From a86249d4640b00118796977a3fa6e68329d9a7d4 Mon Sep 17 00:00:00 2001
From: Mark Elliot <123787712+mark-thm@users.noreply.github.com>
Date: Fri, 24 May 2024 17:42:33 -0400
Subject: [PATCH] feat: Allow setting both tag and digest in oci_pull when reproducible is True (#587)
---
 oci/pull.bzl | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/oci/pull.bzl b/oci/pull.bzl
index 79b4e0d5..c5ab6979 100644
--- a/oci/pull.bzl
+++ b/oci/pull.bzl
@@ -157,13 +157,14 @@ def oci_pull(name, image = None, repository = None, registry = None, platforms =
 else:
 scheme = None
- if digest and tag:
- # Users might wish to leave tag=latest as "documentation" however if we just ignore tag
- # then it's never checked which means the documentation can be wrong.
- # For now just forbid having both, it's a non-breaking change to allow it later.
- fail("Only one of 'digest' or 'tag' may be set")
+ if digest and tag and not reproducible:
+ # digest and tag may drift apart for tags like 'latest', but in some cases tags are known
+ # to be immutable. As with the warning produced on tags alone, we'll require setting
+ # reproducible to True as a measure to inform users that there's some subtlty in how rules_oci
+ # prefers digest over tag, and that the latter is only used for documentation/upgrade tooling.
+ fail("Only one of 'digest' or 'tag' may be set when 'reproducible' is False. Set 'reproducible' to True to silence this failure.")
 if not digest and not tag:
- fail("One of 'digest' or 'tag' must be set")
+ fail("At least one of 'digest' or 'tag' must be set")
 platform_to_image = None
 single_platform = None
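Review bot: The new `fail(...)` message for `digest and tag and not reproducible` tells users how to get past the check but not what they accept by doing so. According to the comment above it, the digest is preferred and the tag is kept only for documentation and upgrade tooling, so nothing visible here compares the two. A BUILD file with both set can therefore carry a tag that no longer matches the pinned digest, and a reader may assume the tag is what was pulled. I would put that into the message, e.g. `fail("Both 'digest' and 'tag' are set: the digest is what is pulled and the tag is not verified against it. Set 'reproducible' to True to accept this.")`, and fix `subtlty` to `subtlety` in the comment. The diffstat shows this is the only hunk, so if the docstring of oci_pull (which starts and ends outside the hunk) describes `tag`, `digest` or `reproducible`, it likely needs the same sentence.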