jobs/node-image-build: Use manifest digests instead of tags when pushing

Retrieve the digests of intermediary manifests instead of relying on the
tags they were pushed with.  This prevents accidentally referencing
stale manifests that may still exist locally on the builders from
previous runs.

We were already using digests for the images within the manifests, so
this also improves overall consistency.

Co-authored-by: Renata Ravanelli <[email protected]>

Author: jbtrystram

jobs/build-node-image.Jenkinsfile

@@ -77,6 +77,8 @@ lock(resource: "build-node-image") {
         pipeutils.addOptionalRootCA()
 
         def yumrepos_file
+        def node_image_manifest_digest
+        def extensions_image_manifest_digest
         stage('Init') {
             shwrap("git clone ${stream_info.yumrepo.url} yumrepos")
             for (repo in stream_info.yumrepo.files) {
@@ -90,7 +92,7 @@ lock(resource: "build-node-image") {
         stage('Build Node Image') {
             withCredentials([file(credentialsId: 'oscontainer-push-registry-secret', variable: 'REGISTRY_AUTH_FILE')]) {
                  def build_from = params.FROM ?: stream_info.from
-                 pipeutils.build_and_push_image(arches: arches,
+                 node_image_manifest_digest = pipeutils.build_and_push_image(arches: arches,
                                                 src_commit: commit,
                                                 src_url: src_config_url,
                                                 staging_repository: registry_staging_repo,
@@ -104,8 +106,8 @@ lock(resource: "build-node-image") {
         stage('Build Extensions Image') {
             withCredentials([file(credentialsId: 'oscontainer-push-registry-secret', variable: 'REGISTRY_AUTH_FILE')]) {
                 // Use the node image as from
-                def build_from = "${registry_staging_repo}:${registry_staging_tag}"
-                pipeutils.build_and_push_image(arches: arches,
+                def build_from = "${registry_staging_repo}@${node_image_manifest_digest}"
+                extensions_image_manifest_digest = pipeutils.build_and_push_image(arches: arches,
                                                src_commit: commit,
                                                src_url: src_config_url,
                                                staging_repository: registry_staging_repo,
@@ -127,11 +129,11 @@ lock(resource: "build-node-image") {
                 // So we just recopy the same image multiple times.
                 // https://github.com/containers/skopeo/issues/513
                 for (tag in registry_prod_tags) {
-                    pipeutils.copy_image("${registry_staging_repo}:${registry_staging_tag}-extensions",
+                    pipeutils.copy_image("${registry_staging_repo}@${extensions_image_manifest_digest}",
                                      "${registry_prod_repo}:${tag}-extensions")
                 }
                 for (tag in registry_prod_tags) {
-                    pipeutils.copy_image("${registry_staging_repo}:${registry_staging_tag}",
+                    pipeutils.copy_image("${registry_staging_repo}@${node_image_manifest_digest}",
                                      "${registry_prod_repo}:${tag}")
                 }
             }

utils.groovy

@@ -873,15 +873,22 @@ def push_manifest(digests, repo, manifest_tag) {
     for (digest in digests) {
         images += " --image=docker://${repo}@${digest}"
     }
+    def digest = ""
+    def digest_file = "${manifest_tag}.digestfile"
+    // save the digest to a file named after the tag we are pushing
+    push_args = ["--write-digest-to-file", digest_file]
     // arbitrarily selecting the s390x builder; we don't run this
     // locally because podman wants user namespacing (yes, even just
     // to push a manifest...)
     pipeutils.withPodmanRemoteArchBuilder(arch: "s390x") {
         shwrap("""
         cosa push-container-manifest \
-            --tag ${manifest_tag} --repo ${repo} ${images}
+            --tag ${manifest_tag} --repo ${repo} ${images} ${push_args.join(' ')}
         """)
     }
+    digest = readFile(digest_file)
+    shwrap("rm ${digest_file}")
+    return digest
 }
 
 def copy_image(src_image, dest_image, authfile = "") {
@@ -925,13 +932,15 @@ def build_and_push_image(params = [:]) {
 
     def secret = params.get('secret', "");
     def from = params.get('from', "");
+    def manifest_digest = ""
     def extra_build_args = params.get('extra_build_args', "");
 
     def digests = build_remote_image(params['arches'], params['src_commit'], params['src_url'], params['staging_repository'],
                                      params['image_tag_staging'], secret, from, extra_build_args)
     stage("Push Manifest") {
-        push_manifest(digests, params['staging_repository'], params['manifest_tag_staging'])
+        manifest_digest = push_manifest(digests, params['staging_repository'], params['manifest_tag_staging'])
     }
+    return manifest_digest
 }
 
 return this