fix: pinning is broken (#200)

oci/private/BUILD.bazel

@@ -53,6 +53,7 @@ bzl_library(
         "@aspect_bazel_lib//lib:base64",
         "@aspect_bazel_lib//lib:paths",
         "@aspect_bazel_lib//lib:repo_utils",
+        "@bazel_skylib//lib:dicts",
     ],
 )
 

oci/private/pull.bzl

@@ -2,9 +2,11 @@
 
 load("@aspect_bazel_lib//lib:paths.bzl", "BASH_RLOCATION_FUNCTION")
 load("@aspect_bazel_lib//lib:base64.bzl", "base64")
+load("@bazel_skylib//lib:dicts.bzl", "dicts")
 load("//oci/private:download.bzl", "download")
 
-_ATTRS = {
+# attributes that are specific to image reference url. shared between multiple targets
+_IMAGE_REFERENCE_ATTRS = {
     "scheme": attr.string(
         doc = "scheme portion of the URL for fetching from the registry",
         values = ["http", "https"],
@@ -22,13 +24,6 @@ _ATTRS = {
         doc = "The digest or tag of the manifest file",
         mandatory = True,
     ),
-    "platform": attr.string(
-        doc = "A single platform in `os/arch` format, for multi-arch images",
-    ),
-    "target_name": attr.string(
-        doc = "Name given for the image target, e.g. 'image'",
-        mandatory = True,
-    ),
     "config": attr.label(
         doc = "Label to a .docker/config.json file. by default this is generated by oci_auth_config in oci_register_toolchains macro.",
         default = "@oci_auth_config//:config.json",
@@ -446,7 +441,18 @@ def _oci_pull_impl(rctx):
 
 oci_pull = repository_rule(
     implementation = _oci_pull_impl,
-    attrs = _ATTRS,
+    attrs = dicts.add(
+        _IMAGE_REFERENCE_ATTRS,
+        {
+            "platform": attr.string(
+                doc = "A single platform in `os/arch` format, for multi-arch images",
+            ),
+            "target_name": attr.string(
+                doc = "Name given for the image target, e.g. 'image'",
+                mandatory = True,
+            ),
+        },
+    ),
 )
 
 _alias_target = """\
@@ -530,7 +536,7 @@ echo ")"
 def _pin_tag_impl(rctx):
     """Download the tag and create a repository that can produce pinning instructions"""
     downloader = _create_downloader(rctx)
-    downloader.download_manifest(rctx.attr.tag, "manifest_list.json")
+    downloader.download_manifest(rctx.attr.identifier, "manifest_list.json")
     result = rctx.execute(["shasum", "-a", "256", "manifest_list.json"])
     if result.return_code:
         msg = "shasum failed: \nSTDOUT:\n%s\nSTDERR:\n%s" % (result.stdout, result.stderr)
@@ -548,11 +554,7 @@ def _pin_tag_impl(rctx):
 
 pin_tag = repository_rule(
     _pin_tag_impl,
-    attrs = {
-        "image": attr.string(doc = "The name of the image we are fetching, e.g. `gcr.io/distroless/static`", mandatory = True),
-        "tag": attr.string(doc = "The tag being used, e.g. `latest`", mandatory = True),
-        "config": attr.label(doc = "Label to a .docker/config.json file. by default this is generated by oci_auth_config in oci_register_toolchains macro.", default = "@oci_auth_config//:config.json"),
-    },
+    attrs = _IMAGE_REFERENCE_ATTRS,
 )
 
 lib = struct(

oci/pull.bzl

@@ -107,7 +107,13 @@ def oci_pull(name, image = None, repository = None, registry = None, platforms =
         fail("One of 'digest' or 'tag' must be set")
 
     if tag and reproducible:
-        pin_tag(name = name + "_unpinned", image = image, tag = tag)
+        pin_tag(
+            name = name + "_unpinned",
+            scheme = scheme,
+            registry = registry,
+            repository = repository,
+            identifier = digest or tag,
+        )
 
         # Print a command - in the future we should print a buildozer command or
         # buildifier: disable=print