imagetools: pass referrer filter opts to oci-layout path

tonistiigi · tonistiigi · commit 863398c78928 · 2026-03-12T23:15:01.000-07:00
FetchReferrers accepted FetchReferrersOpt but dropped them
when resolving OCI layout referrers. Forward the options and
apply ArtifactTypes filtering so callers can narrow results
consistently for both registry and local layout sources.

Signed-off-by: Tonis Tiigi &lt;tonistiigi@gmail.com&gt;
diff --git a/util/imagetools/inspect.go b/util/imagetools/inspect.go
@@ -172,7 +172,7 @@ func (r *Resolver) localStore(path string) (content.Store, error) {
 
 func (r *Resolver) FetchReferrers(ctx context.Context, loc *Location, dgst digest.Digest, opts ...remotes.FetchReferrersOpt) ([]ocispecs.Descriptor, error) {
 	if loc.IsOCILayout() {
-		return fetchOCILayoutReferrers(ctx, r.GetDescriptor, loc, dgst)
+		return fetchOCILayoutReferrers(ctx, r.GetDescriptor, loc, dgst, opts...)
 	}
 	f, err := r.registryResolver().Fetcher(ctx, loc.String())
 	if err != nil {
diff --git a/util/imagetools/inspect_test.go b/util/imagetools/inspect_test.go
@@ -0,0 +1,53 @@
+package imagetools
+
+import (
+	"context"
+	"testing"
+
+	"github.com/containerd/containerd/v2/core/images"
+	"github.com/containerd/containerd/v2/core/remotes"
+	"github.com/moby/buildkit/client/ociindex"
+	"github.com/opencontainers/go-digest"
+	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFetchReferrersOCILayoutArtifactTypeFilter(t *testing.T) {
+	t.Parallel()
+
+	dir := t.TempDir()
+	idx := ociindex.NewStoreIndex(dir)
+	subject := digest.FromString("subject")
+
+	attestation := ocispecs.Descriptor{
+		MediaType:    ocispecs.MediaTypeImageManifest,
+		ArtifactType: artifactTypeAttestationManifest,
+		Digest:       digest.FromString("attestation"),
+		Size:         123,
+		Annotations: map[string]string{
+			images.AnnotationManifestSubject: subject.String(),
+		},
+	}
+	require.NoError(t, idx.Put(attestation))
+
+	signature := ocispecs.Descriptor{
+		MediaType:    ocispecs.MediaTypeImageManifest,
+		ArtifactType: "application/vnd.dev.sigstore.bundle.v0.3+json",
+		Digest:       digest.FromString("signature"),
+		Size:         456,
+		Annotations: map[string]string{
+			images.AnnotationManifestSubject: subject.String(),
+		},
+	}
+	require.NoError(t, idx.Put(signature))
+
+	loc, err := ParseLocation("oci-layout://" + dir + ":latest")
+	require.NoError(t, err)
+
+	r := New(Opt{})
+	refs, err := r.FetchReferrers(context.Background(), loc, subject, remotes.WithReferrerArtifactTypes(artifactTypeAttestationManifest))
+	require.NoError(t, err)
+	require.Len(t, refs, 1)
+	require.Equal(t, attestation.Digest, refs[0].Digest)
+	require.Equal(t, attestation.ArtifactType, refs[0].ArtifactType)
+}
diff --git a/util/imagetools/ocilayout_referrers.go b/util/imagetools/ocilayout_referrers.go
@@ -3,9 +3,11 @@ package imagetools
 import (
 	"context"
 	"encoding/json"
+	"slices"
 	"sync"
 
 	"github.com/containerd/containerd/v2/core/images"
+	"github.com/containerd/containerd/v2/core/remotes"
 	"github.com/containerd/errdefs"
 	"github.com/moby/buildkit/client/ociindex"
 	"github.com/moby/buildkit/util/attestation"
@@ -54,7 +56,7 @@ func hasSubjectAnnotation(desc ocispecs.Descriptor) bool {
 // fetchOCILayoutReferrers resolves referrers for a subject from an OCI layout by
 // combining directly indexed subject entries with referrers reachable from the
 // regular named roots in index.json.
-func fetchOCILayoutReferrers(ctx context.Context, getDescriptor func(context.Context, *Location, ocispecs.Descriptor) ([]byte, error), loc *Location, subject digest.Digest) ([]ocispecs.Descriptor, error) {
+func fetchOCILayoutReferrers(ctx context.Context, getDescriptor func(context.Context, *Location, ocispecs.Descriptor) ([]byte, error), loc *Location, subject digest.Digest, opts ...remotes.FetchReferrersOpt) ([]ocispecs.Descriptor, error) {
 	idx, err := ociindex.NewStoreIndex(loc.OCILayout().Path).Read()
 	if err != nil {
 		return nil, err
@@ -84,7 +86,26 @@ func fetchOCILayoutReferrers(ctx context.Context, getDescriptor func(context.Con
 	for _, desc := range out {
 		refs = append(refs, desc)
 	}
-	return refs, nil
+	return filterOCILayoutReferrers(ctx, refs, opts...)
+}
+
+func filterOCILayoutReferrers(ctx context.Context, refs []ocispecs.Descriptor, opts ...remotes.FetchReferrersOpt) ([]ocispecs.Descriptor, error) {
+	var cfg remotes.FetchReferrersConfig
+	for _, opt := range opts {
+		if err := opt(ctx, &cfg); err != nil {
+			return nil, err
+		}
+	}
+	if len(cfg.ArtifactTypes) == 0 {
+		return refs, nil
+	}
+	out := make([]ocispecs.Descriptor, 0, len(refs))
+	for _, ref := range refs {
+		if slices.Contains(cfg.ArtifactTypes, ref.ArtifactType) {
+			out = append(out, ref)
+		}
+	}
+	return out, nil
 }
 
 // collectReachableOCILayoutReferrers walks a regular OCI layout root and records

Original file line number	Diff line number	Diff line change
`@@ -172,7 +172,7 @@ func (r *Resolver) localStore(path string) (content.Store, error) {`
`172`	`172`
`173`	`173`	`func (r Resolver) FetchReferrers(ctx context.Context, loc Location, dgst digest.Digest, opts ...remotes.FetchReferrersOpt) ([]ocispecs.Descriptor, error) {`
`174`	`174`	`if loc.IsOCILayout() {`
`175`		`- return fetchOCILayoutReferrers(ctx, r.GetDescriptor, loc, dgst)`
	`175`	`+ return fetchOCILayoutReferrers(ctx, r.GetDescriptor, loc, dgst, opts...)`
`176`	`176`	`}`
`177`	`177`	`f, err := r.registryResolver().Fetcher(ctx, loc.String())`
`178`	`178`	`if err != nil {`