fix(docker): add OCI header for GHCR (#503)

service/latest_version/filter/docker.go

@@ -220,18 +220,24 @@ func (r *Require) DockerTagCheck(
 		return fmt.Errorf("%s:%s - %w",
 			r.Docker.Image, tag, err)
 	}
+
+	req, _ := http.NewRequest(http.MethodGet, "", nil)
 	switch r.Docker.GetType() {
 	case "hub":
 		url = fmt.Sprintf("https://registry.hub.docker.com/v2/repositories/%s/tags/%s",
 			r.Docker.Image, tag)
 	case "ghcr":
 		url = fmt.Sprintf("https://ghcr.io/v2/%s/manifests/%s",
 			r.Docker.Image, tag)
+		req.Header.Set("Accept", "application/vnd.oci.image.index.v1+json")
 	case "quay":
 		url = fmt.Sprintf("https://quay.io/api/v1/repository/%s/tag/?onlyActiveTags=true&specificTag=%s",
 			r.Docker.Image, tag)
 	}
-	req, _ := http.NewRequest(http.MethodGet, url, nil)
+	//#nosec G104 -- URL verified in CheckValues.
+	//nolint:errcheck // ^
+	parsedURL, _ := net_url.Parse(url)
+	req.URL = parsedURL
 	if queryToken != "" {
 		req.Header.Set("Authorization", "Bearer "+queryToken)
 	}
@@ -278,26 +284,33 @@ func (d *DockerCheck) CheckValues(prefix string) error {
 			prefix, strings.Join(dockerCheckTypes, ",")))
 	}
 
-	if d.Image == "" {
+	// Image
+	switch {
+	case d.Image == "":
 		errs = append(errs, fmt.Errorf("%simage: <required> (image to check tags for)",
 			prefix))
-	} else {
-		// invalid image.
-		if !util.RegexCheck(`^[\w\-\.\/]+$`, d.Image) {
-			errs = append(errs, fmt.Errorf("%simage: %q <invalid> (non-ASCII)",
-				prefix, d.Image))
-			// e.g. prometheus = library/prometheus on the docker hub api.
-		} else if d.Type == "hub" && strings.Count(d.Image, "/") == 0 {
-			d.Image = fmt.Sprintf("library/%s", d.Image)
-		}
-	}
-
-	if d.Tag == "" {
+		// Invalid image.
+	case !util.RegexCheck(`^[\w\-\.\/]+$`, d.Image):
+		errs = append(errs, fmt.Errorf("%simage: %q <invalid> (non-ASCII)",
+			prefix, d.Image))
+		// e.g. prometheus = library/prometheus on the docker hub api.
+	case d.Type == "hub" && strings.Count(d.Image, "/") == 0:
+		d.Image = fmt.Sprintf("library/%s", d.Image)
+	}
+
+	// Tag
+	switch {
+	case d.Tag == "":
 		errs = append(errs, fmt.Errorf("%stag: <required> (tag of image to check for existence)",
 			prefix))
-	} else if !util.CheckTemplate(d.Tag) {
+	case !util.CheckTemplate(d.Tag):
 		errs = append(errs, fmt.Errorf("%stag: %q <invalid> (didn't pass templating)",
 			prefix, d.Tag))
+	default:
+		if _, err := net_url.Parse(fmt.Sprintf("https://example.com/%s", d.Tag)); err != nil {
+			errs = append(errs, fmt.Errorf("%stag: %q <invalid> (invalid for URL formatting)",
+				prefix, d.Tag))
+		}
 	}
 
 	if err := d.checkToken(); err != nil {
@@ -328,8 +341,8 @@ func (d *DockerCheck) checkToken() error {
 		} else if username == "" && token != "" {
 			return fmt.Errorf("username: <required> (token is for who?)")
 		}
-	case "quay":
-	case "ghcr":
+	case "quay", "ghcr":
+		// Token not required.
 	}
 
 	return nil

service/latest_version/filter/docker_test.go

@@ -1609,6 +1609,17 @@ func TestRequire_DockerTagCheck(t *testing.T) {
 				"", time.Now(), nil),
 			errRegex: `^$`,
 		},
+		"GHCR - OCI Index header": {
+			onlyIfEnvToken: true,
+			dockerCheck: NewDockerCheck(
+				"ghcr",
+				"immich-app/immich-server",
+				"v1.118.1",
+				"",
+				os.Getenv("GH_TOKEN"),
+				"", time.Now(), nil),
+			errRegex: `^$`,
+		},
 		"Quay with no token, valid tag": {
 			dockerCheck: NewDockerCheck(
 				"quay",
@@ -1881,6 +1892,14 @@ func TestDockerCheck_CheckValues(t *testing.T) {
 				"{{ version }",
 				"", "", "", time.Now(), nil),
 		},
+		"invalid tag url encoding": {
+			errRegex: `^tag: .* <invalid>.*$`,
+			dockerCheck: NewDockerCheck(
+				"hub",
+				"release-argus/argus",
+				"1.2	.3+",
+				"", "", "", time.Now(), nil),
+		},
 		"valid Type with image and tag": {
 			errRegex: `^$`,
 			dockerCheck: NewDockerCheck(