feat(find-images): 4509 include archives in find image

[chaospuppy]

Description

This MR resolves #4577 by doing the following:

• Allow schema validation to succeed by removing findings related to an empty image list under imageArchives keys. Currently this finding is only removed when calling PackageDefinition from FindImages
• Add FindImagesInArchive to identify and return all images in imageArchives.path
• Update unit tests

Related Issue

Fixes #4577

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide Steps followed

[netlify]

✅ Deploy Preview for zarf-docs ready!

Name	Link
🔨 Latest commit	439a463
🔍 Latest deploy log	https://app.netlify.com/projects/zarf-docs/deploys/69ec06f511d0680008ccbe2c
😎 Deploy Preview	https://deploy-preview-4551--zarf-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[chaospuppy]

@AustinAbro321 when you have a moment, please take a look. I am still going to update a few unit tests.

[codecov]

Codecov Report

❌ Patch coverage is 56.83761% with 101 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/cmd/dev.go	0.00%	38 Missing ⚠️
src/pkg/packager/find_images.go	67.56%	16 Missing and 8 partials ⚠️
src/pkg/images/unpack.go	64.15%	12 Missing and 7 partials ⚠️
src/pkg/packager/update.go	76.27%	9 Missing and 5 partials ⚠️
src/pkg/images/common.go	40.00%	4 Missing and 2 partials ⚠️

Files with missing lines	Coverage Δ
src/pkg/packager/load/load.go	43.02% <ø> (ø)
src/pkg/images/common.go	35.87% <40.00%> (+0.34%)	⬆️
src/pkg/packager/update.go	55.55% <76.27%> (+7.59%)	⬆️
src/pkg/images/unpack.go	59.74% <64.15%> (+5.64%)	⬆️
src/pkg/packager/find_images.go	57.98% <67.56%> (+2.36%)	⬆️
src/cmd/dev.go	44.02% <0.00%> (-1.79%)	⬇️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[AustinAbro321]

Good start! Thanks for taking this on

[AustinAbro321]

The extraction logic in this block is mostly duplicated. Lets make a common function to de-duplicate it

[chaospuppy]

Made a few changes with this in mind

[AustinAbro321]

I'd prefer a strategy where we create a function load.PackageDefinitionNoValidate() then also make a public function load.Validate(). Keep the load.PackageDefinition function this way validation happens by default.

I believe a public validate function could be generally useful for SDK users who might be creating packages without zarf.yaml files, additionally it'll leave more room in the future for more generic solutions if we need to skip validation for a similar reason

[chaospuppy]

I'm happy to make that split still, but our failure was while validating the file itself here, rather than during the validation of v1alpha1.ZarfPackage. Therefore, it wasn't useful for us to delay validation after adding a placeholder image as we previously discussed to the v1alpha1.ZarfPackage.

I could split them and then add some work to change the zarf.ymal on disk to add an empty array there, but that didn't seem like desirable behavior.

[chaospuppy]

Alternatively, I could also split out a Validate and ValidateWithoutSchemaValidation (not literally that name, but something like that) and use the later

[AustinAbro321]

I think matched images isn't the right construct. Maybe a new field should be added such as archiveImages. One of the goals of find-images is to be able to copy and paste the output into your zarf.yaml. Currently you'd see this output, which would result in trying to pull the image from the internet if you copied and pasted it

2026-01-27 16:38:42 INF looking up cosign artifacts for discovered images count=3

components:
  - name: kiwix-serve
    images:
      - docker.io/library/kiwix-data:local
      - ghcr.io/kiwix/kiwix-serve:3.5.0-2
      - kiwix-data:local

[chaospuppy]

I see, good point, I missed the desire to pull images from the image archive on disk after zarf.yaml has been updated with the output of zarf dev find-images. I'll fix that up!

[chaospuppy]

@AustinAbro321 to clarify, are you hoping to see images elements expressed in a such as way as to direct Zarf to pull them from the archive, rather than from the internet?

[chaospuppy]

Ah I missed your comment before asking, I think I see the answer in #4577

[AustinAbro321]

Just went back and clarified #4577 a bit, but just to write here as well, we should no longer include images because they're in an image archive. If they're in both a manifest we should check if the image archive contains that image, then in the output to the user structure it so it's in the image archive, and the user can simply copy and paste.

[AustinAbro321]

Hello @chaospuppy, I reazlied that the behavior I proposed in #4509, didn't really fit the zarf dev find-images command. However, there is still work to be done to get image archives to behave properly for zarf dev find-images. I've created #4577 to track this work. If you're interested, I believe this PR could be adjusted for that issue. LMK if you have any questions.

If you do adjust this PR for #4577, don't worry about validation, assume the given zarf.yaml file is valid

[chaospuppy]

@AustinAbro321 Are you thinking about handling validation differently in the near future? Trying to get an understanding for which changes I should back out. I am also happy to keep the validation changes in, including making Validation public and creating PackageDefinitionWithoutValidation.

[AustinAbro321]

@chaospuppy Very possibly handling validation in the near future yes. I suggest backing out of the validation changes in this PR

[AustinAbro321]

Good progress. When running this locally on examples/kiwix I get

components:
  - name: kiwix-serve
    images:
      - ghcr.io/kiwix/kiwix-serve:3.5.0-2
      - kiwix-data:local
  # Archive images - kiwix-serve
  - name: kiwix-serve
    imageArchives:
      - path: kiwix-data.tar
        images: []

Whereas I'd expect

  - name: kiwix-serve
    images:
      - ghcr.io/kiwix/kiwix-serve:3.5.0-2
    imageArchives:
      - path: kiwix-data.tar
        images: 
         - kiwix-data:local

The kiwix-data:local is in the wrong spot, and they are printed as different components.

[AustinAbro321]

I think they are coupled in that if image archives were to change, we'd also want to change this block since ultimately we'd want to use the information here to update / print a package definition

[chaospuppy]

@AustinAbro321 I've resolved the duplicate components issue, thanks for spotting that. To your point about kiwix-data:local missing from imageArchives, I'm wondering how we want to handle that exactly. Since creating a tarball of an image tagged without a registry with docker save always results in an index.json io.containerd.image.name that is pre-pended with docker.io/library/, there is some ambiguity over if kiwix-data:local really does correspond to docker.io/library/kiwix-data:local found in the archive. The user could also be looking for ghcr.io/kiwix/kiwix-data:local, for example. Are do we also want to assume that images without registries in their references refer to docker.io/library images?

[AustinAbro321]

So a fun thing about containers is that if the registry is not specified then it's always assumed to be docker.io. Docker was the registry that popularized containers, so they made themselves the default. Generally the community wants to move away from this. IMO it would be a positive change if the find images command started returning the full path, so instead of kiwix-data:local, it'd return docker.io/library/kiwix-data:local. This should simplify things for you as well.

You should be able to use the transform.ParseImageRef library to get the qualified name.

[chaospuppy]

@AustinAbro321 updated to return qualified names for scan Matches. I did not do the same for PotentialMatches since if I understand the use case for PotentialMatches, we wouldn't want to push an image to the zarf registry from the archive that isn't actually used.

[AustinAbro321]

Good progress, some more requests as I go through

[AustinAbro321]

Requesting an architecture change. Appreciate the iterations

[chaospuppy]

I considered excluding results that were only populated with ComponentName.

[AustinAbro321]

I think it's fine to assume findImages won't return empty scans

[AustinAbro321]

The architecture is shaping up, a few more comments

[AustinAbro321]

You need to pass all of the relevant loadOptions here

[AustinAbro321]

This part needs to be outside of the loop so it works for multiple image archives in the same component

[AustinAbro321]

Suggested change

	archivePath := path.Join(pkgPath.BaseDir, archive.Path)
	archivePath := filepath.Join(pkgPath.BaseDir, archive.Path)

path is used for consistent separators, where filepath changes the separator depending on the OS so we want the latter here

[AustinAbro321]

I think it's fine to assume findImages won't return empty scans