Add last.patched timestamp

Signed-off-by: robert-cronin <[email protected]>

Author: robert-cronin

integration/multiarch/patch_test.go

@@ -387,10 +387,8 @@ func verifyAnnotations(t *testing.T, patchedRef string, platforms []string, repo
 	err = json.Unmarshal(out, &manifest)
 	require.NoError(t, err, "failed to parse manifest JSON")
 
-	// Check index-level annotations (Copa metadata)
+	// Check index-level annotations
 	assert.NotEmpty(t, manifest.Annotations, "index-level annotations should not be empty")
-	assert.Equal(t, "true", manifest.Annotations["sh.copa.patched"], "should have Copa patched annotation")
-	assert.NotEmpty(t, manifest.Annotations["sh.copa.patched.timestamp"], "should have Copa timestamp annotation")
 	assert.NotEmpty(t, manifest.Annotations["org.opencontainers.image.created"], "should have created annotation")
 
 	t.Logf("found %d index-level annotations", len(manifest.Annotations))
@@ -411,6 +409,12 @@ func verifyAnnotations(t *testing.T, patchedRef string, platforms []string, repo
 				t.Logf("platform %s has updated created timestamp: %s", platformStr, createdTime)
 			}
 
+			// Check for Copa last.patched annotation on patched platforms
+			lastPatched, exists := manifestEntry.Annotations["sh.copa.last.patched"]
+			assert.True(t, exists, "patched platform %s should have sh.copa.last.patched annotation", platformStr)
+			assert.NotEmpty(t, lastPatched, "sh.copa.last.patched timestamp should not be empty for patched platform %s", platformStr)
+			t.Logf("platform %s has Copa last.patched timestamp: %s", platformStr, lastPatched)
+
 			t.Logf("platform %s has %d manifest-level annotations", platformStr, len(manifestEntry.Annotations))
 
 			// Verify that ALL original annotations are preserved
@@ -446,7 +450,11 @@ func verifyAnnotations(t *testing.T, patchedRef string, platforms []string, repo
 
 			t.Logf("verified %d original annotations are preserved for platform %s", len(originalAnnotations), platformStr)
 		} else {
-			t.Logf("skipping platform %s (no vulnerability report, not patched)", platformStr)
+			t.Logf("checking platform %s (no vulnerability report, not patched)", platformStr)
+			
+			// Non-patched platforms should NOT have the Copa last.patched annotation
+			_, exists := manifestEntry.Annotations["sh.copa.last.patched"]
+			assert.False(t, exists, "non-patched platform %s should not have sh.copa.last.patched annotation", platformStr)
 		}
 	}
 }

pkg/patch/patch.go

@@ -52,7 +52,6 @@ const (
 	defaultRegistry         = "docker.io"
 	defaultTag              = "latest"
 	LINUX                   = "linux"
-	trueString              = "true"
 	ARM64                   = "arm64"
 	copaAnnotationKeyPrefix = "sh.copa"
 )
@@ -156,19 +155,6 @@ func createMultiPlatformManifest(
 				}
 			}
 
-			// add a custom annotation to indicate this image was patched by Copa
-			patchedKey := exptypes.AnnotationKey{
-				Type: exptypes.AnnotationIndex,
-				Key:  copaAnnotationKeyPrefix + ".patched",
-			}
-			annotations[patchedKey] = trueString
-
-			patchedTimestampKey := exptypes.AnnotationKey{
-				Type: exptypes.AnnotationIndex,
-				Key:  copaAnnotationKeyPrefix + ".patched.timestamp",
-			}
-			annotations[patchedTimestampKey] = time.Now().UTC().Format(time.RFC3339)
-
 			log.Debugf("Preserving %d annotations from original image", len(annotations))
 		} else {
 			log.Info("No annotations found in original image, adding Copa annotations only")
@@ -178,18 +164,6 @@ func createMultiPlatformManifest(
 				Key:  "org.opencontainers.image.created",
 			}
 			annotations[createdKey] = time.Now().UTC().Format(time.RFC3339)
-
-			patchedKey := exptypes.AnnotationKey{
-				Type: exptypes.AnnotationIndex,
-				Key:  copaAnnotationKeyPrefix + ".patched",
-			}
-			annotations[patchedKey] = trueString
-
-			patchedTimestampKey := exptypes.AnnotationKey{
-				Type: exptypes.AnnotationIndex,
-				Key:  copaAnnotationKeyPrefix + ".patched.timestamp",
-			}
-			annotations[patchedTimestampKey] = time.Now().UTC().Format(time.RFC3339)
 		}
 	}
 
@@ -494,6 +468,7 @@ func patchSingleArchImage(
 	// determine which attributes to set for the export
 	attrs := map[string]string{
 		"name": patchedImageName,
+		"annotation." + copaAnnotationKeyPrefix + ".last.patched": time.Now().UTC().Format(time.RFC3339),
 	}
 	if shouldExportOCI {
 		attrs["oci-mediatypes"] = "true"