Do not copy referrers in CopyBaseImages (#2073)

lbussell · web-flow · commit 827b54e64c7a · 2026-04-10T12:33:30.000-07:00
diff --git a/src/ImageBuilder.Tests/BuildCommandTests.cs b/src/ImageBuilder.Tests/BuildCommandTests.cs
@@ -3704,6 +3704,7 @@ private static void VerifyImportImage(Mock<ICopyImageService> copyImageServiceMo
                         destTagNames,
                         destRegistryName,
                         srcTagName,
+                        true,
                         srcRegistryName,
                         It.IsAny<ContainerRegistryImportSourceCredentials>(),
                         false));
diff --git a/src/ImageBuilder.Tests/CopyAcrImagesCommandTests.cs b/src/ImageBuilder.Tests/CopyAcrImagesCommandTests.cs
@@ -104,6 +104,7 @@ public async Task CopyAcrImagesCommand_CustomDockerfileName()
                             new string[] { expectedTag },
                             manifest.Registry,
                             expectedTag,
+                            true,
                             SourceRegistry,
                             null,
                             false));
@@ -205,6 +206,7 @@ public async Task CopyAcrImagesCommand_SharedDockerfile()
                             new string[] { expectedTag },
                             manifest.Registry,
                             expectedTag,
+                            true,
                             SourceRegistry,
                             null,
                             false));
@@ -318,6 +320,7 @@ public async Task CopyAcrImagesCommand_RuntimeDepsSharing()
                             new string[] { expectedTag },
                             manifest.Registry,
                             expectedTag,
+                            true,
                             SourceRegistry,
                             null,
                             false));
@@ -431,6 +434,7 @@ public async Task SyndicatedTags()
                             new string[] { expectedTag },
                             manifest.Registry,
                             It.IsAny<string>(),
+                            true,
                             SourceRegistry,
                             null,
                             false));
@@ -516,6 +520,7 @@ public async Task CopyAcrImagesCommand_CopiesManifestListTags()
                     new string[] { $"test/runtime:tag1" },
                     DestinationRegistry,
                     "test/runtime:tag1",
+                    true,
                     SourceRegistry,
                     null,
                     false));
@@ -526,6 +531,7 @@ public async Task CopyAcrImagesCommand_CopiesManifestListTags()
                     new string[] { $"test/runtime:shared1" },
                     DestinationRegistry,
                     "test/runtime:shared1",
+                    true,
                     SourceRegistry,
                     null,
                     false));
@@ -535,6 +541,7 @@ public async Task CopyAcrImagesCommand_CopiesManifestListTags()
                     new string[] { $"test/runtime:shared2" },
                     DestinationRegistry,
                     "test/runtime:shared2",
+                    true,
                     SourceRegistry,
                     null,
                     false));
@@ -628,6 +635,7 @@ public async Task CopyAcrImagesCommand_CopiesSyndicatedManifestListTags()
                     new string[] { $"test/runtime:tag1" },
                     DestinationRegistry,
                     "test/runtime:tag1",
+                    true,
                     SourceRegistry,
                     null,
                     false));
@@ -638,6 +646,7 @@ public async Task CopyAcrImagesCommand_CopiesSyndicatedManifestListTags()
                     new string[] { $"test/runtime:shared1" },
                     DestinationRegistry,
                     "test/runtime:shared1",
+                    true,
                     SourceRegistry,
                     null,
                     false));
@@ -648,6 +657,7 @@ public async Task CopyAcrImagesCommand_CopiesSyndicatedManifestListTags()
                     new string[] { $"test/runtime2:syn-shared1" },
                     DestinationRegistry,
                     "test/runtime2:syn-shared1",
+                    true,
                     SourceRegistry,
                     null,
                     false));
@@ -721,6 +731,7 @@ public async Task CopyAcrImagesCommand_SkipsManifestListsWithNoManifestData()
                     new string[] { $"test/runtime:tag1" },
                     DestinationRegistry,
                     It.IsAny<string>(),
+                    true,
                     SourceRegistry,
                     null,
                     false));
diff --git a/src/ImageBuilder.Tests/CopyBaseImagesCommandTests.cs b/src/ImageBuilder.Tests/CopyBaseImagesCommandTests.cs
@@ -93,6 +93,7 @@ public async Task MultipleBaseTags()
                             new string[] { expectedTagInfo.TargetTag },
                             manifest.Registry,
                             expectedTagInfo.SourceImage,
+                            false,
                             expectedTagInfo.Registry,
                             It.Is<ContainerRegistryImportSourceCredentials>(creds => creds.Username == expectedTagInfo.Username && creds.Password == expectedTagInfo.Password),
                             false));
@@ -167,6 +168,7 @@ public async Task OverridenBaseTag()
                             new string[] { expectedTagInfo.TargetTag },
                             manifest.Registry,
                             expectedTagInfo.SourceImage,
+                            false,
                             expectedTagInfo.Registry,
                             It.Is<ContainerRegistryImportSourceCredentials>(creds => (creds == null && expectedTagInfo.Username == null) || (creds.Username == expectedTagInfo.Username && creds.Password == expectedTagInfo.Password)),
                             false));
diff --git a/src/ImageBuilder.Tests/CopyImageServiceTests.cs b/src/ImageBuilder.Tests/CopyImageServiceTests.cs
@@ -46,7 +46,9 @@ await Should.NotThrowAsync(() =>
                 destAcrName: "myacr.azurecr.io",
                 srcTagName: "repo:tag",
                 srcRegistryName: "docker.io",
-                isDryRun: true));
+                sourceCredentials: null,
+                isDryRun: true,
+                copyReferrers: true));
     }
 
     /// <summary>
@@ -94,7 +96,9 @@ await service.ImportImageAsync(
             destAcrName: "myacr.azurecr.io",
             srcTagName: "repo:tag",
             srcRegistryName: "docker.io",
-            isDryRun: false);
+            sourceCredentials: null,
+            isDryRun: false,
+            copyReferrers: true);
 
         // Verify the importer was called, proving execution reached the import step
         // (past the external registry lookup that previously threw)
@@ -137,7 +141,9 @@ await service.ImportImageAsync(
             destAcrName: "myacr.azurecr.io",
             srcTagName: "repo:tag",
             srcRegistryName: "myacr.azurecr.io",
-            isDryRun: false);
+            sourceCredentials: null,
+            isDryRun: false,
+            copyReferrers: true);
 
         // Main image import with TargetTags
         mockImporter.Verify(
@@ -203,7 +209,9 @@ await service.ImportImageAsync(
             destAcrName: "myacr.azurecr.io",
             srcTagName: "repo:tag",
             srcRegistryName: "myacr.azurecr.io",
-            isDryRun: false);
+            sourceCredentials: null,
+            isDryRun: false,
+            copyReferrers: true);
 
         mockImporter.Verify(
             x => x.ImportImageAsync(
@@ -213,6 +221,47 @@ await service.ImportImageAsync(
             Times.Once);
     }
 
+    /// <summary>
+    /// When copyReferrers is false, referrer discovery and referrer imports are
+    /// both skipped. Only the main image is imported.
+    /// </summary>
+    [Fact]
+    public async Task ImportImageAsync_CopyReferrersFalse_SkipsReferrerDiscoveryAndImport()
+    {
+        PublishConfiguration publishConfig = CreateAcrPublishConfig("myacr.azurecr.io");
+
+        var mockImporter = new Mock<IAcrImageImporter>();
+        var mockOras = new Mock<IOrasService>();
+
+        var service = new CopyImageService(
+            Mock.Of<ILogger<CopyImageService>>(),
+            mockImporter.Object,
+            mockOras.Object,
+            ConfigurationHelper.CreateOptionsMock(publishConfig));
+
+        await service.ImportImageAsync(
+            destTagNames: ["mirror/repo:tag"],
+            destAcrName: "myacr.azurecr.io",
+            srcTagName: "repo:tag",
+            srcRegistryName: "myacr.azurecr.io",
+            sourceCredentials: null,
+            isDryRun: false,
+            copyReferrers: false);
+
+        // GetReferrersAsync should never be called when copyReferrers is false
+        mockOras.Verify(
+            o => o.GetReferrersAsync(It.IsAny<string>(), It.IsAny<bool>(), It.IsAny<CancellationToken>()),
+            Times.Never);
+
+        // Only the main image should be imported (no referrers)
+        mockImporter.Verify(
+            x => x.ImportImageAsync(
+                It.IsAny<string>(),
+                It.IsAny<ResourceIdentifier>(),
+                It.IsAny<ContainerRegistryImportImageContent>()),
+            Times.Once);
+    }
+
     /// <summary>
     /// In dry-run mode, referrer discovery and ACR imports are both skipped.
     /// The ORAS service receives the dry-run flag and returns an empty list
@@ -239,7 +288,9 @@ await service.ImportImageAsync(
             destAcrName: "myacr.azurecr.io",
             srcTagName: "repo:tag",
             srcRegistryName: "myacr.azurecr.io",
-            isDryRun: true);
+            sourceCredentials: null,
+            isDryRun: true,
+            copyReferrers: true);
 
         mockOras.Verify(
             o => o.GetReferrersAsync(It.IsAny<string>(), true, It.IsAny<CancellationToken>()),
diff --git a/src/ImageBuilder/Commands/BuildCommand.cs b/src/ImageBuilder/Commands/BuildCommand.cs
@@ -624,6 +624,7 @@ await _copyImageService.ImportImageAsync(
                 destTagNames: destTags,
                 destAcrName: Manifest.Registry,
                 srcTagName: DockerHelper.TrimRegistry(sourceDigest, srcRegistry),
+                copyReferrers: true,
                 srcRegistryName: srcRegistry);
 
             // Redefine the source digest to be from the destination of the copy, not the source. The canonical scenario
diff --git a/src/ImageBuilder/Commands/CopyAcrImagesCommand.cs b/src/ImageBuilder/Commands/CopyAcrImagesCommand.cs
@@ -59,6 +59,7 @@ public override async Task ExecuteAsync()
                                 DockerHelper.TrimRegistry(tagInfo.DestinationTag, Manifest.Registry),
                                 Manifest.Registry,
                                 DockerHelper.TrimRegistry(tagInfo.SourceTag, Options.SourceRegistry),
+                                copyReferrers: true,
                                 srcRegistryName: Options.SourceRegistry)))
                 .SelectMany(tasks => tasks);
 
@@ -68,6 +69,7 @@ public override async Task ExecuteAsync()
                         DockerHelper.TrimRegistry(tagInfo.DestinationTag, Manifest.Registry),
                         Manifest.Registry,
                         DockerHelper.TrimRegistry(tagInfo.SourceTag, Options.SourceRegistry),
+                        copyReferrers: true,
                         srcRegistryName: Options.SourceRegistry));
 
             await Task.WhenAll(platformImportTasks.Concat(manifestListImportTasks));
diff --git a/src/ImageBuilder/Commands/CopyBaseImagesCommand.cs b/src/ImageBuilder/Commands/CopyBaseImagesCommand.cs
@@ -95,8 +95,13 @@ private Task CopyImageAsync(string fromImage, string destinationRegistryName)
                 };
             }
 
-            return ImportImageAsync($"{Options.RepoPrefix}{fromImage}", destinationRegistryName, srcImage,
-                srcRegistryName: registry, sourceCredentials: importSourceCreds);
+            return ImportImageAsync(
+                destTagName: $"{Options.RepoPrefix}{fromImage}",
+                destRegistryName: destinationRegistryName,
+                srcTagName: srcImage,
+                srcRegistryName: registry,
+                sourceCredentials: importSourceCreds,
+                copyReferrers: false);
         }
     }
 }
diff --git a/src/ImageBuilder/Commands/CopyImagesCommand.cs b/src/ImageBuilder/Commands/CopyImagesCommand.cs
@@ -22,6 +22,7 @@ protected Task ImportImageAsync(
         string destTagName,
         string destRegistryName,
         string srcTagName,
+        bool copyReferrers,
         string? srcRegistryName = null,
         ContainerRegistryImportSourceCredentials? sourceCredentials = null) =>
             _copyImageService.ImportImageAsync(
@@ -30,5 +31,6 @@ protected Task ImportImageAsync(
                 srcTagName: srcTagName,
                 srcRegistryName: srcRegistryName,
                 sourceCredentials: sourceCredentials,
-                isDryRun: Options.IsDryRun);
+                isDryRun: Options.IsDryRun,
+                copyReferrers: copyReferrers);
 }
diff --git a/src/ImageBuilder/CopyImageService.cs b/src/ImageBuilder/CopyImageService.cs
@@ -20,6 +20,7 @@ Task ImportImageAsync(
         string[] destTagNames,
         string destAcrName,
         string srcTagName,
+        bool copyReferrers,
         string? srcRegistryName = null,
         ContainerRegistryImportSourceCredentials? sourceCredentials = null,
         bool isDryRun = false);
@@ -48,6 +49,7 @@ public async Task ImportImageAsync(
         string[] destTagNames,
         string destAcrName,
         string srcTagName,
+        bool copyReferrers,
         string? srcRegistryName = null,
         ContainerRegistryImportSourceCredentials? sourceCredentials = null,
         bool isDryRun = false)
@@ -57,17 +59,17 @@ public async Task ImportImageAsync(
         string sourceImageName = DockerHelper.GetImageName(srcRegistryName, srcTagName);
         string destRepo = destTagNames.First().Split(':')[0].Split('@')[0];
 
-        // Discover referrers (signatures, SBOMs, etc.) for the source image.
-        IReadOnlyList<ReferrerInfo> referrers =
-            await _orasService.GetReferrersAsync(reference: sourceImageName, isDryRun: isDryRun);
+        IReadOnlyList<ReferrerInfo> referrers = copyReferrers
+            ? await _orasService.GetReferrersAsync(reference: sourceImageName, isDryRun: isDryRun)
+            : [];
 
         var destinationImageNames =
             destTagNames.Select(tag => $"'{DockerHelper.GetImageName(destAcr.Server, tag)}'").ToList();
         string formattedDestinationImages = string.Join(", ", destinationImageNames);
 
         _logger.LogInformation(
-            "Importing {DestinationImages} and {ReferrerCount} referrer(s) from '{SourceImage}' (DryRun={DryRun})",
-            formattedDestinationImages, referrers.Count, sourceImageName, isDryRun);
+            "Importing {DestinationImages} and {ReferrerCount} referrer(s) from '{SourceImage}' (DryRun={DryRun}, CopyReferrers={CopyReferrers})",
+            formattedDestinationImages, referrers.Count, sourceImageName, isDryRun, copyReferrers);
 
         if (isDryRun)
         {

Original file line number	Diff line number	Diff line change
`@@ -95,8 +95,13 @@ private Task CopyImageAsync(string fromImage, string destinationRegistryName)`
`95`	`95`	`};`
`96`	`96`	`}`
`97`	`97`
`98`		`- return ImportImageAsync($"{Options.RepoPrefix}{fromImage}", destinationRegistryName, srcImage,`
`99`		`- srcRegistryName: registry, sourceCredentials: importSourceCreds);`
	`98`	`+ return ImportImageAsync(`
	`99`	`+ destTagName: $"{Options.RepoPrefix}{fromImage}",`
	`100`	`+ destRegistryName: destinationRegistryName,`
	`101`	`+ srcTagName: srcImage,`
	`102`	`+ srcRegistryName: registry,`
	`103`	`+ sourceCredentials: importSourceCreds,`
	`104`	`+ copyReferrers: false);`
`100`	`105`	`}`
`101`	`106`	`}`
`102`	`107`	`}`