Move manifest list creation to Post_Build, copy via ACR import#2030
Draft
lbussell wants to merge 1 commit intodotnet:mainfrom
Draft
Move manifest list creation to Post_Build, copy via ACR import#2030lbussell wants to merge 1 commit intodotnet:mainfrom
lbussell wants to merge 1 commit intodotnet:mainfrom
Conversation
Add createManifestList command that runs in Post_Build after mergeImageInfo to create Docker manifest lists, push them, and record their digests in image-info.json. This enables manifest list signing by ensuring digests are present before the Sign stage. Extract ManifestListHelper to determine which manifest lists to create based on which platforms were actually built, preventing manifest lists from referencing unbuilt images. Extend CopyAcrImagesCommand to copy manifest list shared tags alongside platform tags via ACR import, making Publish a pure copy stage. Remove PublishManifestCommand - no longer needed. Fixes: dotnet#2002 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Moves Docker manifest list creation earlier in the pipeline (Post_Build) so manifest list digests are available in image-info.json before the Sign stage, and updates publish copying to include those manifest lists via ACR import.
Changes:
- Add
CreateManifestListCommand(Post_Build) to create/push manifest lists and write their digests intoimage-info.json. - Extend
CopyAcrImagesCommandto also import/copy manifest list shared tags (including syndicated tags). - Extract manifest list selection logic into
ManifestListHelperand removePublishManifestCommand(and its options/tests).
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| src/ImageBuilder/ManifestListHelper.cs | New helper to compute which manifest lists to create based on built/changed platforms. |
| src/ImageBuilder/ImageBuilder.cs | Registers CreateManifestListCommand and removes PublishManifestCommand from DI. |
| src/ImageBuilder/Commands/PublishManifestOptions.cs | Removed (no longer needed after moving manifest list creation). |
| src/ImageBuilder/Commands/PublishManifestCommand.cs | Removed (publish stage no longer creates manifests). |
| src/ImageBuilder/Commands/CreateManifestListOptions.cs | New CLI options for the Post_Build manifest list creation command. |
| src/ImageBuilder/Commands/CreateManifestListCommand.cs | New command to create/push manifest lists and persist digests to image-info.json. |
| src/ImageBuilder/Commands/CopyAcrImagesCommand.cs | Adds ACR import of manifest list tags in addition to platform tags. |
| src/ImageBuilder.Tests/PublishManifestCommandTests.cs | Removed tests for the deleted command. |
| src/ImageBuilder.Tests/ManifestListHelperTests.cs | New unit tests for manifest list selection logic. |
| src/ImageBuilder.Tests/CreateManifestListCommandTests.cs | New unit tests for manifest list creation + digest recording. |
| src/ImageBuilder.Tests/CopyAcrImagesCommandTests.cs | Adds coverage for copying manifest list tags (including syndicated tags). |
You can also share your feedback on Copilot code review. Take the survey.
Comment on lines
+175
to
+178
| destinationTag = TagInfo.GetFullyQualifiedName( | ||
| $"{Manifest.Registry}/{Options.RepoPrefix}{tagInfo.SyndicatedRepo}", | ||
| syndicatedDestinationTagName); | ||
| yield return (sourceTag, destinationTag); |
| { | ||
| return tags | ||
| .Select(tag => BuildManifestListInfo(repo, image, imageArtifactDetails, tag, getImageName, getTagRepresentative)) | ||
| .Where(manifestListInfo => manifestListInfo is not null)!; |
Comment on lines
+95
to
+108
| IEnumerable<ImageData> images = imageArtifactDetails.Repos | ||
| .SelectMany(repo => repo.Images) | ||
| .Where(image => image.Manifest != null); | ||
|
|
||
| foreach (ImageData image in images) | ||
| { | ||
| image.Manifest.Created = createdDate; | ||
|
|
||
| TagInfo sharedTag = image.ManifestImage.SharedTags.First(); | ||
|
|
||
| image.Manifest.Digest = DockerHelper.GetDigestString( | ||
| image.ManifestRepo.FullModelName, | ||
| await _manifestService.Value.GetManifestDigestShaAsync( | ||
| sharedTag.FullyQualifiedName, Options.IsDryRun)); |
| using System.Collections.Generic; | ||
| using System.IO; | ||
| using System.Linq; | ||
| using Microsoft.DotNet.ImageBuilder.Commands; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR makes the following changes:
Fixes: #2002
The move-manifest-list-pipelines branch is companion to this one, and contains the pipeline changes necessary for these changes.
I validated these changes internally using the imagebuilder unofficial pipeline (build#2928726), and confirmed that manifest lists were signed (with test signatures) in the staging (test) ACR and that the signatures were copied across to the prod (test) ACR.