Fix test expectations for cosign legacy tags on ghcr.io

Copilot · neilime · neilime · commit 9ac94e63e363 · 2025-10-27T16:13:26.000+01:00
Co-authored-by: neilime &lt;314088+neilime@users.noreply.github.com&gt;
diff --git a/.github/workflows/__test-workflow-docker-build-images.yml b/.github/workflows/__test-workflow-docker-build-images.yml
@@ -153,14 +153,19 @@ jobs:
             const taggedVersions = versions.filter(version => version.metadata.container.tags.length > 0);
             const untaggedVersions = versions.filter(version => version.metadata.container.tags.length === 0);
 
-            // Expected tagged version is always 1 (the main tag)
-            const expectedTaggedVersions = 1;
+            const platforms = JSON.parse(process.env.PLATFORMS);
+            const isSinglePlatform = platforms.length === 1;
+            const isSigned = process.env.SIGN === 'true';
+
+            // Expected tagged versions:
+            // - Always 1 for the main tag
+            // - Plus 1 for cosign legacy tag (sha256-...) when signed
+            //   Note: ghcr.io doesn't support OCI 1.1 referrers yet, so cosign falls back to legacy attachments
+            const expectedTaggedVersions = isSigned ? 2 : 1;
 
             // Expected untagged versions:
             // - For single platform: 0 (no multiarch manifest created)
             // - For multi platform: number of platforms (one per platform)
-            const platforms = JSON.parse(process.env.PLATFORMS);
-            const isSinglePlatform = platforms.length === 1;
             const expectedUntaggedVersions = isSinglePlatform ? 0 : platforms.length;
 
             assert.equal(
diff --git a/actions/docker/sign-images/action.yml b/actions/docker/sign-images/action.yml
@@ -91,6 +91,8 @@ runs:
           const annotationsArgs = tags.size > 0 ? `-a tag=${Array.from(tags).at(-1)}` : "";
           const imagesArgs = Array.from(imagesToSign).join(" ");
           // Use OCI 1.1 referrers mode to avoid creating legacy sha256-... tags
+          // Note: If the registry doesn't support OCI 1.1 referrers (like ghcr.io currently),
+          // cosign will fall back to legacy attachments and create a sha256-... tag
           const signImageCommand = `cosign sign ${annotationsArgs} --registry-referrers-mode=oci-1-1 --yes ${imagesArgs}`;
 
           core.debug(`Signing images with command: "${signImageCommand}"`);
