
+          -H "Accept: application/vnd.docker.distribution.manifest.list.v2+json" \
+          "https://ghcr.io/v2/${REPO_PATH}/manifests/${{ inputs.target-tag }}" | grep -i content-type)
+
+        if echo "$CONTENT_TYPE" | grep -qi "manifest.list.v2"; then
+          echo "OK: Docker Manifest List v2 format confirmed"
+        else
+          echo "FAIL: Expected Docker Manifest List v2, got: $CONTENT_TYPE"
+          exit 1
+        fi
+      env:
+        REPO: ${{ inputs.ghcr-repo }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -161,7 +161,9 @@ jobs:
           context: .
           file: docker/Dockerfile.baseimage
           platforms: linux/amd64
-          push: true
+          provenance: false
+          sbom: false
+          outputs: type=image,push=true,oci-mediatypes=false
           tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-baseimage-amd64
           cache-from: |
             type=registry,ref=${{ env.GHCR_REPO }}:cache-baseimage-amd64-${{ needs.get-version.outputs.image-tag-prefix }}
@@ -195,7 +197,9 @@ jobs:
           context: .
           file: docker/Dockerfile.baseimage
           platforms: linux/arm64
-          push: true
+          provenance: false
+          sbom: false
+          outputs: type=image,push=true,oci-mediatypes=false
           tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-baseimage-arm64
           cache-from: |
             type=registry,ref=${{ env.GHCR_REPO }}:cache-baseimage-arm64-${{ needs.get-version.outputs.image-tag-prefix }}
@@ -253,20 +257,12 @@ jobs:
 
           # Create version tag
           docker buildx imagetools create \
-            --annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
-            --annotation "index:org.opencontainers.image.description=Viral genomics analysis tools - base image" \
-            --annotation "index:org.opencontainers.image.licenses=MIT" \
-            --annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
             --tag ${{ env.GHCR_REPO }}:${VERSION}-baseimage \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-baseimage-amd64 \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-baseimage-arm64
 
           # Create major.minor tag
           docker buildx imagetools create \
-            --annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
-            --annotation "index:org.opencontainers.image.description=Viral genomics analysis tools - base image" \
-            --annotation "index:org.opencontainers.image.licenses=MIT" \
-            --annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
             --tag ${{ env.GHCR_REPO }}:${MAJOR_MINOR}-baseimage \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-baseimage-amd64 \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-baseimage-arm64
@@ -302,7 +298,9 @@ jobs:
           context: .
           file: docker/Dockerfile.core
           platforms: linux/amd64
-          push: true
+          provenance: false
+          sbom: false
+          outputs: type=image,push=true,oci-mediatypes=false
           tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-amd64
           build-args: |
             BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-baseimage-amd64
@@ -341,7 +339,9 @@ jobs:
           context: .
           file: docker/Dockerfile.core
           platforms: linux/arm64
-          push: true
+          provenance: false
+          sbom: false
+          outputs: type=image,push=true,oci-mediatypes=false
           tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-arm64
           build-args: |
             BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-baseimage-arm64
@@ -403,19 +403,11 @@ jobs:
           MAJOR_MINOR=$(echo "$VERSION" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
 
           docker buildx imagetools create \
-            --annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
-            --annotation "index:org.opencontainers.image.description=Viral genomics analysis tools - core utilities" \
-            --annotation "index:org.opencontainers.image.licenses=MIT" \
-            --annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
             --tag ${{ env.GHCR_REPO }}:${VERSION}-core \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-amd64 \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-arm64
 
           docker buildx imagetools create \
-            --annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
-            --annotation "index:org.opencontainers.image.description=Viral genomics analysis tools - core utilities" \
-            --annotation "index:org.opencontainers.image.licenses=MIT" \
-            --annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
             --tag ${{ env.GHCR_REPO }}:${MAJOR_MINOR}-core \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-amd64 \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-arm64
@@ -451,7 +443,9 @@ jobs:
           context: .
           file: docker/Dockerfile.assemble
           platforms: linux/amd64
-          push: true
+          provenance: false
+          sbom: false
+          outputs: type=image,push=true,oci-mediatypes=false
           tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-assemble-amd64
           build-args: |
             BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-amd64
@@ -490,7 +484,9 @@ jobs:
           context: .
           file: docker/Dockerfile.assemble
           platforms: linux/arm64
-          push: true
+          provenance: false
+          sbom: false
+          outputs: type=image,push=true,oci-mediatypes=false
           tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-assemble-arm64
           build-args: |
             BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-arm64
@@ -552,19 +548,11 @@ jobs:
           MAJOR_MINOR=$(echo "$VERSION" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
 
           docker buildx imagetools create \
-            --annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
-            --annotation "index:org.opencontainers.image.description=Viral genomics analysis tools - assembly" \
-            --annotation "index:org.opencontainers.image.licenses=MIT" \
-            --annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
             --tag ${{ env.GHCR_REPO }}:${VERSION}-assemble \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-assemble-amd64 \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-assemble-arm64
 
           docker buildx imagetools create \
-            --annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
-            --annotation "index:org.opencontainers.image.description=Viral genomics analysis tools - assembly" \
-            --annotation "index:org.opencontainers.image.licenses=MIT" \
-            --annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
             --tag ${{ env.GHCR_REPO }}:${MAJOR_MINOR}-assemble \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-assemble-amd64 \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-assemble-arm64
@@ -600,7 +588,9 @@ jobs:
           context: .
           file: docker/Dockerfile.classify
           platforms: linux/amd64
-          push: true
+          provenance: false
+          sbom: false
+          outputs: type=image,push=true,oci-mediatypes=false
           tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-classify-amd64
           build-args: |
             BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-amd64
@@ -639,7 +629,9 @@ jobs:
           context: .
           file: docker/Dockerfile.classify
           platforms: linux/arm64
-          push: true
+          provenance: false
+          sbom: false
+          outputs: type=image,push=true,oci-mediatypes=false
           tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-classify-arm64
           build-args: |
             BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-arm64
@@ -701,19 +693,11 @@ jobs:
           MAJOR_MINOR=$(echo "$VERSION" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
 
           docker buildx imagetools create \
-            --annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
-            --annotation "index:org.opencontainers.image.description=Viral genomics analysis tools - metagenomic classification" \
-            --annotation "index:org.opencontainers.image.licenses=MIT" \
-            --annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
             --tag ${{ env.GHCR_REPO }}:${VERSION}-classify \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-classify-amd64 \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-classify-arm64
 
           docker buildx imagetools create \
-            --annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
-            --annotation "index:org.opencontainers.image.description=Viral genomics analysis tools - metagenomic classification" \
-            --annotation "index:org.opencontainers.image.licenses=MIT" \
-            --annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
             --tag ${{ env.GHCR_REPO }}:${MAJOR_MINOR}-classify \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-classify-amd64 \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-classify-arm64
@@ -749,7 +733,9 @@ jobs:
           context: .
           file: docker/Dockerfile.phylo
           platforms: linux/amd64
-          push: true
+          provenance: false
+          sbom: false
+          outputs: type=image,push=true,oci-mediatypes=false
           tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-phylo-amd64
           build-args: |
             BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-amd64
@@ -788,7 +774,9 @@ jobs:
           context: .
           file: docker/Dockerfile.phylo
           platforms: linux/arm64
-          push: true
+          provenance: false
+          sbom: false
+          outputs: type=image,push=true,oci-mediatypes=false
           tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-phylo-arm64
           build-args: |
             BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-arm64
@@ -850,19 +838,11 @@ jobs:
           MAJOR_MINOR=$(echo "$VERSION" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
 
           docker buildx imagetools create \
-            --annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
-            --annotation "index:org.opencontainers.image.description=Viral genomics analysis tools - phylogenetics" \
-            --annotation "index:org.opencontainers.image.licenses=MIT" \
-            --annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
             --tag ${{ env.GHCR_REPO }}:${VERSION}-phylo \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-phylo-amd64 \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-phylo-arm64
 
           docker buildx imagetools create \
-            --annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
-            --annotation "index:org.opencontainers.image.description=Viral genomics analysis tools - phylogenetics" \
-            --annotation "index:org.opencontainers.image.licenses=MIT" \
-            --annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
             --tag ${{ env.GHCR_REPO }}:${MAJOR_MINOR}-phylo \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-phylo-amd64 \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-phylo-arm64
@@ -898,7 +878,9 @@ jobs:
           context: .
           file: docker/Dockerfile.mega
           platforms: linux/amd64
-          push: true
+          provenance: false
+          sbom: false
+          outputs: type=image,push=true,oci-mediatypes=false
           tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-mega-amd64
           build-args: |
             BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-amd64
@@ -937,7 +919,9 @@ jobs:
           context: .
           file: docker/Dockerfile.mega
           platforms: linux/arm64
-          push: true
+          provenance: false
+          sbom: false
+          outputs: type=image,push=true,oci-mediatypes=false
           tags: ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-mega-arm64
           build-args: |
             BASEIMAGE=${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-core-arm64
@@ -993,19 +977,11 @@ jobs:
           MAJOR_MINOR=$(echo "$VERSION" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
 
           docker buildx imagetools create \
-            --annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
-            --annotation "index:org.opencontainers.image.description=Viral genomics analysis tools - all tools combined" \
-            --annotation "index:org.opencontainers.image.licenses=MIT" \
-            --annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
             --tag ${{ env.GHCR_REPO }}:${VERSION} \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-mega-amd64 \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-mega-arm64
 
           docker buildx imagetools create \
-            --annotation "index:org.opencontainers.image.source=https://github.com/broadinstitute/viral-ngs" \
-            --annotation "index:org.opencontainers.image.description=Viral genomics analysis tools - all tools combined" \
-            --annotation "index:org.opencontainers.image.licenses=MIT" \
-            --annotation "index:org.opencontainers.image.authors=viral-ngs@broadinstitute.org" \
             --tag ${{ env.GHCR_REPO }}:${MAJOR_MINOR} \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-mega-amd64 \
             ${{ env.GHCR_REPO }}:${{ needs.get-version.outputs.image-tag-prefix }}-mega-arm64
