drop platform/digest pull resolution

The digest-pull logic was added to make `docker push` work for multi-arch upstream tags. Now that the push step is `docker buildx imagetools create` pinned to the gpg-verified RepoDigest, the registry-to-registry copy handles single- and multi-arch sources without help. Reverts the pull back to the original line and removes the unused PLATFORM_OS/_ARCH detection.
push images via buildx imagetools create
2026-05-09 21:02:36 +02:00 · 2026-04-28 14:54:25 -04:00 · 2026-04-28 14:49:02 -04:00 · 2026-04-28 14:27:59 -04:00
1 changed files with 18 additions and 5 deletions
@@ -192,8 +192,21 @@ update_docker_containers() {
          echo "Unable to tag $image" >> "$LOG_FILE" 2>&1
          exit 1
        }
-        docker push $HOSTNAME:5000/$IMAGEREPO/$image >> "$LOG_FILE" 2>&1 || {
+        # Push to the embedded registry via a registry-to-registry copy. Avoids
-          echo "Unable to push $image" >> "$LOG_FILE" 2>&1 
+        # `docker push`, which on Docker 29.x with the containerd image store
        # represents freshly-pulled images as an index whose layer content
        # isn't reachable through the push path. The local `docker tag` above
        # is preserved so so-image-pull's `:5000` existence check still works.
        # Pin to the digest already gpg-verified above so we copy exactly the
        # bytes we approved.
        local VERIFIED_REF
        VERIFIED_REF=$(echo "$DOCKERINSPECT" | jq -r ".[0].RepoDigests[] | select(. | contains(\"$CONTAINER_REGISTRY\"))" | head -n 1)
        if [ -z "$VERIFIED_REF" ] || [ "$VERIFIED_REF" = "null" ]; then
          echo "Unable to determine verified digest for $image" >> "$LOG_FILE" 2>&1
          exit 1
        fi
        docker buildx imagetools create --tag $HOSTNAME:5000/$IMAGEREPO/$image "$VERIFIED_REF" >> "$LOG_FILE" 2>&1 || {
          echo "Unable to copy $image to embedded registry" >> "$LOG_FILE" 2>&1
          exit 1
        }
      fi