newrelic
diff --git a/‎cmd/agent-metadata-action/main.go‎
Lines changed: 24 additions & 33 deletions b/‎cmd/agent-metadata-action/main.go‎
Lines changed: 24 additions & 33 deletions
diff --git a/‎cmd/agent-metadata-action/main_test.go‎
Lines changed: 25 additions & 33 deletions b/‎cmd/agent-metadata-action/main_test.go‎
Lines changed: 25 additions & 33 deletions
diff --git a/‎internal/models/binary.go‎
Lines changed: 2 additions & 2 deletions b/‎internal/models/binary.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎internal/models/binary_test.go‎
Lines changed: 4 additions & 4 deletions b/‎internal/models/binary_test.go‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎internal/oci/client.go‎
Lines changed: 36 additions & 27 deletions b/‎internal/oci/client.go‎
Lines changed: 36 additions & 27 deletions
@@ -33,7 +33,9 @@ var createMetadataClientFunc = func(baseURL, token string) metadataClient {
 
 // ociHandleUploadsFunc is a variable that holds the function to handle OCI uploads
 // This allows tests to override the implementation
-var ociHandleUploadsFunc = oci.HandleUploads
+var ociHandleUploadsFunc = func(ctx context.Context, ociConfig *models.OCIConfig, workspace, version string) (string, error) {
+	return oci.HandleUploads(ctx, ociConfig, workspace, version)
+}
 
 // initNewRelic initializes the New Relic application
 // Returns nil if APM_CONTROL_NR_LICENSE_KEY is not set (silent no-op mode)
@@ -238,41 +240,30 @@ func runAgentFlow(ctx context.Context, client metadataClient, workspace, agentTy
 		return fmt.Errorf("error loading OCI config: %w", err)
 	}
 
-	// Step 2: Upload binaries
-	uploadResults, err := ociHandleUploadsFunc(ctx, &ociConfig, workspace, agentType, agentVersion)
-	if err != nil {
-		return fmt.Errorf("binary upload failed: %w", err)
-	}
-
-	// Step 3: Sign all uploaded artifacts
 	if ociConfig.IsEnabled() {
-		successfulUploads := []models.ArtifactUploadResult{}
-		for _, result := range uploadResults {
-			if result.Uploaded {
-				successfulUploads = append(successfulUploads, result)
-			}
+		// Step 2: Upload binaries
+		indexDigest, err := ociHandleUploadsFunc(ctx, &ociConfig, workspace, agentVersion)
+		if err != nil {
+			return fmt.Errorf("binary upload failed: %w", err)
+		}
+
+		// Step 3: Sign the manifest index
+		githubRepo := config.GetRepo()
+		if githubRepo == "" {
+			return fmt.Errorf("GITHUB_REPOSITORY environment variable is required for artifact signing")
+		}
+
+		// Extract repository name from full path (e.g., "agent-metadata-action" from "newrelic/agent-metadata-action")
+		repoParts := strings.Split(githubRepo, "/")
+		repoName := repoParts[len(repoParts)-1]
+
+		token := config.GetToken()
+		if token == "" {
+			return fmt.Errorf("NEWRELIC_TOKEN is required for artifact signing")
 		}
 
-		if len(successfulUploads) > 0 {
-			githubRepo := config.GetRepo()
-			if githubRepo == "" {
-				return fmt.Errorf("GITHUB_REPOSITORY environment variable is required for artifact signing")
-			}
-
-			// Extract repository name from full path (e.g., "agent-metadata-action" from "newrelic/agent-metadata-action")
-			repoParts := strings.Split(githubRepo, "/")
-			repoName := repoParts[len(repoParts)-1]
-
-			token := config.GetToken()
-			if token == "" {
-				return fmt.Errorf("NEWRELIC_TOKEN is required for artifact signing")
-			}
-
-			if err := sign.SignArtifacts(ctx, successfulUploads, ociConfig.Registry, token, repoName, agentVersion); err != nil {
-				return fmt.Errorf("artifact signing failed: %w", err)
-			}
-		} else {
-			logging.Warn(ctx, "OCI registry is enabled but no artifacts were successfully uploaded")
+		if err := sign.SignIndex(ctx, ociConfig.Registry, indexDigest, agentVersion, token, repoName); err != nil {
+			return fmt.Errorf("artifact signing failed: %w", err)
 		}
 	}
 
 
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -585,12 +586,10 @@ func TestRunAgentFlow_SigningSuccess_SingleArtifact(t *testing.T) {
 	}
 	defer func() { createMetadataClientFunc = originalCreateClient }()
 
-	// Mock OCI handler to return 1 successful upload
+	// Mock OCI handler to return index digest
 	originalOCIHandler := ociHandleUploadsFunc
-	ociHandleUploadsFunc = func(ctx context.Context, cfg *models.OCIConfig, workspace, agentType, version string) ([]models.ArtifactUploadResult, error) {
-		return []models.ArtifactUploadResult{
-			createSuccessfulUploadResult("linux-tar", "sha256:abc123", "v1.2.3-linux-amd64"),
-		}, nil
+	ociHandleUploadsFunc = func(ctx context.Context, cfg *models.OCIConfig, workspace, version string) (string, error) {
+		return "sha256:index123", nil
 	}
 	defer func() { ociHandleUploadsFunc = originalOCIHandler }()
 
@@ -604,14 +603,14 @@ func TestRunAgentFlow_SigningSuccess_SingleArtifact(t *testing.T) {
 		assert.Equal(t, "/v1/signing/agent-metadata-action/sign", r.URL.Path)
 		assert.Equal(t, "Bearer test-token", r.Header.Get("Authorization"))
 
-		// Validate request body
+		// Validate request body - should be signing the manifest index
 		body, _ := io.ReadAll(r.Body)
 		var signingReq models.SigningRequest
 		json.Unmarshal(body, &signingReq)
 		assert.Equal(t, "docker.io", signingReq.Registry)
 		assert.Equal(t, "newrelic/agents", signingReq.Repository)
-		assert.Equal(t, "v1.2.3-linux-amd64", signingReq.Tag)
-		assert.Equal(t, "sha256:abc123", signingReq.Digest)
+		assert.Equal(t, "1.2.3", signingReq.Tag)
+		assert.Equal(t, "sha256:index123", signingReq.Digest)
 
 		w.WriteHeader(http.StatusOK)
 		w.Write([]byte(`{"success": true}`))
@@ -649,10 +648,9 @@ func TestRunAgentFlow_SigningSuccess_SingleArtifact(t *testing.T) {
 	// Verify signing requests
 	assert.Equal(t, 1, requestCount, "Should have made 1 signing request")
 
-	// Verify logging
-	assert.Contains(t, outputStr, "Starting artifact signing for 1 artifacts")
-	assert.Contains(t, outputStr, "Successfully signed artifact linux-tar")
-	assert.Contains(t, outputStr, "Artifact signing complete: 1/1 signed successfully")
+	// Verify logging - now signing the manifest index
+	assert.Contains(t, outputStr, "Starting manifest index signing")
+	assert.Contains(t, outputStr, "Successfully signed manifest index")
 	assert.NotContains(t, stderrStr, "::error::")
 }
 
@@ -666,8 +664,9 @@ func TestRunAgentFlow_SigningDisabled_OCINotEnabled(t *testing.T) {
 
 	// Mock OCI handler should not be called since OCI is disabled
 	originalOCIHandler := ociHandleUploadsFunc
-	ociHandleUploadsFunc = func(ctx context.Context, cfg *models.OCIConfig, workspace, agentType, version string) ([]models.ArtifactUploadResult, error) {
-		return []models.ArtifactUploadResult{}, nil
+	ociHandleUploadsFunc = func(ctx context.Context, cfg *models.OCIConfig, workspace, version string) (string, error) {
+		t.Fatal("OCI handler should not be called when OCI is disabled")
+		return "", nil
 	}
 	defer func() { ociHandleUploadsFunc = originalOCIHandler }()
 
@@ -706,7 +705,7 @@ func TestRunAgentFlow_SigningDisabled_OCINotEnabled(t *testing.T) {
 
 	// Verify NO signing requests were made
 	assert.Equal(t, 0, requestCount, "Should have made 0 signing requests")
-	assert.NotContains(t, outputStr, "Starting artifact signing")
+	assert.NotContains(t, outputStr, "Starting manifest index signing")
 	assert.NotContains(t, stderrStr, "::error::")
 }
 
@@ -718,13 +717,10 @@ func TestRunAgentFlow_SigningSkipped_AllUploadsFailed(t *testing.T) {
 	}
 	defer func() { createMetadataClientFunc = originalCreateClient }()
 
-	// Mock OCI handler to return only failed uploads
+	// Mock OCI handler to return error (fail-fast behavior)
 	originalOCIHandler := ociHandleUploadsFunc
-	ociHandleUploadsFunc = func(ctx context.Context, cfg *models.OCIConfig, workspace, agentType, version string) ([]models.ArtifactUploadResult, error) {
-		return []models.ArtifactUploadResult{
-			createFailedUploadResult("linux-tar"),
-			createFailedUploadResult("windows-zip"),
-		}, nil
+	ociHandleUploadsFunc = func(ctx context.Context, cfg *models.OCIConfig, workspace, version string) (string, error) {
+		return "", fmt.Errorf("artifact upload failed for linux-tar: upload error")
 	}
 	defer func() { ociHandleUploadsFunc = originalOCIHandler }()
 
@@ -756,17 +752,15 @@ func TestRunAgentFlow_SigningSkipped_AllUploadsFailed(t *testing.T) {
 	mockClient := &mockMetadataClient{}
 	err = runAgentFlow(ctx, mockClient, workspace, "java", "1.2.3")
 
-	// Verify success (signing is skipped but flow continues)
-	require.NoError(t, err)
+	// Verify error (fail-fast behavior)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "binary upload failed")
 
 	outputStr := getStdout()
 
 	// Verify NO signing requests were made
 	assert.Equal(t, 0, requestCount, "Should have made 0 signing requests")
-
-	// Verify warning was logged
-	assert.Contains(t, outputStr, "OCI registry is enabled but no artifacts were successfully uploaded")
-	assert.NotContains(t, outputStr, "Starting artifact signing")
+	assert.NotContains(t, outputStr, "Starting manifest index signing")
 }
 
 func TestRunAgentFlow_SigningError_ServiceFailure(t *testing.T) {
@@ -777,12 +771,10 @@ func TestRunAgentFlow_SigningError_ServiceFailure(t *testing.T) {
 	}
 	defer func() { createMetadataClientFunc = originalCreateClient }()
 
-	// Mock OCI handler to return 1 successful upload
+	// Mock OCI handler to return index digest
 	originalOCIHandler := ociHandleUploadsFunc
-	ociHandleUploadsFunc = func(ctx context.Context, cfg *models.OCIConfig, workspace, agentType, version string) ([]models.ArtifactUploadResult, error) {
-		return []models.ArtifactUploadResult{
-			createSuccessfulUploadResult("linux-tar", "sha256:abc123", "v1.2.3-linux-amd64"),
-		}, nil
+	ociHandleUploadsFunc = func(ctx context.Context, cfg *models.OCIConfig, workspace, version string) (string, error) {
+		return "sha256:index123", nil
 	}
 	defer func() { ociHandleUploadsFunc = originalOCIHandler }()
 
@@ -825,5 +817,5 @@ func TestRunAgentFlow_SigningError_ServiceFailure(t *testing.T) {
 	assert.Equal(t, 3, requestCount, "Should have made 3 signing requests (retries)")
 	assert.Contains(t, outputStr, "Signing attempt 1 failed")
 	assert.Contains(t, outputStr, "Signing attempt 2 failed")
-	assert.Contains(t, outputStr, "Failed to sign artifact linux-tar after 3 attempts")
+	assert.Contains(t, outputStr, "Failed to sign manifest index after 3 attempts")
 }
@@ -63,11 +63,11 @@ func (a *ArtifactDefinition) Validate() error {
 }
 
 func (a *ArtifactDefinition) GetMediaType() string {
-	return fmt.Sprintf("application/vnd.newrelic.agent.v1+%s", a.Format)
+	return fmt.Sprintf("application/vnd.newrelic.agent.content.v1.%s", a.Format)
 }
 
 func (a *ArtifactDefinition) GetArtifactType() string {
-	return fmt.Sprintf("application/vnd.newrelic.agent.v1+%s", a.Format)
+	return "application/vnd.newrelic.agent.v1"
 }
 
 func (a *ArtifactDefinition) GetPlatformString() string {
 
@@ -190,9 +190,9 @@ func TestArtifactDefinition_GetMediaType(t *testing.T) {
 		format   string
 		expected string
 	}{
-		{"tar", "application/vnd.newrelic.agent.v1+tar"},
-		{"tar+gzip", "application/vnd.newrelic.agent.v1+tar+gzip"},
-		{"zip", "application/vnd.newrelic.agent.v1+zip"},
+		{"tar", "application/vnd.newrelic.agent.content.v1.tar"},
+		{"tar+gzip", "application/vnd.newrelic.agent.content.v1.tar+gzip"},
+		{"zip", "application/vnd.newrelic.agent.content.v1.zip"},
 	}
 
 	for _, tt := range tests {
@@ -205,7 +205,7 @@ func TestArtifactDefinition_GetMediaType(t *testing.T) {
 
 func TestArtifactDefinition_GetArtifactType(t *testing.T) {
 	artifact := ArtifactDefinition{Format: "tar+gzip"}
-	assert.Equal(t, "application/vnd.newrelic.agent.v1+tar+gzip", artifact.GetArtifactType())
+	assert.Equal(t, "application/vnd.newrelic.agent.v1", artifact.GetArtifactType())
 }
 
 func TestArtifactDefinition_GetPlatformString(t *testing.T) {
 
@@ -55,71 +55,82 @@ func NewClient(ctx context.Context, registry, username, password string) (*Clien
 	}, nil
 }
 
-func (c *Client) UploadArtifact(ctx context.Context, artifact *models.ArtifactDefinition, artifactPath, agentType, version string) (string, int64, string, error) {
+func (c *Client) UploadArtifact(ctx context.Context, artifact *models.ArtifactDefinition, artifactPath, version string) (string, int64, error) {
 	tempDir, err := os.MkdirTemp("", "oras-upload-*")
 	if err != nil {
-		return "", 0, "", fmt.Errorf("failed to create temp directory: %w", err)
+		return "", 0, fmt.Errorf("failed to create temp directory: %w", err)
 	}
 	defer os.RemoveAll(tempDir)
 
 	fs, err := file.New(tempDir)
 	if err != nil {
-		return "", 0, "", fmt.Errorf("failed to create file store: %w", err)
+		return "", 0, fmt.Errorf("failed to create file store: %w", err)
 	}
 	defer fs.Close()
 
 	layerAnnotations := CreateLayerAnnotations(artifact, version)
 
 	layerDesc, err := fs.Add(ctx, artifact.Name, artifact.GetMediaType(), artifactPath)
 	if err != nil {
-		return "", 0, "", fmt.Errorf("failed to add file to store: %w", err)
+		return "", 0, fmt.Errorf("failed to add file to store: %w", err)
 	}
 
 	layerDesc.Annotations = layerAnnotations
 
 	manifestAnnotations := CreateManifestAnnotations()
 
-	emptyConfig := []byte("{}")
-	emptyConfigDesc := ocispec.Descriptor{
-		MediaType: "application/vnd.oci.empty.v1+json",
-		Digest:    digest.FromBytes(emptyConfig),
-		Size:      int64(len(emptyConfig)),
+	// Create config with platform information for multi-arch support
+	config := map[string]string{
+		"architecture": artifact.Arch,
+		"os":           artifact.OS,
+	}
+	configBytes, err := json.Marshal(config)
+	if err != nil {
+		return "", 0, fmt.Errorf("failed to marshal config: %w", err)
+	}
+
+	configDesc := ocispec.Descriptor{
+		MediaType: "application/vnd.newrelic.agent.config.v1+json",
+		Digest:    digest.FromBytes(configBytes),
+		Size:      int64(len(configBytes)),
 	}
 
-	if err = fs.Push(ctx, emptyConfigDesc, bytes.NewReader(emptyConfig)); err != nil {
-		return "", 0, "", fmt.Errorf("failed to push empty config: %w", err)
+	if err = fs.Push(ctx, configDesc, bytes.NewReader(configBytes)); err != nil {
+		return "", 0, fmt.Errorf("failed to push config: %w", err)
 	}
 
 	artifactType := artifact.GetArtifactType()
 	packOpts := oras.PackManifestOptions{
-		ConfigDescriptor:    &emptyConfigDesc,
+		ConfigDescriptor:    &configDesc,
 		Layers:              []ocispec.Descriptor{layerDesc},
 		ManifestAnnotations: manifestAnnotations,
 	}
 
 	manifestDesc, err := oras.PackManifest(ctx, fs, oras.PackManifestVersion1_1, artifactType, packOpts)
 	if err != nil {
-		return "", 0, "", fmt.Errorf("failed to pack manifest: %w", err)
+		return "", 0, fmt.Errorf("failed to pack manifest: %w", err)
 	}
 
-	artifactTag := fmt.Sprintf("%s-%s-%s", version, artifact.OS, artifact.Arch)
-
-	// Tag in file store so we can reference it during copy
-	if err = fs.Tag(ctx, manifestDesc, artifactTag); err != nil {
-		return "", 0, "", fmt.Errorf("failed to tag manifest: %w", err)
+	// Tag manifest in file store with a temporary tag so it can be referenced during copy
+	tempTag := "temp-manifest"
+	if err = fs.Tag(ctx, manifestDesc, tempTag); err != nil {
+		return "", 0, fmt.Errorf("failed to tag manifest in file store: %w", err)
 	}
 
-	copyCtx, cancel := context.WithTimeout(ctx, 5*time.Minute)
+	pushCtx, cancel := context.WithTimeout(ctx, 5*time.Minute)
 	defer cancel()
 
+	logging.Debugf(ctx, "Pushing artifact %s to registry by digest (digest: %s)", artifact.Name, manifestDesc.Digest.String())
+
+	// Copy manifest and blobs to remote registry by digest
 	copyOpts := oras.CopyOptions{}
-	logging.Debugf(ctx, "Copying artifact %s to registry with tag %s (digest: %s)", artifact.Name, artifactTag, manifestDesc.Digest.String())
-	if _, err = oras.Copy(copyCtx, fs, artifactTag, c.repo, artifactTag, copyOpts); err != nil {
-		return "", 0, "", fmt.Errorf("failed to copy artifact to registry: %w", err)
+	digestRef := manifestDesc.Digest.String()
+	if _, err = oras.Copy(pushCtx, fs, tempTag, c.repo, digestRef, copyOpts); err != nil {
+		return "", 0, fmt.Errorf("failed to push artifact to registry: %w", err)
 	}
 
-	logging.Debugf(ctx, "Successfully uploaded artifact with tag %s", artifactTag)
-	return manifestDesc.Digest.String(), manifestDesc.Size, artifactTag, nil
+	logging.Debugf(ctx, "Successfully uploaded artifact by digest: %s", manifestDesc.Digest.String())
+	return manifestDesc.Digest.String(), manifestDesc.Size, nil
 }
 
 func (c *Client) CreateManifestIndex(ctx context.Context, uploadResults []models.ArtifactUploadResult, version string) (string, error) {
@@ -141,14 +152,12 @@ func (c *Client) CreateManifestIndex(ctx context.Context, uploadResults []models
 			Architecture: result.Arch,
 		}
 
-		artifactType := fmt.Sprintf("application/vnd.newrelic.agent.v1+%s", result.Format)
-
 		manifest := ocispec.Descriptor{
 			MediaType:    ocispec.MediaTypeImageManifest,
 			Digest:       digest,
 			Size:         result.Size,
 			Platform:     platform,
-			ArtifactType: artifactType,
+			ArtifactType: "application/vnd.newrelic.agent.v1",
 		}
 
 		manifests = append(manifests, manifest)
Original file line number	Diff line number	Diff line change
`@@ -63,11 +63,11 @@ func (a *ArtifactDefinition) Validate() error {`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`func (a *ArtifactDefinition) GetMediaType() string {`
`66`		`- return fmt.Sprintf("application/vnd.newrelic.agent.v1+%s", a.Format)`
	`66`	`+ return fmt.Sprintf("application/vnd.newrelic.agent.content.v1.%s", a.Format)`
`67`	`67`	`}`
`68`	`68`
`69`	`69`	`func (a *ArtifactDefinition) GetArtifactType() string {`
`70`		`- return fmt.Sprintf("application/vnd.newrelic.agent.v1+%s", a.Format)`
	`70`	`+ return "application/vnd.newrelic.agent.v1"`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`func (a *ArtifactDefinition) GetPlatformString() string {`