Test

.github/.codecov.yml → .github/codecov.yml

@@ -15,5 +15,5 @@ coverage:
   status:
     project:
       default:
-        target: 70%
+        target: 80%
         if_ci_failed: error

.github/workflows/build.yml

@@ -15,20 +15,24 @@ name: build
 
 on:
   push:
-    branches: main
+    branches: 
+      - main
+      - release-*
   pull_request:
-    branches: main
+    branches:
+      - main
+      - release-*
 
 jobs:
   build:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: ['1.19', '1.20']
+        go-version: ['1.20', '1.21']
       fail-fast: true
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Set up Go ${{ matrix.go-version }} environment
         uses: actions/setup-go@v4
         with:

.github/workflows/codeql-analysis.yml

@@ -15,9 +15,13 @@ name: CodeQL
 
 on:
   push:
-    branches: main
+    branches:
+      - main
+      - release-*
   pull_request:
-    branches: main
+    branches:
+      - main
+      - release-*
   schedule:
     - cron: '34 13 * * 3'
 
@@ -31,11 +35,11 @@ jobs:
       security-events: write
     strategy:
       matrix:
-        go-version: ['1.19', '1.20']
+        go-version: ['1.20', '1.21']
       fail-fast: false
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Set up Go ${{ matrix.go-version }} environment
         uses: actions/setup-go@v4
         with:

.github/workflows/license-checker.yml

@@ -15,9 +15,13 @@ name: License Checker
 
 on:
   push:
-    branches: main
+    branches:
+      - main
+      - release-*
   pull_request:
-    branches: main
+    branches:
+      - main
+      - release-*
 
 permissions:
   contents: write
@@ -28,13 +32,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Check license header
-        uses: apache/skywalking-eyes/header@v0.4.0
+        uses: apache/skywalking-eyes/header@v0.5.0
         with:
           mode: check
           config: .github/licenserc.yml
       - name: Check dependencies license
-        uses: apache/skywalking-eyes/dependency@v0.4.0
+        uses: apache/skywalking-eyes/dependency@v0.5.0
         with:
           config: .github/licenserc.yml

README.md

@@ -19,6 +19,9 @@ The ORAS Go library follows [Semantic Versioning](https://semver.org/), where br
 
 The version `2` is actively developed in the [`main`](https://github.com/oras-project/oras-go/tree/main) branch with all new features.
 
+> [!Note]
+> The `main` branch follows [Go's Security Policy](https://github.com/golang/go/security/policy) and supports the two latest versions of Go (currently `1.20` and `1.21`).
+
 Examples for common use cases can be found below:
 
 - [Copy examples](https://pkg.go.dev/oras.land/oras-go/v2#pkg-examples)

SECURITY.md

@@ -0,0 +1,3 @@
+# Security Policy
+
+Please follow the [security policy](https://oras.land/docs/community/reporting_security_concerns) to report a security vulnerability or concern.

content.go

@@ -29,7 +29,6 @@ import (
 	"oras.land/oras-go/v2/internal/docker"
 	"oras.land/oras-go/v2/internal/interfaces"
 	"oras.land/oras-go/v2/internal/platform"
-	"oras.land/oras-go/v2/internal/registryutil"
 	"oras.land/oras-go/v2/internal/syncutil"
 	"oras.land/oras-go/v2/registry"
 	"oras.land/oras-go/v2/registry/remote/auth"
@@ -91,7 +90,7 @@ func TagN(ctx context.Context, target Target, srcReference string, dstReferences
 			if err != nil {
 				return ocispec.Descriptor{}, err
 			}
-			ctx = registryutil.WithScopeHint(ctx, ref, auth.ActionPull, auth.ActionPush)
+			ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull, auth.ActionPush)
 		}
 
 		desc, contentBytes, err := FetchBytes(ctx, target, srcReference, FetchBytesOptions{
@@ -149,7 +148,7 @@ func Tag(ctx context.Context, target Target, src, dst string) (ocispec.Descripto
 			if err != nil {
 				return ocispec.Descriptor{}, err
 			}
-			ctx = registryutil.WithScopeHint(ctx, ref, auth.ActionPull, auth.ActionPush)
+			ctx = auth.AppendRepositoryScope(ctx, ref, auth.ActionPull, auth.ActionPush)
 		}
 		desc, rc, err := refFetcher.FetchReference(ctx, src)
 		if err != nil {

content/graph.go

@@ -75,18 +75,33 @@ func Successors(ctx context.Context, fetcher Fetcher, node ocispec.Descriptor) (
 		}
 		nodes = append(nodes, manifest.Config)
 		return append(nodes, manifest.Layers...), nil
-	case docker.MediaTypeManifestList, ocispec.MediaTypeImageIndex:
+	case docker.MediaTypeManifestList:
 		content, err := FetchAll(ctx, fetcher, node)
 		if err != nil {
 			return nil, err
 		}
 
-		// docker manifest list and oci index are equivalent for successors.
+		// OCI manifest index schema can be used to marshal docker manifest list
 		var index ocispec.Index
 		if err := json.Unmarshal(content, &index); err != nil {
 			return nil, err
 		}
 		return index.Manifests, nil
+	case ocispec.MediaTypeImageIndex:
+		content, err := FetchAll(ctx, fetcher, node)
+		if err != nil {
+			return nil, err
+		}
+
+		var index ocispec.Index
+		if err := json.Unmarshal(content, &index); err != nil {
+			return nil, err
+		}
+		var nodes []ocispec.Descriptor
+		if index.Subject != nil {
+			nodes = append(nodes, *index.Subject)
+		}
+		return append(nodes, index.Manifests...), nil
 	case spec.MediaTypeArtifactManifest:
 		content, err := FetchAll(ctx, fetcher, node)
 		if err != nil {