fix(release): accept Docker OCI attestations and xAI reasoning defaults

scripts/verify-docker-attestations.mjs

@@ -4,6 +4,11 @@ import { execFileSync } from "node:child_process";
 import process from "node:process";
 
 const ATTESTATION_REFERENCE_TYPE = "attestation-manifest";
+const ATTESTATION_ARTIFACT_TYPE = "application/vnd.docker.attestation.manifest.v1+json";
+const ATTESTATION_MANIFEST_MEDIA_TYPES = new Set([
+  "application/vnd.docker.distribution.manifest.v2+json",
+  "application/vnd.oci.image.manifest.v1+json",
+]);
 const REQUIRED_PREDICATES = ["https://spdx.dev/Document", "https://slsa.dev/provenance/v1"];
 
 export function imageRefForDigest(imageRef, digest) {
@@ -39,6 +44,13 @@ function platformMatches(actual, expected) {
   );
 }
 
+function isAttestationManifest(attestation) {
+  if (attestation?.artifactType !== undefined) {
+    return attestation.artifactType === ATTESTATION_ARTIFACT_TYPE;
+  }
+  return ATTESTATION_MANIFEST_MEDIA_TYPES.has(attestation?.mediaType);
+}
+
 function parseJson(raw, label) {
   try {
     return JSON.parse(raw);
@@ -85,11 +97,11 @@ export function collectDockerAttestationErrors(params) {
     const predicates = new Set();
     for (const descriptor of attestationDescriptors) {
       const attestation = inspectAttestation(descriptor.digest);
-      if (attestation?.artifactType !== "application/vnd.docker.attestation.manifest.v1+json") {
+      if (!isAttestationManifest(attestation)) {
         errors.push(
-          `${imageRef}: ${platformLabel} attestation ${descriptor.digest} has unexpected artifactType ${JSON.stringify(
+          `${imageRef}: ${platformLabel} attestation ${descriptor.digest} has unexpected manifest shape artifactType=${JSON.stringify(
             attestation?.artifactType,
-          )}`,
+          )} mediaType=${JSON.stringify(attestation?.mediaType)}`,
         );
       }
       for (const layer of attestation?.layers ?? []) {