1 files changed, 19 insertions, 10 deletions

diff --git a/releng/docker.xsh b/releng/docker.xsh
index 20fb30cd3..13bdd7868 100644
--- a/releng/docker.xsh
+++ b/releng/docker.xsh
@@ -19,6 +19,7 @@ def check_all_logins(env: RelengEnvironment):
         check_login(target)
 
 def check_login(target: DockerTarget):
+    log.info('Checking login for %s', target.registry_name)
     skopeo login @(target.registry_name())
 
 def upload_docker_images(target: DockerTarget, paths: list[Path]):
@@ -43,7 +44,23 @@ def upload_docker_images(target: DockerTarget, paths: list[Path]):
 
         for path in paths:
             digest_file = tmp / (path.name + '.digest')
-            inspection = json.loads($(skopeo inspect docker-archive:@(path)))
+            tmp_image = tmp / 'tmp-image.tar.gz'
+
+            # insecure-policy: we don't have any signature policy, we are just uploading an image
+            #
+            # Absurd: we copy it into an OCI image first so we can get the hash
+            # we need to upload it untagged, because skopeo has no "don't tag
+            # this" option.
+            # The reason for this is that forgejo's container registry throws
+            # away old versions of tags immediately, so we cannot use a temp
+            # tag, and it *does* reduce confusion to not upload tags that
+            # should not be used.
+            #
+            # Workaround for: https://github.com/containers/skopeo/issues/2354
+            log.info('skopeo copy to temp oci-archive %s', tmp_image)
+            skopeo --insecure-policy copy --format oci --all --digestfile @(digest_file) docker-archive:@(path) oci-archive:@(tmp_image)
+
+            inspection = json.loads($(skopeo inspect oci-archive:@(tmp_image)))
 
             docker_arch = inspection['Architecture']
             docker_os = inspection['Os']
@@ -51,21 +68,13 @@ def upload_docker_images(target: DockerTarget, paths: list[Path]):
 
             log.info('Pushing image %s for %s to %s', path, docker_arch, target.registry_path)
 
-            # insecure-policy: we don't have any signature policy, we are just uploading an image
-            # We upload to a junk tag, because otherwise it will upload to `latest`, which is undesirable
-            skopeo --insecure-policy copy --format oci --digestfile @(digest_file) docker-archive:@(path) docker://@(target.registry_path):temp
-
             digest = digest_file.read_text().strip()
+            skopeo --insecure-policy copy --preserve-digests --all oci-archive:@(tmp_image) f'docker://{target.registry_path}@{digest}'
 
             # skopeo doesn't give us the manifest size directly, so we just ask the registry
             metadata = reg.image_info(target.registry_path, digest)
 
             manifests.append(OCIIndexItem(metadata=metadata, architecture=docker_arch, os=docker_os))
-    # delete the temp tag, which we only have to create because of skopeo
-    # limitations anyhow (it seems to not have a way to say "don't tag it, find
-    # your checksum and put it there")
-    # FIXME: this is not possible because GitHub only has a proprietary API for it. amazing. 11/10.
-    # reg.delete_tag(target.registry_path, 'temp')
 
     log.info('Pushed images to %r, building a bigger and more menacing manifest from %r with metadata %r', target, manifests, meta)
     # send the multiarch manifest to each tag