source-push: add support for --digestfile

Allow writing digest of the pushed source to the specified `digestfile`

Closes: https://github.com/containers/buildah/issues/5399

Signed-off-by: flouthoc <flouthoc.git@gmail.com>

cmd/buildah/source.go

@@ -122,6 +122,7 @@ func init() {
 	sourceCommand.AddCommand(sourcePushCommand)
 	sourcePushFlags := sourcePushCommand.Flags()
 	sourcePushFlags.StringVar(&sourcePushOptions.Credentials, "creds", "", "use `[username[:password]]` for accessing the registry")
+	sourcePushFlags.StringVar(&sourcePushOptions.DigestFile, "digestfile", "", "after copying the artifact, write the digest of the resulting image to the file")
 	sourcePushFlags.BoolVar(&sourcePushOptions.TLSVerify, "tls-verify", true, "require HTTPS and verify certificates when accessing the registry")
 	sourcePushFlags.BoolVarP(&sourcePushOptions.Quiet, "quiet", "q", false, "don't output push progress information")
 }

docs/buildah-source-push.1.md

@@ -20,6 +20,10 @@ The [username[:password]] to use to authenticate with the registry if required.
 If one or both values are not supplied, a command line prompt will appear and the
 value can be entered.  The password is entered without echo.
 
+**--digestfile** *digestfile*
+
+After copying the image, write the digest of the resulting image to the file.
+
 **--quiet**, **-q**
 
 Suppress the progress output when pushing a source image.

internal/source/push.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/containers/buildah/pkg/parse"
 	"github.com/containers/image/v5/copy"
+	"github.com/containers/image/v5/manifest"
 	"github.com/containers/image/v5/oci/layout"
 	"github.com/containers/image/v5/signature"
 	"github.com/containers/image/v5/types"
@@ -21,6 +22,8 @@ type PushOptions struct {
 	Credentials string
 	// Quiet the progress bars when pushing.
 	Quiet bool
+	// If set after copying the artifact, write the digest of the resulting image to the file
+	DigestFile string
 }
 
 // Push the source image at `sourcePath` to `imageInput` at a container
@@ -61,9 +64,20 @@ func Push(ctx context.Context, sourcePath string, imageInput string, options Pus
 	if !options.Quiet {
 		copyOpts.ReportWriter = os.Stderr
 	}
-	if _, err := copy.Image(ctx, policyContext, destRef, srcRef, copyOpts); err != nil {
+	manifestBytes, err := copy.Image(ctx, policyContext, destRef, srcRef, copyOpts)
+	if err != nil {
 		return fmt.Errorf("pushing source image: %w", err)
 	}
 
+	if options.DigestFile != "" {
+		manifestDigest, err := manifest.Digest(manifestBytes)
+		if err != nil {
+			return fmt.Errorf("computing digest of manifest of source: %w", err)
+		}
+		if err = os.WriteFile(options.DigestFile, []byte(manifestDigest.String()), 0644); err != nil {
+			return fmt.Errorf("failed to write digest to file %q: %w", options.DigestFile, err)
+		}
+	}
+
 	return nil
 }

tests/source.bats

@@ -134,9 +134,11 @@ load helpers
   run_buildah source push --quiet --tls-verify=false --creds testuser:testpassword $srcdir localhost:${REGISTRY_PORT}/source:test
   expect_output ""
   # --quiet=false (implicit)
-  run_buildah source push --tls-verify=false --creds testuser:testpassword $srcdir localhost:${REGISTRY_PORT}/source:test
+  run_buildah source push --digestfile=${TEST_SCRATCH_DIR}/digest.txt --tls-verify=false --creds testuser:testpassword $srcdir localhost:${REGISTRY_PORT}/source:test
   expect_output --substring "Copying blob"
   expect_output --substring "Copying config"
+  cat ${TEST_SCRATCH_DIR}/digest.txt
+  test -s ${TEST_SCRATCH_DIR}/digest.txt
 
   pulldir=${TEST_SCRATCH_DIR}/pulledsource
   # --quiet=true