fix(ci): fix workflow build-push-images.yaml to get the digest for single-platform images #1546

Merged
chengfang merged 1 commit into argoproj-labs:master from chengfang:docker.build.workflow.parent.image
Mar 18, 2026

@chengfang (Collaborator) commented Mar 18, 2026

Fixes #1543

I tested with my fork and personal quay https://quay.io/repository/cfang/argocd-image-updater?tab=tags

Summary by CodeRabbit

  • Chores

    • Enhanced image build workflow with improved digest handling for multi-architecture and single-platform images, including validation safeguards to ensure digest accuracy.
  • Documentation

    • Expanded workflow documentation clarifying digest resolution approaches and rationale.

…ngle-platform images

Signed-off-by: Cheng Fang <cfang@redhat.com>

coderabbitai bot commented Mar 18, 2026

Walkthrough

Modified the build-push-images GitHub Actions workflow to improve digest extraction for multi-architecture images. The change introduces manifest list detection and switches from docker buildx imagetools inspect to docker manifest inspect with jq-based digest extraction, including validation for non-empty digests.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Build workflow digest handling: .github/workflows/build-push-images.yaml | Added logic to detect and handle manifest lists by extracting digests for requested architectures. Replaced digest extraction method using docker manifest inspect --verbose and jq. Includes validation to ensure extracted digests are non-empty and non-null before outputting image@digest references. |

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: fixing the workflow to obtain image digests for single-platform images, which directly addresses the core objective. |
| Linked Issues check | ✅ Passed | The changes implement digest extraction for single-platform images via docker manifest inspect and jq, directly fixing the workflow issue preventing parent image updates as required by #1543. |
| Out of Scope Changes check | ✅ Passed | All changes are scoped to the build-push-images.yaml workflow file and focus solely on fixing the digest extraction mechanism for single-platform images, directly aligned with the stated objective. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
.github/workflows/build-push-images.yaml (1)

106-109: Filter manifest-list selection by OS as well as architecture.

This branch currently matches only architecture. If the tag ever points to multiple OS variants for the same arch, it can select the wrong digest.

♻️ Proposed hardening
-              digest=$(echo "${inspect}" | jq -r --arg a "${arch}" '.manifests[] | select(.platform.architecture == $a) | .digest' | head -n1)
-              [ -n "${digest}" ] && echo "${IMAGE_NAME}@${digest}" || return 1
+              digest=$(echo "${inspect}" | jq -r --arg a "${arch}" '.manifests[] | select(.platform.architecture == $a and .platform.os == "linux") | .digest' | head -n1)
+              [ -n "${digest}" ] && [ "${digest}" != "null" ] && echo "${IMAGE_NAME}@${digest}" || return 1
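Review bot: in the replacement `digest=` line, `head -n1` still silently takes the first match, so if two entries in `.manifests[]` share the same architecture and OS the chosen digest depends on manifest order; consider failing when the filter yields more than one digest instead of truncating. The OS is also hardcoded as "linux" here while the accompanying text suggests passing it through a jq `--arg`; choose one form so the snippet and its description agree.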
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-push-images.yaml around lines 106 - 109, The
manifest selection currently filters only by architecture using the jq
expression on variable inspect and arch and may pick the wrong digest when
multiple OS variants exist; update the jq filter to also match the OS (e.g., use
an additional variable like os and select(.platform.architecture == $a and
.platform.os == $o)), pass the desired OS value into jq (from a shell variable
such as OS or PLATFORM_OS), and then assign the result back into digest so the
script echoes IMAGE_NAME@digest only for the matching arch+os manifest.


📥 Commits

Reviewing files that changed from the base of the PR and between 094bea6 and 995b958.

📒 Files selected for processing (1)
  • .github/workflows/build-push-images.yaml
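
The digest selection discussed in the review above, as an added example that is not part of this PR or the project's workflow: it matches manifest-list entries on both architecture and OS, fails on ambiguity instead of taking the first match, and validates the digest before building the `image@digest` reference. The names `resolve_digest`, `SAMPLE_INDEX` and `SAMPLE_SINGLE`, the `registry.example` reference and the single-platform JSON shape (digest under `Descriptor`) are assumptions, and both samples are constructed.

```python
import json
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample: a manifest list where a windows entry shares the
# amd64 architecture with a linux entry and is listed first.
SAMPLE_INDEX = json.dumps({"manifests": [
    {"digest": "sha256:" + "a" * 64,
     "platform": {"architecture": "amd64", "os": "windows"}},
    {"digest": "sha256:" + "b" * 64,
     "platform": {"architecture": "amd64", "os": "linux"}},
    {"digest": "sha256:" + "c" * 64,
     "platform": {"architecture": "arm64", "os": "linux"}},
]})

# Constructed sample: inspect output for a single-platform image
# (assumed shape: the digest sits under "Descriptor").
SAMPLE_SINGLE = json.dumps({
    "Ref": "registry.example/app:latest",
    "Descriptor": {"digest": "sha256:" + "d" * 64,
                   "platform": {"architecture": "amd64", "os": "linux"}},
})


def resolve_digest(inspect_json, image, arch, os_name="linux"):
    """Return image@digest for arch/os_name, or raise ValueError."""
    doc = json.loads(inspect_json)
    if isinstance(doc, dict) and "manifests" in doc:
        # Manifest list: match on both architecture and OS.
        found = [m.get("digest") for m in doc["manifests"]
                 if m.get("platform", {}).get("architecture") == arch
                 and m.get("platform", {}).get("os") == os_name]
        if len(found) != 1:
            raise ValueError(f"{len(found)} manifests match {os_name}/{arch}")
        digest = found[0]
    elif isinstance(doc, dict) and "Descriptor" in doc:
        # Single-platform image: only one digest is available.
        digest = doc["Descriptor"].get("digest")
    else:
        raise ValueError("unrecognised inspect output")
    # Rejects None, "", "null" and anything that is not a sha256 digest.
    if not isinstance(digest, str) or not DIGEST_RE.match(digest):
        raise ValueError(f"invalid digest: {digest!r}")
    return f"{image}@{digest}"
```

With an architecture-only filter followed by `head -n1`, the amd64 lookup on `SAMPLE_INDEX` would return the windows entry, because it is listed first.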

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.65%. Comparing base (c1674be) to head (995b958).
⚠️ Report is 63 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1546      +/-   ##
==========================================
+ Coverage   71.48%   73.65%   +2.17%     
==========================================
  Files          50       53       +3     
  Lines        4667     5129     +462     
==========================================
+ Hits         3336     3778     +442     
- Misses       1133     1145      +12     
- Partials      198      206       +8     


@chengfang chengfang merged commit 8247fea into argoproj-labs:master Mar 18, 2026
12 checks passed

Successfully merging this pull request may close these issues.

quay.io parent image not updated