Optimize docker-build-images workflow to reduce package versions

Co-authored-by: neilime <314088+neilime@users.noreply.github.com>

Author: Copilot

.github/workflows/__test-workflow-docker-build-images.yml

@@ -153,11 +153,19 @@ jobs:
             const taggedVersions = versions.filter(version => version.metadata.container.tags.length > 0);
             const untaggedVersions = versions.filter(version => version.metadata.container.tags.length === 0);
 
-            // Expected tagged version is 1 for unsigned images (tag) and 2 for signed images (tag, cosing legacy tag sha256-...)
-            const expectedTaggedVersions = process.env.SIGN === 'true' ? 2 : 1;
-
-            // Expected untagged versions are 1 by platform for unsigned images and number of platforms + 1 (cosing legacy tag sha256-...) for signed images
-            const expectedUntaggedVersions = JSON.parse(process.env.PLATFORMS).length + (process.env.SIGN === 'true' ? 1 : 0);
+            // With optimizations:
+            // - No legacy cosign sha256-... tag is created anymore (using OCI 1.1 referrers)
+            // - Single platform images don't create a multiarch manifest
+            const platforms = JSON.parse(process.env.PLATFORMS);
+            const isSinglePlatform = platforms.length === 1;
+
+            // Expected tagged version is always 1 (the main tag)
+            const expectedTaggedVersions = 1;
+
+            // Expected untagged versions:
+            // - For single platform: 0 (no multiarch manifest created)
+            // - For multi platform: number of platforms (one per platform)
+            const expectedUntaggedVersions = isSinglePlatform ? 0 : platforms.length;
 
             assert.equal(
               taggedVersions.length,

actions/docker/create-images-manifests/action.yml

@@ -117,6 +117,30 @@ runs:
               return `${builtImage.registry}/${builtImage.repository}:${tag}`;
             });
 
+            // Skip multiarch manifest creation for single platform images
+            if (builtImage.platforms.length <= 1) {
+              core.info(`Skipping multiarch manifest creation for "${builtImage.name}" (single platform: ${builtImage.platforms[0] || 'none'})`);
+              
+              return new Promise(async (resolve, reject)  => {
+                try {
+                  // For single platform, just tag the existing image
+                  const sourceImage = builtImage.images[0];
+                  for (const targetImage of imagesWithTags) {
+                    const tagCommand = `docker buildx imagetools create --tag ${targetImage} ${sourceImage}`;
+                    await exec.exec(tagCommand);
+                    core.debug(`Tag single-platform image "${builtImage.name}" ("${tagCommand}") executed`);
+                  }
+
+                  // Update builtImage with the images with tags
+                  builtImage.images = imagesWithTags;
+
+                  resolve();
+                } catch(error){
+                  reject(error);
+                }
+              });
+            }
+
             const platformsOption = builtImage.platforms.map(platform => `--platform ${platform}`).join(" ");
 
             const tagsOption = imagesWithTags.map(image => {

actions/docker/sign-images/action.yml

@@ -88,7 +88,8 @@ runs:
           // Sign the images
           const annotationsArgs = tags.size > 0 ? `-a tag=${Array.from(tags).at(-1)}` : "";
           const imagesArgs = Array.from(imagesToSign).join(" ");
-          const signImageCommand = `cosign sign ${annotationsArgs} --yes ${imagesArgs}`;
+          // Use OCI 1.1 referrers mode to avoid creating legacy sha256-... tags
+          const signImageCommand = `cosign sign ${annotationsArgs} --registry-referrers-mode=oci-1-1 --yes ${imagesArgs}`;
 
           core.debug(`Signing images with command: "${signImageCommand}"`);
           await exec.exec(signImageCommand);