ci(build): query scorecard image tags with registry v2 api

[tthvo]

Welcome to Cryostat! 👋

Before contributing, make sure you have:

• Read the contributing guidelines
• Linked a relevant issue which this PR resolves
• Linked any other relevant issues, PR's, or documentation, if any
• Resolved all conflicts, if any
• Rebased your branch PR on top of the latest upstream main branch
• Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
• Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

---

Fixes: #914

Description of the change:

• Replaced podman search with curl to registry v2 api (quay.io is compatible). References: https://docker-docs.uclv.cu/registry/spec/api/#existing-manifests
• This sends HEAD request to /v2/<name>/manifests/<reference> to check if an image exists for the specified tag.

Motivation for the change:

See #914. I avoided fetching tags since the tag list can grow rather large with time. This method should basically query in constant time and also skip pulling the image layers.

How to manually test:

Check if a image for specified tag exists:

TAG=3.0.1-20240704162318
curl -ILs -o /dev/null https://quay.io/v2/cryostat/cryostat-operator-scorecard/manifests/$TAG -w "%{http_code}"

Sample run: https://github.com/tthvo/cryostat-operator/actions/runs/9884455121/job/27300862066

[ebaron]

Looks good to me, thanks @tthvo!

[andrewazores]

A bit late now, but I think skopeo inspect could have also been useful here. It would retrieve metadata about the image rather than simply checking that it exists so it would probably be a bit slower, but it it's nice and easy to read:

$ skopeo inspect --no-tags docker://quay.io/cryostat/cryostat:3.0.0 >/dev/null 2>&1
$ echo $?
0
$ time skopeo inspect --no-tags docker://quay.io/cryostat/cryostat:3.0.0 >/dev/null 2>&1

real	0m1.074s
user	0m0.020s
sys	0m0.026s

$ skopeo inspect --no-tags docker://quay.io/cryostat/cryostat:4.0.0 >/dev/null 2>&1
$ echo $?
1
$ time skopeo inspect --no-tags docker://quay.io/cryostat/cryostat:4.0.0 >/dev/null 2>&1

real	0m0.853s
user	0m0.020s
sys	0m0.019s

[tthvo]

Oh nicee! Thanks @andrewazores, I didn't know skopeo is available. I guess its a bit nicer with curl to distinguish a 404 and other fails (i.e. 500, 401, or just the command error)?

[andrewazores]

If you leave off the >/dev/null 2>&1, skopeo will give you some nicer output about any errors it runs into:

$ skopeo inspect --no-tags docker://quay.io/cryostat/cryostat:4.0.0
FATA[0000] Error parsing image name "docker://quay.io/cryostat/cryostat:4.0.0": reading manifest 4.0.0 in quay.io/cryostat/cryostat: manifest unknown

$ skopeo inspect --no-tags --username notme --password incorrect docker://quay.io/cryostat/cryostat:4.0.0
FATA[0000] Error parsing image name "docker://quay.io/cryostat/cryostat:4.0.0": unable to retrieve auth token: invalid username/password: unauthorized: Invalid Username or Password

But in both of these cases, $? is just 1. So if the script somehow wants to take different actions depending on the failure mode then the curl is more useful.

[tthvo]

Make sense thanks! I think we can note this for future refactoring of the ci yaml.