OPSEXP-2764 Avoid manifest not found when pulling via sha digest on quay.io

.github/workflows/main.yml

@@ -59,6 +59,7 @@ jobs:
             echo "image_labels=quay.expires-after=2w" >> $GITHUB_OUTPUT
           fi
           echo "image_created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "timestamp=$(date -u +'%Y%m%d%H%M')" >> $GITHUB_OUTPUT
 
       - name: Login to quay.io
         if: github.actor != 'dependabot[bot]'
@@ -122,10 +123,20 @@ jobs:
           provenance: false
           target: JAVA_BASE_IMAGE
 
-      - name: Push Image to docker.io
+      - name: Push additional timestamped tag to quay.io
         if: github.ref_name == 'master'
         env:
           SRC_IMAGE: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }}
-          DST_IMAGE: ${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }}
+          DST_IMAGE: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }}-${{ steps.vars.outputs.timestamp }}
         run: |
           docker buildx imagetools create ${{ env.SRC_IMAGE }} -t ${{ env.DST_IMAGE }}
+
+      - name: Push images to docker.io
+        if: github.ref_name == 'master'
+        env:
+          SRC_IMAGE: quay.io/${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }}
+          DST_IMAGE: ${{ env.IMAGE_REGISTRY_NAMESPACE }}/${{ env.IMAGE_REPOSITORY }}:${{ steps.vars.outputs.image_tag }}
+        run: >-
+          docker buildx imagetools create ${{ env.SRC_IMAGE }}
+          -t ${{ env.DST_IMAGE }}
+          -t ${{ env.DST_IMAGE }}-${{ steps.vars.outputs.timestamp }}

Dockerfile

@@ -7,9 +7,9 @@ FROM rockylinux:8.8 AS rockylinux8
 ARG JDIST
 ARG JAVA_MAJOR
 
-ENV JAVA_HOME /etc/alternatives/jre
-ENV LANG C.UTF-8
-ENV LC_ALL C.UTF-8
+ENV JAVA_HOME=/etc/alternatives/jre
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
 
 RUN \
   yum update --security -y && \

README.md

@@ -28,6 +28,8 @@ The images are available on:
 To ensure the propagation of security fixes from upstream projects, all
 supported tags are mutable and undergo periodic rebuilding.
 
+#### Pin by digest
+
 The suggested approach is to pin the sha256 digest for best reproducibility in
 your `Dockerfile`, for example:
 
@@ -53,6 +55,17 @@ alfresco/alfresco-base-java   jre17-rockylinux9   sha256:b749868ceb42bd6f58ae2f1
 
 This configuration approach is compatible with [Dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#docker).
 
+#### Pin by immutable tags
+
+Additional tags are being pushed for master releases, following the pattern
+`$tag-YYMMDDHHMM`. Those tags are never overwritten and can be used as a more
+intuitive approach. You can still use it in combination with digest for
+increased security.
+
+> Quay.io doesn't retain previous images when a tag is overwritten, so using an
+> immutable tag is mandatory in order to avoid getting `Manifest not found`
+> error once a mutable tag get updated.
+
 ## Development
 
 While any docker installation will produce valid images, building with