Skip to content

Push stable tags as plain images instead of manifest lists#253

Merged
davdhacs merged 3 commits into
mainfrom
worktree-fix-stable-manifest
May 19, 2026
Merged

Push stable tags as plain images instead of manifest lists#253
davdhacs merged 3 commits into
mainfrom
worktree-fix-stable-manifest

Conversation

@davdhacs
Copy link
Copy Markdown
Contributor

@davdhacs davdhacs commented May 19, 2026
edited
Loading

Summary

  • The promote-stable workflow used docker buildx imagetools create to retag images as stable, which wraps the single-arch amd64 image in a manifest list
  • This prevents arm64 clients (e.g. Apple Silicon with emulation) from pulling the image — they get "no matching manifest for linux/arm64" instead of falling back to amd64
  • Use skopeo copy for a server-side retag that preserves the original plain image format without pulling locally
  • Also adds a configurable target input (defaults to "stable") for testing promotions without affecting real stable tags

Test

Ran the workflow on this branch with target: stable-test and verified on an arm64 host:

$ docker run --rm quay.io/stackrox-io/apollo-ci:stackrox-test-stable-test roxie version
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
roxie version v0.4.0 (2026-05-18T17:52:18Z)

Same digest as stackrox-test-latest (sha256:387346914505c40f2018b4c2194358320673c1a2ad0e511e368cae6a1b506f2f), pulls successfully with emulation instead of failing with "no matching manifest".

🤖 Generated with Claude Code

davdhacs and others added 3 commits May 19, 2026 09:45
@davdhacs @claude
Push stable tags as plain images instead of manifest lists
2fafd35 
The `docker buildx imagetools create` command wraps the single-arch
amd64 image in a manifest list, which prevents arm64 clients (e.g.
Apple Silicon) from pulling it even with emulation. Switch back to
docker pull/tag/push so stable tags behave the same as latest tags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@davdhacs @claude
Use skopeo for server-side retag instead of docker pull/tag/push
567c533 
skopeo copy preserves the original manifest format (plain single-arch
image, no manifest list wrapping) and operates server-side without
pulling the image locally. skopeo is pre-installed on ubuntu-latest.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@davdhacs @claude
Add configurable target tag suffix to promote-stable workflow
da110d7 
Allows overriding the target tag (default: "stable") for testing
promotions without affecting the real stable tags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 19, 2026
edited
Loading

Build Images

Image Flavor Image Tag
jenkins-plugin quay.io/stackrox-io/apollo-ci:jenkins-plugin-0.5.12-3-gda110d7809
scanner-build quay.io/stackrox-io/apollo-ci:scanner-build-0.5.12-3-gda110d7809
scanner-test quay.io/stackrox-io/apollo-ci:scanner-test-0.5.12-3-gda110d7809
stackrox-build quay.io/stackrox-io/apollo-ci:stackrox-build-0.5.12-3-gda110d7809
stackrox-test quay.io/stackrox-io/apollo-ci:stackrox-test-0.5.12-3-gda110d7809
stackrox-ui-test quay.io/stackrox-io/apollo-ci:stackrox-ui-test-0.5.12-3-gda110d7809

@davdhacs davdhacs merged commit cf50bab into main May 19, 2026
9 checks passed
@davdhacs davdhacs deleted the worktree-fix-stable-manifest branch May 19, 2026 16:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tommartensen tommartensen tommartensen approved these changes

@mclasmeier mclasmeier Awaiting requested review from mclasmeier

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@davdhacs @tommartensen