Made the image digest exporter report image digest if there is only one image.

Currently the image digest exporter does not implemented the behavior described
in the resources doc, which says "if there are multiple versions of the image,
the latest will be used." Instead, it reports the digest of `index.json`, which
is an image index. This behavior introduces a usability issue: one of the major
public container registry --- dockerhub --- does not support OCI image indices,
and there are very few tools (if any) that support converting OCI image indices
to docker manifest lists. Skopeo currently only support pushing an OCI image
index that contain only one image. If the index has more than one images, it
requires the user to specify one:
containers/skopeo#107
containers/image#400

Essentially, these limitations make the image digest exporter useless. To make
this feature useful, the exporter could instead implement the following behavior:

1. If there is only one image in `index.json`, report the image's digest.

2. If there are multiple images, report the digest of the full index.

The advantage of this behavior is that, we can immediately use it (in conjunction
of GoogleContainerTools/kaniko#744), yet if multi-image
manifests are more widely supported, the image digest exporter can still support
that without any modification.

Author: chhsia0

cmd/imagedigestexporter/main.go

@@ -22,6 +22,7 @@ import (
 	"log"
 	"os"
 
+	"github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/layout"
 	v1alpha1 "github.com/tektoncd/pipeline/pkg/apis/pipeline/v1alpha1"
 )
@@ -55,9 +56,19 @@ func main() {
 			log.Printf("ImageResource %s doesn't have an index.json file: %s", imageResource.Name, err)
 			continue
 		}
-		digest, err := ii.Digest()
+		// If there is only one image in the index, report the digest of the image; otherwise, report the digest of the whole index.
+		digest, err := func() (v1.Hash, error) {
+			im, err := ii.IndexManifest()
+			if err != nil {
+				return v1.Hash{}, err
+			}
+			if len(im.Manifests) == 1 {
+				return im.Manifests[0].Digest, nil
+			}
+			return ii.Digest()
+		}()
 		if err != nil {
-			log.Fatalf("Unexpected error getting image digest %v: %v", imageResource, err)
+			log.Fatalf("Unexpected error getting image digest for %s: %v", imageResource.Name, err)
 		}
 		output = append(output, v1alpha1.PipelineResourceResult{Name: imageResource.Name, Digest: digest.String()})
 	}

docs/resources.md

@@ -445,9 +445,9 @@ To surface the image digest in the output of the `taskRun` the builder tool
 should produce this information in a
 [OCI Image Spec](https://github.com/opencontainers/image-spec/blob/master/image-layout.md)
 `index.json` file. This file should be placed on a location as specified in the
-task definition under the resource `outputImageDir`. Annotations in `index.json`
-will be ignored, and if there are multiple versions of the image, the latest
-will be used.
+task definition under the resource `outputImageDir`. If there is only one image
+in the `index.json` file, the digest of that image is exported; otherwise, the
+digest of the whole image index would be exported.
 
 For example this build-push task defines the `outputImageDir` for the
 `builtImage` resource in `/workspace/buildImage`