From 2c24ca2ef84130e8a8aeeeb3c7ec6f53882b3bfd Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Fri, 15 May 2026 09:17:12 +1000 Subject: [PATCH 1/4] UID2-7041: add Set up Docker Buildx step to Java workflow push-by-digest=true is only implemented in the docker-container driver, not the default docker driver. The composite already sets up buildx; the Java workflow was missing it, breaking every Java publish after PR #231 merged. Mirror the composite's pinned setup-buildx-action. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/shared-publish-java-to-docker-versioned.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/shared-publish-java-to-docker-versioned.yaml b/.github/workflows/shared-publish-java-to-docker-versioned.yaml index 8aa5558f..5ea73317 100644 --- a/.github/workflows/shared-publish-java-to-docker-versioned.yaml +++ b/.github/workflows/shared-publish-java-to-docker-versioned.yaml @@ -189,6 +189,9 @@ jobs: FIRST_TAG=${DOCKER_METADATA_OUTPUT_TAGS%%$'\n'*} echo "firstTag=$FIRST_TAG" >> $GITHUB_OUTPUT + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + - name: Build and export to Docker uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: From 006c1fe82a5dbe3b0e768d12b89b760e324cf917 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Fri, 15 May 2026 09:20:14 +1000 Subject: [PATCH 2/4] UID2-7041: TEMP smoke for buildx fix (delete after capture) --- .github/workflows/smoke-7041-buildx.yaml | 67 ++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/workflows/smoke-7041-buildx.yaml diff --git a/.github/workflows/smoke-7041-buildx.yaml b/.github/workflows/smoke-7041-buildx.yaml new file mode 100644 index 00000000..81190a01 --- /dev/null +++ b/.github/workflows/smoke-7041-buildx.yaml 
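Review bot: The added `Set up Docker Buildx` step carries no comment saying why it is required, so a later cleanup could drop it and break publishing again. The commit message explains that `push-by-digest=true` is only implemented by the docker-container driver. I would put that on the step itself, for example `# Required: push-by-digest=true needs the docker-container driver that setup-buildx-action creates`. The enclosing job starts and ends outside the hunk.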
@@ -0,0 +1,67 @@
+name: UID2-7041 buildx-fix smoke
+
+# Throwaway smoke that proves push-by-digest works once Set up Docker Buildx
+# is present. Mirrors the Java workflow shape (setup-buildx before build).
+# Delete after capturing a green run.
+
+on:
+ push:
+ branches: [bmz-UID2-7041-setup-buildx-java]
+
+env:
+ TEST_IMAGE: ghcr.io/${{ github.repository }}/test-7041-buildx
+
+jobs:
+ smoke:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
+
+ - name: Log in to GHCR
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Lowercase image name
+ id: lc
+ run: |
+ IMG="$(printf '%s' "${TEST_IMAGE}" | tr '[:upper:]' '[:lower:]')"
+ echo "image=${IMG}" >> "$GITHUB_OUTPUT"
+
+ - name: Write throwaway Dockerfile
+ run: |
+ cat > Dockerfile.test-7041-buildx <<'DOCKERFILE'
+ FROM alpine:3.20
+ RUN echo "uid2-7041 buildx-fix smoke, run $GITHUB_RUN_ID" > /uid2-7041.txt
+ DOCKERFILE
+
+ - name: Build and export to Docker (mirrors Java workflow shape, load:true)
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
+ with:
+ context: .
+ file: Dockerfile.test-7041-buildx
+ load: true
+ tags: ${{ steps.lc.outputs.image }}:scan-${{ github.run_id }}
+
+ - name: Push by digest (the previously-failing call)
+ id: push
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
+ with:
+ context: .
+ file: Dockerfile.test-7041-buildx
+ outputs: type=image,name=${{ steps.lc.outputs.image }},push-by-digest=true,push=true
+
+ - name: Assert digest emitted
+ run: |
+ set -eu
+ [[ -n "${{ steps.push.outputs.digest }}" ]] || { echo "::error::No digest"; exit 1; }
+ echo "Push-by-digest succeeded: ${{ steps.push.outputs.digest }}"
From 4c13fd28cc7ae0134ec6933d470c3921cf28eb1e Mon Sep 17 00:00:00 2001
From: Behnam Mozafari
Date: Fri, 15 May 2026 09:20:54 +1000
Subject: [PATCH 3/4] UID2-7041: drop buildx smoke; run 25891260601 captured
---
.github/workflows/smoke-7041-buildx.yaml | 67 ------------------------
1 file changed, 67 deletions(-)
delete mode 100644 .github/workflows/smoke-7041-buildx.yaml
diff --git a/.github/workflows/smoke-7041-buildx.yaml b/.github/workflows/smoke-7041-buildx.yaml
deleted file mode 100644
index 81190a01..00000000
--- a/.github/workflows/smoke-7041-buildx.yaml
+++ /dev/null
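Review bot: In the `Write throwaway Dockerfile` step the heredoc delimiter is quoted (`<<'DOCKERFILE'`), so `$GITHUB_RUN_ID` is written literally into the Dockerfile and is only expanded by the shell inside the build, where nothing in this workflow defines it as an `ARG` or `ENV`. The marker file therefore most likely records an empty run id and the image content is the same on every run, which makes the captured digest weaker evidence of a fresh push. Dropping the quotes, `cat > Dockerfile.test-7041-buildx <<DOCKERFILE`, lets the runner's shell substitute the id when the file is written. Separately, the `Assert digest emitted` step splices `${{ steps.push.outputs.digest }}` into the script text; passing it through `env:` would match how `TEST_IMAGE` is handled in the lowercase step.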
@@ -1,67 +0,0 @@ -name: UID2-7041 buildx-fix smoke - -# Throwaway smoke that proves push-by-digest works once Set up Docker Buildx -# is present. Mirrors the Java workflow shape (setup-buildx before build). -# Delete after capturing a green run. - -on: - push: - branches: [bmz-UID2-7041-setup-buildx-java] - -env: - TEST_IMAGE: ghcr.io/${{ github.repository }}/test-7041-buildx - -jobs: - smoke: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - name: Checkout - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - - - name: Log in to GHCR - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Lowercase image name - id: lc - run: | - IMG="$(printf '%s' "${TEST_IMAGE}" | tr '[:upper:]' '[:lower:]')" - echo "image=${IMG}" >> "$GITHUB_OUTPUT" - - - name: Write throwaway Dockerfile - run: | - cat > Dockerfile.test-7041-buildx <<'DOCKERFILE' - FROM alpine:3.20 - RUN echo "uid2-7041 buildx-fix smoke, run $GITHUB_RUN_ID" > /uid2-7041.txt - DOCKERFILE - - - name: Build and export to Docker (mirrors Java workflow shape, load:true) - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 - with: - context: . - file: Dockerfile.test-7041-buildx - load: true - tags: ${{ steps.lc.outputs.image }}:scan-${{ github.run_id }} - - - name: Push by digest (the previously-failing call) - id: push - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 - with: - context: . 
- file: Dockerfile.test-7041-buildx - outputs: type=image,name=${{ steps.lc.outputs.image }},push-by-digest=true,push=true - - - name: Assert digest emitted - run: | - set -eu - [[ -n "${{ steps.push.outputs.digest }}" ]] || { echo "::error::No digest"; exit 1; } - echo "Push-by-digest succeeded: ${{ steps.push.outputs.digest }}" From 27c970841277019284c95bc33f5709c63ae594e5 Mon Sep 17 00:00:00 2001 From: Behnam Mozafari Date: Fri, 15 May 2026 09:28:57 +1000 Subject: [PATCH 4/4] UID2-7041: lowercase image reference for push-by-digest push-by-digest=true rejects uppercase characters in the repo path (unlike the prior tags: input which went through docker/metadata-action and was lowercased there). github.repository preserves the original casing, so IABTechLab/uid2-admin fails to parse. Add a Lowercase image reference step before the push and reuse the output in both push and promote, mirroring the pattern in actions/attest_image. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../shared-publish-java-to-docker-versioned.yaml | 10 ++++++++-- actions/shared_publish_to_docker/action.yaml | 11 +++++++++-- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/.github/workflows/shared-publish-java-to-docker-versioned.yaml b/.github/workflows/shared-publish-java-to-docker-versioned.yaml index 5ea73317..be0f407e 100644 --- a/.github/workflows/shared-publish-java-to-docker-versioned.yaml +++ b/.github/workflows/shared-publish-java-to-docker-versioned.yaml @@ -192,6 +192,12 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 + - name: Lowercase image reference + id: imageRef + run: | + value="$(printf '%s' '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ inputs.append_image_name }}' | tr '[:upper:]' '[:lower:]')" + echo "value=${value}" >> "$GITHUB_OUTPUT" + - name: Build and export to Docker uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: 
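Review bot: The new `Lowercase image reference` step expands `${{ env.REGISTRY }}`, `${{ env.IMAGE_NAME }}` and `${{ inputs.append_image_name }}` directly inside the single-quoted argument of `printf`, so the values become part of the script text before bash parses it. `append_image_name` is supplied by the calling workflow, and a value containing a single quote would end the string and be interpreted as shell; a newline in the result would also add extra entries to `$GITHUB_OUTPUT`. Passing the reference through the step's `env:` block, e.g. `IMAGE_REF: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ inputs.append_image_name }}`, and running `printf '%s' "$IMAGE_REF" | tr '[:upper:]' '[:lower:]'` keeps it as data. The same pattern appears in the matching step added to `actions/shared_publish_to_docker/action.yaml`, there with `inputs.docker_registry` and `inputs.docker_image_name`. The enclosing job continues outside the hunk.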
@@ -218,7 +224,7 @@ jobs: with: context: ${{inputs.working_dir}} labels: ${{ steps.meta.outputs.labels }} - outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ inputs.append_image_name }},push-by-digest=true,push=true + outputs: type=image,name=${{ steps.imageRef.outputs.value }},push-by-digest=true,push=true build-args: | JAR_VERSION=${{ steps.version.outputs.new_version }} IMAGE_VERSION=${{ steps.version.outputs.new_version }} @@ -235,7 +241,7 @@ jobs: env: DIGEST: ${{ steps.push.outputs.digest }} TAGS: ${{ steps.meta.outputs.tags }} - SOURCE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}${{ inputs.append_image_name }} + SOURCE: ${{ steps.imageRef.outputs.value }} run: | set -euo pipefail while IFS= read -r tag; do diff --git a/actions/shared_publish_to_docker/action.yaml b/actions/shared_publish_to_docker/action.yaml index ea55b008..11d753bc 100644 --- a/actions/shared_publish_to_docker/action.yaml +++ b/actions/shared_publish_to_docker/action.yaml @@ -71,6 +71,13 @@ runs: FIRST_TAG=${DOCKER_METADATA_OUTPUT_TAGS%%$'\n'*} echo "firstTag=$FIRST_TAG" >> $GITHUB_OUTPUT + - name: Lowercase image reference + id: imageRef + shell: bash + run: | + value="$(printf '%s' '${{ inputs.docker_registry }}/${{ inputs.docker_image_name }}' | tr '[:upper:]' '[:lower:]')" + echo "value=${value}" >> "$GITHUB_OUTPUT" + - name: Build and export to Docker uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: @@ -99,7 +106,7 @@ runs: context: ${{ inputs.docker_context }} file: ${{ inputs.docker_file }} labels: ${{ steps.meta.outputs.labels }} - outputs: type=image,name=${{ inputs.docker_registry }}/${{ inputs.docker_image_name }},push-by-digest=true,push=true + outputs: type=image,name=${{ steps.imageRef.outputs.value }},push-by-digest=true,push=true build-args: | JAR_VERSION=${{ inputs.new_version }} IMAGE_VERSION=${{ inputs.new_version }} 
@@ -116,7 +123,7 @@ runs: env: DIGEST: ${{ steps.push.outputs.digest }} TAGS: ${{ steps.meta.outputs.tags }} - SOURCE: ${{ inputs.docker_registry }}/${{ inputs.docker_image_name }} + SOURCE: ${{ steps.imageRef.outputs.value }} run: | set -euo pipefail while IFS= read -r tag; do