ghcr-manager 0.9.5 → 0.9.7

package/dist/cli/_tag-selector-resolver.js

@@ -1,3 +1,7 @@
+const BrokenIndexModes = {
+    allMissing: "all-missing",
+    someMissing: "some-missing"
+};
 export function resolveTagSelectors(database, inputs) {
     if (!inputs.deleteGhostImages && !inputs.deletePartialImages && !inputs.deleteOrphanedImages) {
         return inputs;
@@ -14,13 +18,13 @@ export function resolveTagSelectors(database, inputs) {
     };
 }
 function _listLatestGhostTags(database, owner, packageName, cutoffTimestamp) {
-    return _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestamp, "all-missing");
+    return _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestamp, BrokenIndexModes.allMissing);
 }
 function _listLatestPartialTags(database, owner, packageName, cutoffTimestamp) {
-    return _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestamp, "some-missing");
+    return _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestamp, BrokenIndexModes.someMissing);
 }
 function _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestamp, mode) {
-    const havingClause = mode === "all-missing"
+    const havingClause = mode === BrokenIndexModes.allMissing
         ? "COUNT(*) > 0 AND COUNT(child.digest) = 0"
         : "COUNT(child.digest) > 0 AND COUNT(child.digest) < COUNT(*)";
     const rows = database
@@ -30,7 +34,6 @@ function _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestam
           FROM v_latest_scan_per_package
           WHERE owner = ?
             AND package_name = ?
-          LIMIT 1
         ),
         ghost_roots AS (
           SELECT
@@ -77,7 +80,7 @@ function _listLatestBrokenIndexTags(database, owner, packageName, cutoffTimestam
     return rows.map((row) => row.tag);
 }
 // Some OCI tooling publishes companion artifacts such as signatures or attestations under
-// digest-derived tags in the same repository, for example `sha256-<digest>.sig`, while the
+// digest tags in the same repository, for example `sha256-<digest>.sig`, while the
 // actual relationship is the artifact's subject/referrer link to the parent digest.
 //
 // Public references:
@@ -94,7 +97,7 @@ function _listLatestOrphanedTags(database, owner, packageName, cutoffTimestamp)
     const rows = database
         .prepare(`
         SELECT DISTINCT dtr.tag
-        FROM v_digest_derived_tag_relations dtr
+        FROM v_digest_tag_relations dtr
         INNER JOIN package_versions pv
           ON pv.scan_id = dtr.scan_id
          AND pv.version_id = dtr.artifact_version_id

package/dist/cli/_untag-command.js

@@ -1,5 +1,6 @@
 import { listPackageVersionTagSources, untagRootTags } from "../execute/index.js";
 import { collectRepeatedOption, hasFlag, requireOption, resolveLogLevel, resolveToken } from "./_args.js";
+import { writeJsonOutput } from "./_json-output.js";
 import { createLogger } from "./_logger.js";
 export async function handleUntag(args) {
     const owner = requireOption(args, "--owner");
@@ -35,7 +36,7 @@ export async function handleUntag(args) {
         roots,
         untaggedTags
     };
-    console.log(JSON.stringify(summary));
+    writeJsonOutput(args, "--summary-json-path", summary);
     return 0;
 }
 function _groupTagSources(tagSources) {

package/dist/cli/index.js

@@ -26,10 +26,10 @@ export async function main(argv) {
 }
 function printUsage() {
     console.error(`Usage:
-  ghcr-manager cleanup --db <path> [--log-level <trace|debug|info|warn|error|silent>] [--dry-run] --owner <org> --package <name> [--token <token>] <cleanup selectors...> [--exclude-tag <tag> ...] [--use-regex] [--older-than <interval>]
+  ghcr-manager cleanup --db <path> [--log-level <trace|debug|info|warn|error|silent>] [--dry-run] [--summary-json-path <path>] --owner <org> --package <name> [--token <token>] <cleanup selectors...> [--exclude-tag <tag> ...] [--use-regex] [--older-than <interval>]
   ghcr-manager db-merge --db <target-path> --source-db <path> [--source-db <path> ...]
   ghcr-manager scan --db <path> [--log-level <trace|debug|info|warn|error|silent>] [--github-output <path>] --owner <org> --package <name> --token <token>
-  ghcr-manager untag [--log-level <trace|debug|info|warn|error|silent>] [--dry-run] --owner <org> --package <name> --token <token> --tag <tag> [--tag <tag> ...]
+  ghcr-manager untag [--log-level <trace|debug|info|warn|error|silent>] [--dry-run] [--summary-json-path <path>] --owner <org> --package <name> --token <token> --tag <tag> [--tag <tag> ...]
 
 Cleanup selectors:
   --delete-untagged

package/dist/core/_digest-tag.d.ts

@@ -0,0 +1,2 @@
+export declare function isDigestTag(tag: string): boolean;
+export declare function digestFromDigestTag(tag: string): string | null;

package/dist/core/_digest-tag.js

@@ -0,0 +1,12 @@
+export function isDigestTag(tag) {
+    return tag.startsWith("sha256-") && tag.length >= 71 && !_containsNonHex(tag.slice(7, 71));
+}
+export function digestFromDigestTag(tag) {
+    if (!isDigestTag(tag)) {
+        return null;
+    }
+    return `sha256:${tag.slice(7, 71)}`;
+}
+function _containsNonHex(value) {
+    return /[^0-9A-Fa-f]/.test(value);
+}

package/dist/core/_types.d.ts

@@ -1,4 +1,13 @@
-export type ManifestKind = "image_index" | "image_manifest" | "artifact_manifest" | "attestation_manifest" | "signature_manifest";
+export declare const ManifestKinds: {
+    readonly indexManifest: "index_manifest";
+    readonly crossArchManifest: "cross_arch_manifest";
+    readonly imageManifest: "image_manifest";
+    readonly artifactManifest: "artifact_manifest";
+    readonly attestationManifest: "attestation_manifest";
+    readonly signatureManifest: "signature_manifest";
+};
+export type ManifestKind = (typeof ManifestKinds)[keyof typeof ManifestKinds];
+export type ManifestEdgeKind = "image-child" | "referrer" | "digest-tag-referrer";
 export interface PackageVersionRecord {
     versionId: number;
     createdAt: string;
@@ -38,7 +47,7 @@ export interface ManifestDescriptorRecord {
 export interface ManifestEdgeRecord {
     parentDigest: string;
     childDigest: string;
-    edgeKind: "image-child" | "referrer";
+    edgeKind: ManifestEdgeKind;
 }
 export interface PackageSnapshot {
     packageName: string;

package/dist/core/_types.js

@@ -1 +1,8 @@
-export {};
+export const ManifestKinds = {
+    indexManifest: "index_manifest",
+    crossArchManifest: "cross_arch_manifest",
+    imageManifest: "image_manifest",
+    artifactManifest: "artifact_manifest",
+    attestationManifest: "attestation_manifest",
+    signatureManifest: "signature_manifest"
+};

package/dist/core/index.d.ts

@@ -1,4 +1,6 @@
-export type { ManifestEdgeRecord, ManifestDescriptorRecord, ManifestKind, ManifestRecord, PackageSnapshot, PackageVersionRecord, TagRecord } from "./_types.js";
+export type { ManifestEdgeKind, ManifestEdgeRecord, ManifestDescriptorRecord, ManifestKind, ManifestRecord, PackageSnapshot, PackageVersionRecord, TagRecord } from "./_types.js";
+export { ManifestKinds } from "./_types.js";
 export type { HttpErrorResponse } from "./_http-error.js";
 export { buildHttpErrorMessage } from "./_http-error.js";
 export { getOwnerURIComponent } from "./_github-package-owner.js";
+export { digestFromDigestTag, isDigestTag } from "./_digest-tag.js";

package/dist/core/index.js

@@ -1,2 +1,4 @@
+export { ManifestKinds } from "./_types.js";
 export { buildHttpErrorMessage } from "./_http-error.js";
 export { getOwnerURIComponent } from "./_github-package-owner.js";
+export { digestFromDigestTag, isDigestTag } from "./_digest-tag.js";

package/dist/db/_cleanup-run-writer.d.ts

@@ -1,5 +1,5 @@
 import type Database from "better-sqlite3";
-import type { DeletePlan } from "./planner/index.js";
+import { type DeletePlan } from "./planner/index.js";
 export declare class CleanupRunWriter {
     #private;
     constructor(database: Database.Database);

package/dist/db/_cleanup-run-writer.js

@@ -1,73 +1,113 @@
 import { randomUUID } from "node:crypto";
 import { resolveGitHubActionsRunUrl } from "./_github-actions-run-url.js";
+import { DeletePlanValidationStatuses } from "./planner/index.js";
 export class CleanupRunWriter {
     #database;
+    #insertSelectedTagStatement;
+    #updateSelectedTagsDeletedStatement;
+    #insertRootDecisionStatement;
+    #insertProtectedRootBlockStatement;
+    #insertCleanupRunStatement;
     constructor(database) {
         this.#database = database;
+        this.#insertSelectedTagStatement = this.#database.prepare(`
+      INSERT INTO cleanup_selected_tags(
+        cleanup_run_id,
+        scan_id,
+        tag,
+        is_deleted
+      )
+      VALUES(?, ?, ?, 0)
+    `);
+        this.#updateSelectedTagsDeletedStatement = this.#database.prepare(`
+      UPDATE cleanup_selected_tags
+      SET is_deleted = 1
+      FROM cleanup_root_decisions decision
+      JOIN manifests manifest
+        ON manifest.scan_id = decision.scan_id
+       AND manifest.digest = decision.digest
+      JOIN tags
+        ON tags.scan_id = manifest.scan_id
+       AND tags.version_id = manifest.version_id
+      WHERE cleanup_selected_tags.cleanup_run_id = ?
+        AND cleanup_selected_tags.scan_id = ?
+        AND decision.cleanup_run_id = cleanup_selected_tags.cleanup_run_id
+        AND decision.scan_id = cleanup_selected_tags.scan_id
+        AND decision.validation_status != 'blocked'
+        AND tags.tag = cleanup_selected_tags.tag
+    `);
+        this.#insertRootDecisionStatement = this.#database.prepare(`
+      INSERT INTO cleanup_root_decisions(
+        cleanup_run_id,
+        scan_id,
+        digest,
+        selection_mode,
+        selection_reason,
+        validation_status,
+        validation_reason_code,
+        validation_reason,
+        blocking_digest,
+        overlap_digest
+      )
+      VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
+        this.#insertProtectedRootBlockStatement = this.#database.prepare(`
+      INSERT INTO cleanup_protected_root_blocks(
+        cleanup_run_id,
+        scan_id,
+        protected_digest,
+        blocked_digest,
+        block_reason_code,
+        overlap_digest
+      )
+      VALUES(?, ?, ?, ?, ?, ?)
+    `);
+        this.#insertCleanupRunStatement = this.#database.prepare(`
+      INSERT INTO cleanup_runs(
+        scan_id,
+        cleanup_uuid,
+        cleanup_started_at,
+        github_actions_run_url,
+        dry_run,
+        planner_inputs_json,
+        direct_target_tag_count,
+        direct_target_root_count,
+        delete_root_candidate_count,
+        untag_only_root_count,
+        fully_deletable_root_count,
+        blocked_delete_root_count,
+        protected_root_count
+      )
+      VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
     }
     persistCleanupRun(scanId, plan, options) {
         return this.#database.transaction(() => {
             const cleanupRunId = this.#insertCleanupRun(scanId, plan, options);
             for (const rootDecision of plan.rootDecisions) {
-                this.#database
-                    .prepare(`
-              INSERT INTO cleanup_root_decisions(
-                cleanup_run_id,
-                scan_id,
-                digest,
-                selection_mode,
-                selection_reason,
-                validation_status,
-                validation_reason_code,
-                validation_reason,
-                blocking_digest,
-                overlap_digest
-              )
-              VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-            `)
-                    .run(cleanupRunId, scanId, rootDecision.digest, rootDecision.selectionMode, rootDecision.selectionReason, rootDecision.validationStatus, rootDecision.validationReasonCode, rootDecision.validationReason, rootDecision.blockingDigest ?? null, rootDecision.overlapDigest ?? null);
+                this.#insertRootDecisionStatement.run(cleanupRunId, scanId, rootDecision.digest, rootDecision.selectionMode, rootDecision.selectionReason, rootDecision.validationStatus, rootDecision.validationReasonCode, rootDecision.validationReason, rootDecision.blockingDigest ?? null, rootDecision.overlapDigest ?? null);
             }
             for (const protectedRoot of plan.protectedRoots) {
                 for (const block of protectedRoot.blocks) {
-                    this.#database
-                        .prepare(`
-                INSERT INTO cleanup_protected_root_blocks(
-                  cleanup_run_id,
-                  scan_id,
-                  protected_digest,
-                  blocked_digest,
-                  block_reason_code,
-                  overlap_digest
-                )
-                VALUES(?, ?, ?, ?, ?, ?)
-              `)
-                        .run(cleanupRunId, scanId, protectedRoot.digest, block.blockedDigest, block.blockReasonCode, block.overlapDigest);
+                    this.#insertProtectedRootBlockStatement.run(cleanupRunId, scanId, protectedRoot.digest, block.blockedDigest, block.blockReasonCode, block.overlapDigest);
                 }
             }
+            for (const tag of plan.directTargetTags) {
+                this.#insertSelectedTagStatement.run(cleanupRunId, scanId, tag);
+            }
+            this.#updateSelectedTagsDeletedStatement.run(cleanupRunId, scanId);
             return cleanupRunId;
         })();
     }
     #insertCleanupRun(scanId, plan, options) {
-        const result = this.#database
-            .prepare(`
-          INSERT INTO cleanup_runs(
-            scan_id,
-            cleanup_uuid,
-            cleanup_started_at,
-            github_actions_run_url,
-            dry_run,
-            planner_inputs_json,
-            direct_target_tag_count,
-            direct_target_root_count,
-            delete_root_candidate_count,
-            untag_only_root_count,
-            fully_deletable_root_count,
-            blocked_delete_root_count,
-            protected_root_count
-          )
-          VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-        `)
-            .run(scanId, randomUUID(), options.cleanupStartedAt, resolveGitHubActionsRunUrl(), options.dryRun ? 1 : 0, JSON.stringify(plan.plannerInputs), plan.validationSummary.directTargetTagCount, plan.validationSummary.directTargetRootCount, plan.validationSummary.deleteRootCandidateCount, plan.validationSummary.untagOnlyRootCount, plan.validationSummary.fullyDeletableRootCount, plan.validationSummary.blockedDeleteRootCount, plan.validationSummary.protectedRootCount);
+        const directTargetTagCount = plan.directTargetTags.length;
+        const directTargetRootCount = plan.directTargetRoots.length;
+        const deleteRootCandidateCount = plan.directTargetRoots.filter((root) => root.selectionMode === "delete-root").length;
+        const untagOnlyRootCount = plan.rootDecisions.filter((decision) => decision.validationStatus === DeletePlanValidationStatuses.untagOnly).length;
+        const fullyDeletableRootCount = plan.fullyDeletableRoots.length;
+        const blockedDeleteRootCount = plan.rootDecisions.filter((decision) => decision.validationStatus === DeletePlanValidationStatuses.blocked).length;
+        const protectedRootCount = plan.protectedRoots.length;
+        const result = this.#insertCleanupRunStatement.run(scanId, randomUUID(), options.cleanupStartedAt, resolveGitHubActionsRunUrl(), options.dryRun ? 1 : 0, JSON.stringify(plan.plannerInputs), directTargetTagCount, directTargetRootCount, deleteRootCandidateCount, untagOnlyRootCount, fullyDeletableRootCount, blockedDeleteRootCount, protectedRootCount);
         return Number(result.lastInsertRowid);
     }
 }

package/dist/db/_db-merge-cleanup-copy.js

@@ -1,7 +1,30 @@
 export class DbMergeCleanupCopy {
     #database;
+    #insertCleanupRunStatement;
+    #copyRootDecisionsStatementByAttachName = new Map();
+    #copySelectedTagsStatementByAttachName = new Map();
+    #copyProtectedRootBlocksStatementByAttachName = new Map();
+    #listCleanupUuidsStatementByTableName = new Map();
     constructor(database) {
         this.#database = database;
+        this.#insertCleanupRunStatement = this.#database.prepare(`
+      INSERT INTO cleanup_runs(
+        scan_id,
+        cleanup_uuid,
+        cleanup_started_at,
+        github_actions_run_url,
+        dry_run,
+        planner_inputs_json,
+        direct_target_tag_count,
+        direct_target_root_count,
+        delete_root_candidate_count,
+        untag_only_root_count,
+        fully_deletable_root_count,
+        blocked_delete_root_count,
+        protected_root_count
+      )
+      VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `);
     }
     copyCleanupRuns(attachName, sourceScanId, targetScanId, existingCleanupUuids) {
         const rows = this.#database
@@ -31,92 +54,119 @@ export class DbMergeCleanupCopy {
             if (knownCleanupUuids.has(row.cleanup_uuid)) {
                 continue;
             }
-            const cleanupRunId = Number(this.#database
-                .prepare(`
-              INSERT INTO cleanup_runs(
-                scan_id,
-                cleanup_uuid,
-                cleanup_started_at,
-                github_actions_run_url,
-                dry_run,
-                planner_inputs_json,
-                direct_target_tag_count,
-                direct_target_root_count,
-                delete_root_candidate_count,
-                untag_only_root_count,
-                fully_deletable_root_count,
-                blocked_delete_root_count,
-                protected_root_count
-              )
-              VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-            `)
-                .run(targetScanId, row.cleanup_uuid, row.cleanup_started_at, row.github_actions_run_url, row.dry_run, row.planner_inputs_json, row.direct_target_tag_count, row.direct_target_root_count, row.delete_root_candidate_count, row.untag_only_root_count, row.fully_deletable_root_count, row.blocked_delete_root_count, row.protected_root_count).lastInsertRowid);
-            this.#database
-                .prepare(`
-            INSERT INTO cleanup_root_decisions(
-              cleanup_run_id,
-              scan_id,
-              digest,
-              selection_mode,
-              selection_reason,
-              validation_status,
-              validation_reason_code,
-              validation_reason,
-              blocking_digest,
-              overlap_digest
-            )
-            SELECT
-              ?,
-              ?,
-              digest,
-              selection_mode,
-              selection_reason,
-              validation_status,
-              validation_reason_code,
-              validation_reason,
-              blocking_digest,
-              overlap_digest
-            FROM ${attachName}.cleanup_root_decisions
-            WHERE cleanup_run_id = ?
-              AND scan_id = ?
-          `)
-                .run(cleanupRunId, targetScanId, row.cleanup_run_id, sourceScanId);
-            this.#database
-                .prepare(`
-            INSERT INTO cleanup_protected_root_blocks(
-              cleanup_run_id,
-              scan_id,
-              protected_digest,
-              blocked_digest,
-              block_reason_code,
-              overlap_digest
-            )
-            SELECT
-              ?,
-              ?,
-              protected_digest,
-              blocked_digest,
-              block_reason_code,
-              overlap_digest
-            FROM ${attachName}.cleanup_protected_root_blocks
-            WHERE cleanup_run_id = ?
-              AND scan_id = ?
-          `)
-                .run(cleanupRunId, targetScanId, row.cleanup_run_id, sourceScanId);
+            const cleanupRunId = Number(this.#insertCleanupRunStatement.run(targetScanId, row.cleanup_uuid, row.cleanup_started_at, row.github_actions_run_url, row.dry_run, row.planner_inputs_json, row.direct_target_tag_count, row.direct_target_root_count, row.delete_root_candidate_count, row.untag_only_root_count, row.fully_deletable_root_count, row.blocked_delete_root_count, row.protected_root_count).lastInsertRowid);
+            this.#copyRootDecisionsStatement(attachName).run(cleanupRunId, targetScanId, row.cleanup_run_id, sourceScanId);
+            this.#copySelectedTagsStatement(attachName).run(cleanupRunId, targetScanId, row.cleanup_run_id, sourceScanId);
+            this.#copyProtectedRootBlocksStatement(attachName).run(cleanupRunId, targetScanId, row.cleanup_run_id, sourceScanId);
             knownCleanupUuids.add(row.cleanup_uuid);
             importedCleanupRunCount += 1;
         }
         return importedCleanupRunCount;
     }
     listCleanupUuids(tableName, scanId) {
-        const rows = this.#database
-            .prepare(`
-          SELECT cleanup_uuid
-          FROM ${tableName}
-          WHERE scan_id = ?
-          ORDER BY cleanup_run_id
-        `)
-            .all(scanId);
+        const rows = this.#listCleanupUuidsStatement(tableName).all(scanId);
         return rows.map((row) => row.cleanup_uuid);
     }
+    #copyRootDecisionsStatement(attachName) {
+        const cached = this.#copyRootDecisionsStatementByAttachName.get(attachName);
+        if (cached) {
+            return cached;
+        }
+        const statement = this.#database.prepare(`
+      INSERT INTO cleanup_root_decisions(
+        cleanup_run_id,
+        scan_id,
+        digest,
+        selection_mode,
+        selection_reason,
+        validation_status,
+        validation_reason_code,
+        validation_reason,
+        blocking_digest,
+        overlap_digest
+      )
+      SELECT
+        ?,
+        ?,
+        digest,
+        selection_mode,
+        selection_reason,
+        validation_status,
+        validation_reason_code,
+        validation_reason,
+        blocking_digest,
+        overlap_digest
+      FROM ${attachName}.cleanup_root_decisions
+      WHERE cleanup_run_id = ?
+        AND scan_id = ?
+    `);
+        this.#copyRootDecisionsStatementByAttachName.set(attachName, statement);
+        return statement;
+    }
+    #copySelectedTagsStatement(attachName) {
+        const cached = this.#copySelectedTagsStatementByAttachName.get(attachName);
+        if (cached) {
+            return cached;
+        }
+        const statement = this.#database.prepare(`
+      INSERT INTO cleanup_selected_tags(
+        cleanup_run_id,
+        scan_id,
+        tag,
+        is_deleted
+      )
+      SELECT
+        ?,
+        ?,
+        tag,
+        is_deleted
+      FROM ${attachName}.cleanup_selected_tags
+      WHERE cleanup_run_id = ?
+        AND scan_id = ?
+    `);
+        this.#copySelectedTagsStatementByAttachName.set(attachName, statement);
+        return statement;
+    }
+    #copyProtectedRootBlocksStatement(attachName) {
+        const cached = this.#copyProtectedRootBlocksStatementByAttachName.get(attachName);
+        if (cached) {
+            return cached;
+        }
+        const statement = this.#database.prepare(`
+      INSERT INTO cleanup_protected_root_blocks(
+        cleanup_run_id,
+        scan_id,
+        protected_digest,
+        blocked_digest,
+        block_reason_code,
+        overlap_digest
+      )
+      SELECT
+        ?,
+        ?,
+        protected_digest,
+        blocked_digest,
+        block_reason_code,
+        overlap_digest
+      FROM ${attachName}.cleanup_protected_root_blocks
+      WHERE cleanup_run_id = ?
+        AND scan_id = ?
+    `);
+        this.#copyProtectedRootBlocksStatementByAttachName.set(attachName, statement);
+        return statement;
+    }
+    #listCleanupUuidsStatement(tableName) {
+        const cached = this.#listCleanupUuidsStatementByTableName.get(tableName);
+        if (cached) {
+            return cached;
+        }
+        const statement = this.#database.prepare(`
+      SELECT cleanup_uuid
+      FROM ${tableName}
+      WHERE scan_id = ?
+      ORDER BY cleanup_run_id
+    `);
+        this.#listCleanupUuidsStatementByTableName.set(tableName, statement);
+        return statement;
+    }
 }

package/dist/db/_db-merge-scan-copy.js

@@ -25,7 +25,7 @@ export class DbMergeScanCopy {
         const copySpecs = [
             "package_versions(scan_id, version_id, created_at, updated_at)",
             "package_version_payloads(scan_id, version_id, raw_json)",
-            "tags(scan_id, tag, version_id)",
+            "tags(scan_id, tag, version_id, is_digest_tag)",
             "manifests(scan_id, version_id, digest, media_type, artifact_type, config_media_type, subject_digest, annotations_json, platform_os, platform_architecture, platform_variant, manifest_kind)",
             "manifest_descriptors(scan_id, parent_digest, child_digest, media_type, artifact_type, platform_os, platform_architecture, platform_variant)",
             "manifest_payloads(scan_id, digest, raw_json)",

package/dist/db/_manifest-kind-refinement.d.ts

@@ -0,0 +1,2 @@
+import type Database from "better-sqlite3";
+export declare function refineManifestKinds(database: Database.Database, scanId: number): void;

package/dist/db/_manifest-kind-refinement.js

@@ -0,0 +1,43 @@
+import { ManifestKinds } from "../core/index.js";
+const _refineManifestKindsStatementByDatabase = new WeakMap();
+export function refineManifestKinds(database, scanId) {
+    _refineManifestKindsStatement(database).run(ManifestKinds.crossArchManifest, scanId, ManifestKinds.indexManifest);
+}
+function _refineManifestKindsStatement(database) {
+    const cached = _refineManifestKindsStatementByDatabase.get(database);
+    if (cached) {
+        return cached;
+    }
+    const statement = database.prepare(`
+    UPDATE manifests AS parent
+    SET manifest_kind = ?
+    WHERE parent.scan_id = ?
+      AND parent.manifest_kind = ?
+      AND parent.media_type IN (
+        'application/vnd.oci.image.index.v1+json',
+        'application/vnd.docker.distribution.manifest.list.v2+json'
+      )
+      AND NOT EXISTS (
+        SELECT 1
+        FROM tags helper_tag
+        WHERE helper_tag.scan_id = parent.scan_id
+          AND helper_tag.version_id = parent.version_id
+          AND helper_tag.is_digest_tag = 1
+      )
+      AND EXISTS (
+        SELECT 1
+        FROM manifest_descriptors descriptor
+        JOIN manifests child
+          ON child.scan_id = descriptor.scan_id
+         AND child.digest = descriptor.child_digest
+        WHERE descriptor.scan_id = parent.scan_id
+          AND descriptor.parent_digest = parent.digest
+          AND child.media_type IN (
+            'application/vnd.oci.image.manifest.v1+json',
+            'application/vnd.docker.distribution.manifest.v2+json'
+          )
+      )
+  `);
+    _refineManifestKindsStatementByDatabase.set(database, statement);
+    return statement;
+}

package/dist/db/_manifest-reachability.js

@@ -1,4 +1,5 @@
 export function rebuildManifestReachability(database, scanId) {
+    _refreshDigestTagEdges(database, scanId);
     const manifestDigests = _loadManifestDigests(database, scanId);
     const childDigestsByParent = new Map();
     const parentDigestsByChild = new Map();
@@ -70,6 +71,30 @@ export function rebuildManifestReachability(database, scanId) {
     });
     rebuild();
 }
+function _refreshDigestTagEdges(database, scanId) {
+    database.prepare("DELETE FROM manifest_edges WHERE scan_id = ? AND edge_kind = 'digest-tag-referrer'").run(scanId);
+    database
+        .prepare(`
+        INSERT OR IGNORE INTO manifest_edges(scan_id, parent_digest, child_digest, edge_kind)
+        SELECT
+          t.scan_id,
+          'sha256:' || SUBSTR(t.tag, 8, 64) AS parent_digest,
+          m.digest AS child_digest,
+          'digest-tag-referrer' AS edge_kind
+        FROM tags t
+        JOIN manifests m
+          ON m.scan_id = t.scan_id
+         AND m.version_id = t.version_id
+        JOIN manifests parent_manifest
+          ON parent_manifest.scan_id = t.scan_id
+         AND parent_manifest.digest = 'sha256:' || SUBSTR(t.tag, 8, 64)
+        WHERE t.scan_id = ?
+          AND t.tag LIKE 'sha256-%'
+          AND LENGTH(t.tag) >= 71
+          AND SUBSTR(t.tag, 8, 64) NOT GLOB '*[^0-9A-Fa-f]*'
+      `)
+        .run(scanId);
+}
 function _loadManifestDigests(database, scanId) {
     const rows = database
         .prepare("SELECT digest FROM manifests WHERE scan_id = ? ORDER BY digest")