ggcr: descriptors in ImageIndex returned by referrers API do not fulfill requirements stated in OCI spec

[nmiyake]

Describe the bug

The OCI 1.1 specification for the "referrers" API states that, for the descriptors in the returned referrers index, The descriptors MUST include an artifactType field that is set to the value of the artifactType in the image manifest or index, if present and The descriptors MUST include annotations from the image manifest or index..

However, the current go-containerregistry library does not fulfill either of these requirements.

To Reproduce

For annotations:

1. Create a v1.Image with a non-empty annotations field and subject field and use remote.Write to write the image
2. Call remote.Referrers on the subject and examine the manifest entry
3. Current behavior is that the descriptor for the image from step 1 does not have an annotations field

For artifactType:

1. Create a v1.Image that specifies a value for the artifactType field (can be done by including this field in the output of the RawManifest() implementation of v1.Image) and subject field and use remote.Write to write the image
2. Call remote.Referrers on the subject and examine the manifest entry
3. Current behavior is that the artifactType field of the descriptor for the image from step 1 is set to the value of Config.MediaType

Expected behavior

For annotations:

• The descriptor for image should have an annotations field that matches the annotations field of the image

For artifactType:

• The descriptor for the image should have an artifactType value that matches the aritfactType field of the image

Additional context

Full text of the referrers specification:

Upon success, the response MUST be a JSON body with an image index containing a list of descriptors. The Content-Type header MUST be set to application/vnd.oci.image.index.v1+json. Each descriptor is of an image manifest or index in the same <name> namespace with a subject field that specifies the value of <digest>. The descriptors MUST include an artifactType field that is set to the value of the artifactType in the image manifest or index, if present. If the artifactType is empty or missing in the image manifest, the value of artifactType MUST be set to the config descriptor mediaType value. If the artifactType is empty or missing in an index, the artifactType MUST be omitted. The descriptors MUST include annotations from the image manifest or index. If a query results in no matching referrers, an empty manifest list MUST be returned.

GitHub has implemented an action that uses the referrers API to upload referrers using subjects, and it looks like their implementation properly does this (sets annotations and artifact types for referrer ImageIndex): actions/attest-build-provenance#73 (comment)

[nmiyake]

#1931 is an open PR that fixes the artifactType component of this issue

[nmiyake]

#1998 is a PR to fix the annotations component of this issue

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.