feat: add ability to find the latest docker image SHA (#2539)

Towards #2342

Fixes #2545

---------

Signed-off-by: Jeff Ching <[email protected]>
Co-authored-by: Cody Oss <[email protected]>

Author: chingor13

go.mod

@@ -3,6 +3,7 @@ module github.com/googleapis/librarian
 go 1.25.0
 
 require (
+	cloud.google.com/go/artifactregistry v1.17.2
 	cloud.google.com/go/cloudbuild v1.23.0
 	cloud.google.com/go/iam v1.5.2
 	cloud.google.com/go/longrunning v0.6.7

go.sum

@@ -1,5 +1,7 @@
 cloud.google.com/go v0.122.0 h1:0JTLGrcSIs3HIGsgVPvTx3cfyFSP/k9CI8vLPHTd6Wc=
 cloud.google.com/go v0.122.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
+cloud.google.com/go/artifactregistry v1.17.2 h1:Gx5vsnIFEx+obM1VdtMF2AuTraYESRCrBxvc9+6jBZg=
+cloud.google.com/go/artifactregistry v1.17.2/go.mod h1:h4CIl9TJZskg9c9u1gC9vTsOTo1PrAnnxntprqS3AjM=
 cloud.google.com/go/auth v0.16.5 h1:mFWNQ2FEVWAliEQWpAdH80omXFokmrnbDhUS9cBywsI=
 cloud.google.com/go/auth v0.16.5/go.mod h1:utzRfHMP+Vv0mpOkTRQoWD2q3BatTOoWbA7gCc2dUhQ=
 cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=

internal/images/images.go

@@ -0,0 +1,167 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package images provides operations around docker images.
+package images
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"strings"
+
+	artifactregistry "cloud.google.com/go/artifactregistry/apiv1"
+	artifactregistrypb "cloud.google.com/go/artifactregistry/apiv1/artifactregistrypb"
+)
+
+// ArtifactRegistryClient is the implementation of ImageRegistryClient
+// to interact with Artifact Registry.
+type ArtifactRegistryClient struct {
+	client *artifactregistry.Client
+}
+
+// containerImage is a data structure for parsing Docker image parameters.
+type containerImage struct {
+	// Name is the short name of the docker image.
+	Name string
+	// Tag is the named tag of the docker image.
+	Tag string
+	// SHA is the SHA256 (e.g. `sha256:abcd1234`).
+	SHA string
+	// Location is the Artifact Registry location (e.g. `us-central1`).
+	Location string
+	// Project is the name of the GCP project that holds the AR repository.
+	Project string
+	// Repository is the name of the AR repository.
+	Repository string
+}
+
+// BaseName returns the image name without a pinned SHA or tag.
+func (i *containerImage) BaseName() string {
+	return fmt.Sprintf("%s-docker.pkg.dev/%s/%s/%s", i.Location, i.Project, i.Repository, i.Name)
+}
+
+// String returns the image name with pinned SHA or tag.
+func (i *containerImage) String() string {
+	var b strings.Builder
+	b.WriteString(i.BaseName())
+	if i.SHA != "" {
+		b.WriteString("@")
+		b.WriteString(i.SHA)
+	} else if i.Tag != "" {
+		b.WriteString(":")
+		b.WriteString(i.Tag)
+	}
+	return b.String()
+}
+
+// NewArtifactRegistryClient creates a new ArtifactRegistryClient.
+func NewArtifactRegistryClient(ctx context.Context) (*ArtifactRegistryClient, error) {
+	client, err := artifactregistry.NewClient(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return &ArtifactRegistryClient{
+		client: client,
+	}, nil
+}
+
+// Close cleans up any open resources.
+func (c *ArtifactRegistryClient) Close() error {
+	return c.client.Close()
+}
+
+// FindLatest returns the latest docker image given a current image.
+func (c *ArtifactRegistryClient) FindLatest(ctx context.Context, imageName string) (string, error) {
+	image, err := parseImage(imageName)
+	if err != nil {
+		return "", err
+	}
+
+	if c.client == nil {
+		return "", fmt.Errorf("no client configured")
+	}
+
+	it := c.client.ListVersions(ctx, &artifactregistrypb.ListVersionsRequest{
+		Parent:  fmt.Sprintf("projects/%s/locations/%s/repositories/%s/packages/%s", image.Project, image.Location, image.Repository, image.Name),
+		View:    artifactregistrypb.VersionView_FULL,
+		OrderBy: "create_time DESC",
+	})
+	version, err := it.Next()
+	if err != nil {
+		return "", err
+	}
+	slog.Info("Found packages version", "version", version.GetName())
+
+	// latest SHA is found as the "subjectDigest" metadata field
+	latestSha := ""
+	for key, field := range version.GetMetadata().GetFields() {
+		if key == "subjectDigest" {
+			slog.Info("Found SHA", "sha", field.GetStringValue())
+			latestSha = field.GetStringValue()
+			break
+		}
+	}
+
+	if latestSha == "" {
+		return "", fmt.Errorf("failed to find updated SHA for latest version: %s", version.GetName())
+	}
+
+	newImage := &containerImage{
+		Name:       image.Name,
+		Location:   image.Location,
+		Repository: image.Repository,
+		Project:    image.Project,
+		SHA:        latestSha,
+	}
+	return newImage.String(), nil
+}
+
+func parseImage(pinnedImage string) (*containerImage, error) {
+	parsedImage := &containerImage{}
+	baseName := ""
+
+	atParts := strings.Split(pinnedImage, "@")
+	colonParts := strings.Split(pinnedImage, ":")
+	if len(atParts) == 2 {
+		baseName = atParts[0]
+		parsedImage.SHA = atParts[1]
+	} else if len(colonParts) == 2 {
+		baseName = colonParts[0]
+		parsedImage.Tag = colonParts[1]
+	}
+
+	if baseName == "" {
+		slog.Info("image does not appear to be pinned")
+		baseName = pinnedImage
+	}
+
+	parts := strings.Split(baseName, "/")
+	if len(parts) < 4 {
+		return nil, fmt.Errorf("unexpected image format %q, expected an AR formatted image", baseName)
+	}
+
+	host := parts[0]
+	if strings.HasSuffix(host, "-docker.pkg.dev") {
+		parsedImage.Location = strings.TrimSuffix(host, "-docker.pkg.dev")
+	} else {
+		return nil, fmt.Errorf("unexpected host format %q, expected AR formatted host with -docker.pkg.dev suffix", host)
+	}
+
+	parsedImage.Project = parts[1]
+	parsedImage.Repository = parts[2]
+	parsedImage.Name = parts[3]
+
+	return parsedImage, nil
+}

internal/images/images_test.go

@@ -0,0 +1,80 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package images provides operations around docker images.
+package images
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestParseImage(t *testing.T) {
+	for _, test := range []struct {
+		name    string
+		image   string
+		want    *containerImage
+		wantErr bool
+	}{
+		{
+			name:  "AR unpinned",
+			image: "us-central1-docker.pkg.dev/some-project/some-repo/some-image",
+			want: &containerImage{
+				Name:       "some-image",
+				Location:   "us-central1",
+				Project:    "some-project",
+				Repository: "some-repo",
+			},
+		},
+		{
+			name:  "AR pinned SHA",
+			image: "us-central1-docker.pkg.dev/some-project/some-repo/some-image@sha256:abcdef",
+			want: &containerImage{
+				Name:       "some-image",
+				Location:   "us-central1",
+				Project:    "some-project",
+				Repository: "some-repo",
+				SHA:        "sha256:abcdef",
+			},
+		},
+		{
+			name:  "AR tagged",
+			image: "us-central1-docker.pkg.dev/some-project/some-repo/some-image:1.2.3",
+			want: &containerImage{
+				Name:       "some-image",
+				Location:   "us-central1",
+				Project:    "some-project",
+				Repository: "some-repo",
+				Tag:        "1.2.3",
+			},
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			got, err := parseImage(test.image)
+			if (err != nil) != test.wantErr {
+				t.Errorf("parseImage() error = %v, wantErr %v", err, test.wantErr)
+				return
+			}
+			if diff := cmp.Diff(test.want, got); diff != "" {
+				t.Errorf("parseImage() mismatch (-want +got):\n%s", diff)
+			}
+			str := got.String()
+			if diff := cmp.Diff(str, test.image); diff != "" {
+				t.Errorf("image.String() mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

system_test.go

@@ -28,9 +28,11 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/googleapis/librarian/internal/github"
 	"github.com/googleapis/librarian/internal/gitrepo"
+	"github.com/googleapis/librarian/internal/images"
 )
 
 var testToken = os.Getenv("TEST_GITHUB_TOKEN")
+var githubAction = os.Getenv("GITHUB_ACTION")
 
 func TestGetRawContentSystem(t *testing.T) {
 	if testToken == "" {
@@ -440,6 +442,69 @@ func TestCreateRelease(t *testing.T) {
 	}
 }
 
+func TestFindLatestImage(t *testing.T) {
+	// If we are able to configure system tests on GitHub actions, then update this
+	// guard clause.
+	if githubAction != "" {
+		t.Skip("skipping on GitHub actions")
+	}
+	for _, test := range []struct {
+		name     string
+		image    string
+		wantDiff bool
+		wantErr  bool
+	}{
+		{
+			name:     "AR unpinned",
+			image:    "us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/librarian-go@sha256:dea280223eca5a0041fb5310635cec9daba2f01617dbfb1e47b90c77368b5620",
+			wantDiff: true,
+		},
+		{
+			name:     "AR pinned",
+			image:    "us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/librarian-go@sha256:dea280223eca5a0041fb5310635cec9daba2f01617dbfb1e47b90c77368b5620",
+			wantDiff: true,
+		},
+		{
+			name:    "invalid image",
+			image:   "gcr.io/some-project/some-name",
+			wantErr: true,
+		},
+	} {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			client, err := images.NewArtifactRegistryClient(t.Context())
+			if err != nil {
+				t.Fatalf("unexpected error in NewArtifactRegistryClient() %v", err)
+			}
+			defer client.Close()
+			got, err := client.FindLatest(t.Context(), test.image)
+			if test.wantErr {
+				if err == nil {
+					t.Errorf("FindLatestImage() error = %v, wantErr %v", err, test.wantErr)
+				}
+				return
+			}
+
+			if err != nil {
+				t.Fatalf("FindLatestImage() error = %v", err)
+			}
+
+			if !strings.HasPrefix(got, "us-central1-docker.pkg.dev/cloud-sdk-librarian-prod/images-prod/librarian-go@sha256:") {
+				t.Fatalf("FindLatestImage() unexpected image format")
+			}
+			if test.wantDiff {
+				if got == test.image {
+					t.Fatalf("FindLatestImage() expected to change")
+				}
+			} else {
+				if got != test.image {
+					t.Fatalf("FindLatestImage() expected to stay the same")
+				}
+			}
+		})
+	}
+}
+
 func TestGitCheckout(t *testing.T) {
 	t.Parallel()
 	for _, test := range []struct {