feat(find-images): 4509 include archives in find image

[chaospuppy]

Description

This MR resolves #4577 by doing the following:

• Allow schema validation to succeed by removing findings related to an empty image list under imageArchives keys. Currently this finding is only removed when calling PackageDefinition from FindImages
• Add FindImagesInArchive to identify and return all images in imageArchives.path
• Update unit tests

Related Issue

Fixes #4577

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide Steps followed

[netlify]

✅ Deploy Preview for zarf-docs ready!

Name	Link
🔨 Latest commit	c67b9be
🔍 Latest deploy log	https://app.netlify.com/projects/zarf-docs/deploys/69de69f570f9900008bf1d7f
😎 Deploy Preview	https://deploy-preview-4551--zarf-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[chaospuppy]

@AustinAbro321 when you have a moment, please take a look. I am still going to update a few unit tests.

[codecov]

Codecov Report

❌ Patch coverage is 56.65236% with 101 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/cmd/dev.go	0.00%	38 Missing ⚠️
src/pkg/packager/find_images.go	65.62%	15 Missing and 7 partials ⚠️
src/pkg/images/unpack.go	64.15%	12 Missing and 7 partials ⚠️
src/pkg/packager/update.go	76.47%	11 Missing and 5 partials ⚠️
src/pkg/images/common.go	40.00%	4 Missing and 2 partials ⚠️

Files with missing lines	Coverage Δ
src/pkg/packager/load/load.go	43.45% <ø> (ø)
src/pkg/images/common.go	35.87% <40.00%> (+0.34%)	⬆️
src/pkg/packager/update.go	56.91% <76.47%> (+8.95%)	⬆️
src/pkg/images/unpack.go	59.74% <64.15%> (+5.64%)	⬆️
src/pkg/packager/find_images.go	57.25% <65.62%> (+1.39%)	⬆️
src/cmd/dev.go	43.32% <0.00%> (-2.33%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[AustinAbro321]

Good start! Thanks for taking this on

[AustinAbro321]

The extraction logic in this block is mostly duplicated. Lets make a common function to de-duplicate it

[chaospuppy]

Made a few changes with this in mind

[AustinAbro321]

I'd prefer a strategy where we create a function load.PackageDefinitionNoValidate() then also make a public function load.Validate(). Keep the load.PackageDefinition function this way validation happens by default.

I believe a public validate function could be generally useful for SDK users who might be creating packages without zarf.yaml files, additionally it'll leave more room in the future for more generic solutions if we need to skip validation for a similar reason

[chaospuppy]

I'm happy to make that split still, but our failure was while validating the file itself here, rather than during the validation of v1alpha1.ZarfPackage. Therefore, it wasn't useful for us to delay validation after adding a placeholder image as we previously discussed to the v1alpha1.ZarfPackage.

I could split them and then add some work to change the zarf.ymal on disk to add an empty array there, but that didn't seem like desirable behavior.

[chaospuppy]

Alternatively, I could also split out a Validate and ValidateWithoutSchemaValidation (not literally that name, but something like that) and use the later

[AustinAbro321]

I think matched images isn't the right construct. Maybe a new field should be added such as archiveImages. One of the goals of find-images is to be able to copy and paste the output into your zarf.yaml. Currently you'd see this output, which would result in trying to pull the image from the internet if you copied and pasted it

2026-01-27 16:38:42 INF looking up cosign artifacts for discovered images count=3

components:
  - name: kiwix-serve
    images:
      - docker.io/library/kiwix-data:local
      - ghcr.io/kiwix/kiwix-serve:3.5.0-2
      - kiwix-data:local

[chaospuppy]

I see, good point, I missed the desire to pull images from the image archive on disk after zarf.yaml has been updated with the output of zarf dev find-images. I'll fix that up!

[chaospuppy]

@AustinAbro321 to clarify, are you hoping to see images elements expressed in a such as way as to direct Zarf to pull them from the archive, rather than from the internet?

[chaospuppy]

Ah I missed your comment before asking, I think I see the answer in #4577

[AustinAbro321]

Just went back and clarified #4577 a bit, but just to write here as well, we should no longer include images because they're in an image archive. If they're in both a manifest we should check if the image archive contains that image, then in the output to the user structure it so it's in the image archive, and the user can simply copy and paste.

[AustinAbro321]

Hello @chaospuppy, I reazlied that the behavior I proposed in #4509, didn't really fit the zarf dev find-images command. However, there is still work to be done to get image archives to behave properly for zarf dev find-images. I've created #4577 to track this work. If you're interested, I believe this PR could be adjusted for that issue. LMK if you have any questions.

If you do adjust this PR for #4577, don't worry about validation, assume the given zarf.yaml file is valid

[chaospuppy]

@AustinAbro321 Are you thinking about handling validation differently in the near future? Trying to get an understanding for which changes I should back out. I am also happy to keep the validation changes in, including making Validation public and creating PackageDefinitionWithoutValidation.

[AustinAbro321]

@chaospuppy Very possibly handling validation in the near future yes. I suggest backing out of the validation changes in this PR

[chaospuppy]

I considered using v1alpha1.ZarfComponent.ImageArchive here, but thought perhaps there could be some divergence in the future. Let me know if you'd prefer the re-use of v1alpha1.ZarfComponent.ImageArchive

[AustinAbro321]

I think they are coupled in that if image archives were to change, we'd also want to change this block since ultimately we'd want to use the information here to update / print a package definition

[AustinAbro321]

Good progress. When running this locally on examples/kiwix I get

components:
  - name: kiwix-serve
    images:
      - ghcr.io/kiwix/kiwix-serve:3.5.0-2
      - kiwix-data:local
  # Archive images - kiwix-serve
  - name: kiwix-serve
    imageArchives:
      - path: kiwix-data.tar
        images: []

Whereas I'd expect

  - name: kiwix-serve
    images:
      - ghcr.io/kiwix/kiwix-serve:3.5.0-2
    imageArchives:
      - path: kiwix-data.tar
        images: 
         - kiwix-data:local

The kiwix-data:local is in the wrong spot, and they are printed as different components.

[AustinAbro321]

I think they are coupled in that if image archives were to change, we'd also want to change this block since ultimately we'd want to use the information here to update / print a package definition

[chaospuppy]

@AustinAbro321 I've resolved the duplicate components issue, thanks for spotting that. To your point about kiwix-data:local missing from imageArchives, I'm wondering how we want to handle that exactly. Since creating a tarball of an image tagged without a registry with docker save always results in an index.json io.containerd.image.name that is pre-pended with docker.io/library/, there is some ambiguity over if kiwix-data:local really does correspond to docker.io/library/kiwix-data:local found in the archive. The user could also be looking for ghcr.io/kiwix/kiwix-data:local, for example. Are do we also want to assume that images without registries in their references refer to docker.io/library images?

[AustinAbro321]

So a fun thing about containers is that if the registry is not specified then it's always assumed to be docker.io. Docker was the registry that popularized containers, so they made themselves the default. Generally the community wants to move away from this. IMO it would be a positive change if the find images command started returning the full path, so instead of kiwix-data:local, it'd return docker.io/library/kiwix-data:local. This should simplify things for you as well.

You should be able to use the transform.ParseImageRef library to get the qualified name.

[chaospuppy]

@AustinAbro321 updated to return qualified names for scan Matches. I did not do the same for PotentialMatches since if I understand the use case for PotentialMatches, we wouldn't want to push an image to the zarf registry from the archive that isn't actually used.

[AustinAbro321]

Good progress, some more requests as I go through

[AustinAbro321]

Requesting an architecture change. Appreciate the iterations

[AustinAbro321]

I'm thinking more about the architecture we're going with here. I'd like to see this function private and another abstract function introduced FindDefinitionImages. This function would return a struct like this, and would do the logic of filtering the images.

  type DefinitionImageResult struct {                                                                                                                           
      ComponentImageScan                                                                                                                                                
      ImageArchives []v1alpha1.ImageArchive
  }  

This should solve a few problems:

1. dev.go and UpdateImages will be simplified since all data will already be in one struct
2. when --why is used, we can just call the original Packager.FindImages, it's no longer order dependent in dev.go
3. We can introduce a private function packager.findImages which accepts a package definition. This way we only have to load the package once.

[chaospuppy]

I'm a little confused around FindDefinitionImages returning a struct like DefinitionImageResult. I'm thinking FindDefinitionImages would need to return a []DefinitionImageResult to that the rest of the logic in dev.go and UpdateImages can remain relatively unchanged. Is that right?

Aside from that, I'm also not totally certain I understand the situations in which we call packager.FindImages, packer.findImages, and packager.FindDefintionImages. My current idea is this:

• FindImages is only called if --why is set, in dev.go
• FindDefinitionImages is called if --why is not set, in dev.go
• findImages is called by both FindImages and FindDefinitionImages
• Both FindImages and FindDefintitionImages handle loading the package before passing it as an argument to findImages

Is that right?

[AustinAbro321]

Yes, I misspoke, it would return the struct. Your understanding and flow is correct