ghcr-manager 0.0.4 → 0.9.0

package/dist/ingest/github/index.js

@@ -1,20 +1,23 @@
+import { ghcrRegistryBaseUrl } from "../../config/index.js";
 import { ingestManifests } from "./_manifest-ingest.js";
+import { loadPackageMetadata } from "./_package-metadata-load.js";
 import { ingestPackageVersions } from "./_packages-client.js";
 import { defaultFetch } from "./_shared.js";
-const _GITHUB_API_BASE_URL = "https://api.github.com";
-const _REGISTRY_BASE_URL = "https://ghcr.io";
+export { loadPackageMetadata } from "./_package-metadata-load.js";
+export { defaultFetch } from "./_shared.js";
 export async function importGitHubScan(options, writer, repository, runtime) {
     const fetchImpl = runtime?.fetchImpl ?? defaultFetch;
     const scanStartedAt = new Date().toISOString();
     const fullPackageName = `${options.owner}/${options.packageName}`;
-    writer.resetScan(options.owner, options.packageName, scanStartedAt);
+    const packageMetadata = runtime?.packageMetadata ?? (await loadPackageMetadata(fetchImpl, options));
+    writer.startScan(options.owner, options.packageName, scanStartedAt, packageMetadata);
     const scanId = writer.getActiveScanId();
     options.logger.info(`Starting GitHub package scan for ${fullPackageName}`);
     try {
         options.logger.info(`Starting remote data pull for ${fullPackageName}`);
-        const counts = await ingestPackageVersions(fetchImpl, _GITHUB_API_BASE_URL, options, writer);
+        const counts = await ingestPackageVersions(fetchImpl, options, writer);
         options.logger.info(`Loaded ${counts.packageVersions} package versions and ${counts.tags} tags`);
-        await ingestManifests(fetchImpl, _REGISTRY_BASE_URL, options, writer, repository, scanId);
+        await ingestManifests(fetchImpl, ghcrRegistryBaseUrl, options, writer, repository, scanId);
         options.logger.info(`Completed remote data pull for ${fullPackageName}`);
         writer.markScanCompleted(new Date().toISOString());
         options.logger.info(`Completed GitHub package scan for ${fullPackageName}`);

package/package.json

@@ -9,7 +9,7 @@
     "type": "git",
     "url": "https://github.com/gh-workflow/ghcr-manager"
   },
-  "version": "0.0.4",
+  "version": "0.9.0",
   "type": "module",
   "engines": {
     "node": ">=20.0.0"
@@ -28,11 +28,12 @@
     "build": "tsc --project tsconfig.json",
     "coverage": "c8 --src src --reporter=text --reporter=text-summary node --import tsx --test",
     "ghcr-manager": "tsx src/cli/index.ts",
+    "ghcr-manager:dist": "node dist/cli/index.js",
     "format": "prettier --write .",
     "format:check": "prettier --check .",
     "lint": "npm run check:file-names && npm run check:test-mapping && npm run typecheck && npm run lint:ts && npm run lint:yaml && npm run lint:markdown && npm run format:check",
-    "check:file-names": "node tools/check-src-file-names.mjs",
-    "check:test-mapping": "node tools/check-test-mapping.mjs",
+    "check:file-names": "node tools/tests/check-src-file-names.mjs",
+    "check:test-mapping": "node tools/tests/check-test-mapping.mjs",
     "lint:ts": "eslint \"src/**/*.ts\" \"tests/**/*.ts\"",
     "lint:yaml": "eslint \".github/**/*.yml\" \"*.yml\"",
     "lint:markdown": "markdownlint-cli2",
@@ -51,9 +52,10 @@
     "eslint-plugin-yml": "^3.3.2",
     "globals": "^17.5.0",
     "markdownlint-cli2": "^0.22.1",
-    "prettier": "^3.6.2",
+    "prettier": "^3.8.3",
     "tsx": "^4.20.6",
+    "typescript": "^6.0.3",
     "typescript-eslint": "^8.46.2",
-    "typescript": "^6.0.3"
+    "yaml": "^2.9.0"
   }
 }

package/resources/sql/schema/001_schema.sql

@@ -5,6 +5,8 @@ CREATE TABLE IF NOT EXISTS package_scans (
   scan_uuid TEXT NOT NULL UNIQUE,
   owner TEXT NOT NULL,
   package_name TEXT NOT NULL,
+  package_metadata_json TEXT NOT NULL,
+  github_actions_run_url TEXT,
   scan_started_at TEXT NOT NULL,
   scan_completed_at TEXT,
   status TEXT NOT NULL,
@@ -14,11 +16,9 @@ CREATE TABLE IF NOT EXISTS package_scans (
 CREATE TABLE IF NOT EXISTS package_versions (
   scan_id INTEGER NOT NULL,
   version_id INTEGER NOT NULL,
-  digest TEXT NOT NULL,
   created_at TEXT NOT NULL,
   updated_at TEXT NOT NULL,
   PRIMARY KEY(scan_id, version_id),
-  UNIQUE(scan_id, version_id, digest),
   FOREIGN KEY(scan_id) REFERENCES package_scans(scan_id)
 );
 
@@ -33,14 +33,14 @@ CREATE TABLE IF NOT EXISTS package_version_payloads (
 CREATE TABLE IF NOT EXISTS tags (
   scan_id INTEGER NOT NULL,
   tag TEXT NOT NULL,
-  digest TEXT NOT NULL,
   version_id INTEGER NOT NULL,
   PRIMARY KEY(scan_id, tag),
-  FOREIGN KEY(scan_id, version_id, digest) REFERENCES package_versions(scan_id, version_id, digest)
+  FOREIGN KEY(scan_id, version_id) REFERENCES package_versions(scan_id, version_id)
 );
 
 CREATE TABLE IF NOT EXISTS manifests (
   scan_id INTEGER NOT NULL,
+  version_id INTEGER NOT NULL,
   digest TEXT NOT NULL,
   media_type TEXT NOT NULL,
   artifact_type TEXT,
@@ -50,8 +50,17 @@ CREATE TABLE IF NOT EXISTS manifests (
   platform_os TEXT,
   platform_architecture TEXT,
   platform_variant TEXT,
-  PRIMARY KEY(scan_id, digest),
-  FOREIGN KEY(scan_id) REFERENCES package_scans(scan_id)
+  manifest_kind TEXT,
+  CHECK(manifest_kind IN (
+    'image_index',
+    'image_manifest',
+    'artifact_manifest',
+    'attestation_manifest',
+    'signature_manifest'
+  )),
+  PRIMARY KEY(scan_id, version_id),
+  UNIQUE(scan_id, digest),
+  FOREIGN KEY(scan_id, version_id) REFERENCES package_versions(scan_id, version_id)
 );
 
 CREATE TABLE IF NOT EXISTS manifest_descriptors (
@@ -96,14 +105,79 @@ CREATE TABLE IF NOT EXISTS manifest_reachability (
   CHECK(min_distance >= 0)
 );
 
+CREATE TABLE IF NOT EXISTS cleanup_runs (
+  cleanup_run_id INTEGER PRIMARY KEY,
+  scan_id INTEGER NOT NULL,
+  cleanup_uuid TEXT NOT NULL,
+  cleanup_started_at TEXT NOT NULL,
+  github_actions_run_url TEXT,
+  dry_run INTEGER NOT NULL,
+  planner_inputs_json TEXT NOT NULL,
+  direct_target_tag_count INTEGER NOT NULL,
+  direct_target_root_count INTEGER NOT NULL,
+  delete_root_candidate_count INTEGER NOT NULL,
+  untag_only_root_count INTEGER NOT NULL,
+  fully_deletable_root_count INTEGER NOT NULL,
+  blocked_delete_root_count INTEGER NOT NULL,
+  protected_root_count INTEGER NOT NULL,
+  CHECK(dry_run IN (0, 1)),
+  UNIQUE(cleanup_run_id, scan_id),
+  FOREIGN KEY(scan_id) REFERENCES package_scans(scan_id)
+);
+
+CREATE TABLE IF NOT EXISTS cleanup_root_decisions (
+  cleanup_run_id INTEGER NOT NULL,
+  scan_id INTEGER NOT NULL,
+  digest TEXT NOT NULL,
+  selection_mode TEXT NOT NULL,
+  selection_reason TEXT NOT NULL,
+  validation_status TEXT NOT NULL,
+  validation_reason_code TEXT NOT NULL,
+  validation_reason TEXT NOT NULL,
+  blocking_digest TEXT,
+  overlap_digest TEXT,
+  PRIMARY KEY(cleanup_run_id, digest),
+  CHECK(validation_status IN ('fully-deletable', 'blocked', 'untag-only')),
+  CHECK(validation_reason_code IN (
+    'untag-only-partial-tag-match',
+    'fully-deletable-no-retained-overlap',
+    'blocked-overlap-with-retained-root'
+  )),
+  FOREIGN KEY(cleanup_run_id, scan_id) REFERENCES cleanup_runs(cleanup_run_id, scan_id),
+  FOREIGN KEY(scan_id, digest) REFERENCES manifests(scan_id, digest),
+  FOREIGN KEY(scan_id, blocking_digest) REFERENCES manifests(scan_id, digest),
+  FOREIGN KEY(scan_id, overlap_digest) REFERENCES manifests(scan_id, digest)
+);
+
+CREATE TABLE IF NOT EXISTS cleanup_protected_root_blocks (
+  cleanup_run_id INTEGER NOT NULL,
+  scan_id INTEGER NOT NULL,
+  protected_digest TEXT NOT NULL,
+  blocked_digest TEXT NOT NULL,
+  block_reason_code TEXT NOT NULL,
+  overlap_digest TEXT NOT NULL,
+  PRIMARY KEY(cleanup_run_id, protected_digest, blocked_digest, overlap_digest),
+  CHECK(block_reason_code IN ('overlap-with-retained-root')),
+  FOREIGN KEY(cleanup_run_id, scan_id) REFERENCES cleanup_runs(cleanup_run_id, scan_id),
+  FOREIGN KEY(scan_id, protected_digest, overlap_digest)
+    REFERENCES manifest_reachability(scan_id, ancestor_digest, descendant_digest),
+  FOREIGN KEY(scan_id, blocked_digest, overlap_digest)
+    REFERENCES manifest_reachability(scan_id, ancestor_digest, descendant_digest)
+);
+
 CREATE INDEX IF NOT EXISTS idx_package_versions_scan_created_at ON package_versions(scan_id, created_at);
-CREATE INDEX IF NOT EXISTS idx_package_versions_scan_digest ON package_versions(scan_id, digest);
 CREATE UNIQUE INDEX IF NOT EXISTS idx_package_scans_scan_uuid ON package_scans(scan_uuid);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_cleanup_runs_cleanup_uuid ON cleanup_runs(cleanup_uuid);
 CREATE INDEX IF NOT EXISTS idx_package_scans_owner_name_started_at
   ON package_scans(owner, package_name, scan_started_at DESC);
-CREATE INDEX IF NOT EXISTS idx_tags_scan_digest ON tags(scan_id, digest);
+CREATE INDEX IF NOT EXISTS idx_cleanup_runs_scan_id ON cleanup_runs(scan_id);
+CREATE INDEX IF NOT EXISTS idx_cleanup_protected_root_blocks_run_blocked
+  ON cleanup_protected_root_blocks(cleanup_run_id, blocked_digest);
+CREATE INDEX IF NOT EXISTS idx_tags_scan_version ON tags(scan_id, version_id);
 CREATE INDEX IF NOT EXISTS idx_manifest_descriptors_scan_child ON manifest_descriptors(scan_id, child_digest);
 CREATE INDEX IF NOT EXISTS idx_manifest_edges_scan_parent ON manifest_edges(scan_id, parent_digest);
 CREATE INDEX IF NOT EXISTS idx_manifest_edges_scan_child ON manifest_edges(scan_id, child_digest);
 CREATE INDEX IF NOT EXISTS idx_manifest_reachability_scan_descendant
   ON manifest_reachability(scan_id, descendant_digest);
+CREATE INDEX IF NOT EXISTS idx_manifest_reachability_scan_descendant_distance
+  ON manifest_reachability(scan_id, descendant_digest, min_distance);

package/resources/sql/views/001_v_latest_scan_per_package.sql

@@ -17,11 +17,11 @@ FROM (
              ps.scan_completed_at,
              ROW_NUMBER() OVER (
                  PARTITION BY ps.owner, ps.package_name
-                 ORDER BY ps.scan_completed_at DESC
+                 ORDER BY ps.scan_completed_at DESC, ps.scan_id DESC
                  ) AS rn
          FROM package_scans ps
          WHERE ps.scan_completed_at IS NOT NULL
            AND ps.status = 'completed'
      )
 WHERE rn = 1
-;
+;

package/resources/sql/views/003_v_scan_root_manifests.sql

@@ -0,0 +1,43 @@
+DROP VIEW IF EXISTS v_scan_root_manifests;
+
+CREATE VIEW v_scan_root_manifests AS
+SELECT
+  ps.scan_id,
+  ps.owner,
+  ps.package_name,
+  m.version_id AS root_version_id,
+  m.digest AS root_digest,
+  m.manifest_kind AS root_manifest_kind,
+  pv.created_at,
+  pv.updated_at,
+  COUNT(t.tag) AS tag_count,
+  CASE WHEN COUNT(t.tag) > 0 THEN 1 ELSE 0 END AS is_tagged,
+  CASE
+    WHEN EXISTS (
+      SELECT 1
+      FROM manifest_reachability mr
+      WHERE mr.scan_id = m.scan_id
+        AND mr.descendant_digest = m.digest
+        AND mr.min_distance > 0
+    ) THEN 1
+    ELSE 0
+  END AS has_ancestor
+FROM manifests m
+JOIN package_versions pv
+  ON pv.scan_id = m.scan_id
+ AND pv.version_id = m.version_id
+JOIN package_scans ps
+  ON ps.scan_id = m.scan_id
+LEFT JOIN tags t
+  ON t.scan_id = m.scan_id
+ AND t.version_id = m.version_id
+GROUP BY
+  ps.scan_id,
+  ps.owner,
+  ps.package_name,
+  m.version_id,
+  m.digest,
+  m.manifest_kind,
+  pv.created_at,
+  pv.updated_at
+;

package/resources/sql/views/004_v_digest_derived_tag_relations.sql

@@ -0,0 +1,51 @@
+DROP VIEW IF EXISTS v_digest_derived_tag_relations;
+
+CREATE VIEW v_digest_derived_tag_relations AS
+WITH digest_like_tags AS (
+  SELECT
+    lsp.scan_id,
+    lsp.owner,
+    lsp.package_name,
+    t.tag,
+    t.version_id AS artifact_version_id,
+    m.digest AS artifact_digest,
+    m.manifest_kind AS artifact_manifest_kind,
+    m.subject_digest AS artifact_subject_digest,
+    'sha256:' || SUBSTR(t.tag, 8, 64) AS inferred_parent_digest,
+    SUBSTR(t.tag, 72) AS tag_suffix
+  FROM tags t
+  JOIN v_latest_scan_per_package lsp
+    ON lsp.scan_id = t.scan_id
+  JOIN manifests m
+    ON m.scan_id = t.scan_id
+   AND m.version_id = t.version_id
+  WHERE t.tag LIKE 'sha256-%'
+    AND LENGTH(t.tag) >= 71
+    AND SUBSTR(t.tag, 8, 64) NOT GLOB '*[^0-9A-Fa-f]*'
+)
+SELECT
+  dlt.scan_id,
+  dlt.owner,
+  dlt.package_name,
+  dlt.tag,
+  dlt.artifact_version_id,
+  dlt.artifact_digest,
+  dlt.artifact_manifest_kind,
+  dlt.artifact_subject_digest,
+  dlt.inferred_parent_digest,
+  dlt.tag_suffix,
+  pm.version_id AS parent_version_id,
+  pm.digest AS parent_digest,
+  pm.manifest_kind AS parent_manifest_kind,
+  CASE
+    WHEN dlt.artifact_subject_digest = dlt.inferred_parent_digest THEN 1
+    ELSE 0
+  END AS subject_matches_inferred_parent,
+  CASE
+    WHEN pm.digest IS NULL THEN 0
+    ELSE 1
+  END AS parent_exists
+FROM digest_like_tags dlt
+LEFT JOIN manifests pm
+  ON pm.scan_id = dlt.scan_id
+ AND pm.digest = dlt.inferred_parent_digest;

package/resources/sql/views/005_v_cleanup_root_closure_members.sql

@@ -0,0 +1,100 @@
+DROP VIEW IF EXISTS v_cleanup_root_closure_members;
+
+CREATE VIEW v_cleanup_root_closure_members AS
+WITH selected_roots AS (
+  SELECT
+    run.cleanup_run_id,
+    run.scan_id,
+    ps.owner,
+    ps.package_name,
+    decision.digest AS root_digest,
+    root_manifest.version_id AS root_version_id,
+    root_manifest.manifest_kind AS root_manifest_kind,
+    decision.selection_mode,
+    decision.selection_reason,
+    decision.validation_status,
+    decision.validation_reason_code,
+    decision.validation_reason
+  FROM cleanup_root_decisions decision
+  JOIN cleanup_runs run
+    ON run.cleanup_run_id = decision.cleanup_run_id
+   AND run.scan_id = decision.scan_id
+  JOIN package_scans ps
+    ON ps.scan_id = run.scan_id
+  JOIN manifests root_manifest
+    ON root_manifest.scan_id = decision.scan_id
+   AND root_manifest.digest = decision.digest
+),
+closure_members AS (
+  SELECT
+    sr.cleanup_run_id,
+    sr.scan_id,
+    sr.owner,
+    sr.package_name,
+    sr.root_digest,
+    sr.root_version_id,
+    sr.root_manifest_kind,
+    sr.selection_mode,
+    sr.selection_reason,
+    sr.validation_status,
+    sr.validation_reason_code,
+    sr.validation_reason,
+    sr.root_digest AS member_digest,
+    sr.root_version_id AS member_version_id,
+    sr.root_manifest_kind AS member_manifest_kind,
+    0 AS hops_from_root,
+    'root' AS member_role
+  FROM selected_roots sr
+
+  UNION ALL
+
+  SELECT
+    sr.cleanup_run_id,
+    sr.scan_id,
+    sr.owner,
+    sr.package_name,
+    sr.root_digest,
+    sr.root_version_id,
+    sr.root_manifest_kind,
+    sr.selection_mode,
+    sr.selection_reason,
+    sr.validation_status,
+    sr.validation_reason_code,
+    sr.validation_reason,
+    member_manifest.digest AS member_digest,
+    member_manifest.version_id AS member_version_id,
+    member_manifest.manifest_kind AS member_manifest_kind,
+    reachability.min_distance AS hops_from_root,
+    'descendant' AS member_role
+  FROM selected_roots sr
+  JOIN manifest_reachability reachability
+    ON reachability.scan_id = sr.scan_id
+   AND reachability.ancestor_digest = sr.root_digest
+   AND reachability.min_distance > 0
+  JOIN manifests member_manifest
+    ON member_manifest.scan_id = sr.scan_id
+   AND member_manifest.digest = reachability.descendant_digest
+)
+SELECT
+  cm.cleanup_run_id,
+  cm.scan_id,
+  cm.owner,
+  cm.package_name,
+  cm.root_digest,
+  cm.root_version_id,
+  cm.root_manifest_kind,
+  cm.selection_mode,
+  cm.selection_reason,
+  cm.validation_status,
+  cm.validation_reason_code,
+  cm.validation_reason,
+  cm.member_digest,
+  cm.member_version_id,
+  cm.member_manifest_kind,
+  cm.hops_from_root,
+  cm.member_role,
+  tag.tag AS member_tag
+FROM closure_members cm
+LEFT JOIN tags tag
+  ON tag.scan_id = cm.scan_id
+ AND tag.version_id = cm.member_version_id;

package/resources/sql/views/006_v_cleanup_blocking_overlaps.sql

@@ -0,0 +1,42 @@
+DROP VIEW IF EXISTS v_cleanup_blocking_overlaps;
+
+CREATE VIEW v_cleanup_blocking_overlaps AS
+SELECT
+  run.cleanup_run_id,
+  run.scan_id,
+  ps.owner,
+  ps.package_name,
+  block.protected_digest,
+  protected_manifest.version_id AS protected_version_id,
+  protected_manifest.manifest_kind AS protected_manifest_kind,
+  block.blocked_digest,
+  blocked_manifest.version_id AS blocked_version_id,
+  blocked_manifest.manifest_kind AS blocked_manifest_kind,
+  decision.selection_mode AS blocked_selection_mode,
+  decision.selection_reason AS blocked_selection_reason,
+  decision.validation_status AS blocked_validation_status,
+  decision.validation_reason_code AS blocked_validation_reason_code,
+  decision.validation_reason AS blocked_validation_reason,
+  block.block_reason_code,
+  block.overlap_digest,
+  overlap_manifest.version_id AS overlap_version_id,
+  overlap_manifest.manifest_kind AS overlap_manifest_kind
+FROM cleanup_protected_root_blocks block
+JOIN cleanup_runs run
+  ON run.cleanup_run_id = block.cleanup_run_id
+ AND run.scan_id = block.scan_id
+JOIN package_scans ps
+  ON ps.scan_id = run.scan_id
+JOIN manifests protected_manifest
+  ON protected_manifest.scan_id = block.scan_id
+ AND protected_manifest.digest = block.protected_digest
+JOIN manifests blocked_manifest
+  ON blocked_manifest.scan_id = block.scan_id
+ AND blocked_manifest.digest = block.blocked_digest
+JOIN cleanup_root_decisions decision
+  ON decision.cleanup_run_id = block.cleanup_run_id
+ AND decision.scan_id = block.scan_id
+ AND decision.digest = block.blocked_digest
+LEFT JOIN manifests overlap_manifest
+  ON overlap_manifest.scan_id = block.scan_id
+ AND overlap_manifest.digest = block.overlap_digest;

package/dist/ingest/github/_paginated-ingest.d.ts

@@ -1,11 +0,0 @@
-import type { GitHubScanLogger } from "./_shared.js";
-export interface PaginatedIngestOptions<T> {
-    loadPage(page: number): Promise<T[]>;
-    writePage(pageItems: T[], page: number): Promise<void> | void;
-    logger: GitHubScanLogger;
-}
-export interface PaginatedIngestResult {
-    pages: number;
-    items: number;
-}
-export declare function ingestPaginated<T>(options: PaginatedIngestOptions<T>): Promise<PaginatedIngestResult>;

package/dist/ingest/github/_paginated-ingest.js

@@ -1,28 +0,0 @@
-import { paginatedIngestProgressIntervalPages } from "../../tuning/index.js";
-const _DEFAULT_PAGE_SIZE = 100;
-const _PROGRESS_LABEL = "GitHub package-version pages";
-export async function ingestPaginated(options) {
-    let pages = 0;
-    let items = 0;
-    let lastLoggedPage = 0;
-    for (let page = 1;; page += 1) {
-        const pageItems = await options.loadPage(page);
-        if (pageItems.length === 0) {
-            break;
-        }
-        await options.writePage(pageItems, page);
-        pages = page;
-        items += pageItems.length;
-        if (page === 1 || page % paginatedIngestProgressIntervalPages === 0 || pageItems.length < _DEFAULT_PAGE_SIZE) {
-            options.logger.info(`Loaded ${_PROGRESS_LABEL} ${page} (${items} items total)`);
-            lastLoggedPage = page;
-        }
-        if (pageItems.length < _DEFAULT_PAGE_SIZE) {
-            break;
-        }
-    }
-    if (pages > 0 && lastLoggedPage !== pages) {
-        options.logger.info(`Loaded ${_PROGRESS_LABEL} ${pages} (${items} items total)`);
-    }
-    return { pages, items };
-}

package/resources/sql/views/003_v_missing_digests_related_manifests.sql

@@ -1,78 +0,0 @@
-DROP VIEW IF EXISTS v_missing_digests_related_manifests;
-
-CREATE VIEW v_missing_digests_related_manifests AS
-WITH
-related_manifests AS (
-  SELECT DISTINCT
-    m.scan_id,
-    md.missing_digest,
-    m.digest AS related_manifest_digest,
-    m.media_type,
-    1 AS hops_missing_to_related_manifest
-  FROM v_missing_digests md
-  JOIN manifests m
-    ON m.scan_id = md.scan_id
-   AND m.digest = md.anchor_digest
-
-  UNION
-
-  SELECT DISTINCT
-    m.scan_id,
-    md.missing_digest,
-    m.digest AS related_manifest_digest,
-    m.media_type,
-    r.min_distance + 1 AS hops_missing_to_related_manifest
-  FROM v_missing_digests md
-  JOIN manifests m
-    ON m.scan_id = md.scan_id
-  JOIN manifest_reachability r
-    ON r.scan_id = m.scan_id
-   AND r.ancestor_digest = m.digest
-   AND r.descendant_digest = md.anchor_digest
-
-  UNION
-
-  SELECT DISTINCT
-    m.scan_id,
-    md.missing_digest,
-    m.digest AS related_manifest_digest,
-    m.media_type,
-    r.min_distance + 1 AS hops_missing_to_related_manifest
-  FROM v_missing_digests md
-  JOIN manifests m
-    ON m.scan_id = md.scan_id
-  JOIN manifest_reachability r
-    ON r.scan_id = m.scan_id
-   AND r.ancestor_digest = md.anchor_digest
-   AND r.descendant_digest = m.digest
-),
-closest_related_manifests AS (
-  SELECT
-    scan_id,
-    missing_digest,
-    related_manifest_digest,
-    media_type,
-    MIN(hops_missing_to_related_manifest) AS hops_missing_to_related_manifest
-  FROM related_manifests
-  GROUP BY
-    missing_digest,
-    scan_id,
-    related_manifest_digest,
-    media_type
-)
-SELECT
-  ps.scan_id,
-  ps.owner,
-  ps.package_name,
-  crm.missing_digest,
-  crm.related_manifest_digest,
-  crm.media_type,
-  crm.hops_missing_to_related_manifest,
-  t.tag,
-  t.version_id
-FROM closest_related_manifests crm
-JOIN package_scans ps
-  ON ps.scan_id = crm.scan_id
-LEFT JOIN tags t
-  ON t.scan_id = crm.scan_id
- AND t.digest = crm.related_manifest_digest;