fix: add image-manifest=true to BuildKit cache export for ephemeral VMs

[hiroTamada]

Summary

Fixes two related issues with BuildKit cache handling:

1. Global cache wasn't providing cache hits - Without image-manifest=true, BuildKit's registry cache stores layer references pointing to external registries rather than copying actual layer blobs
2. Cache image push was failing - Hypeman's registry was attempting to convert cache images to ext4 format, but BuildKit uses a custom mediatype (application/vnd.buildkit.cacheconfig.v0) that can't be unpacked by standard OCI tools

Changes

Fix 1: Enable proper cache blob storage

• lib/builds/builder_agent/main.go - Added image-manifest=true,oci-mediatypes=true to cache export options
• lib/builds/cache.go - Updated ExportCacheArg() helper for consistency
• lib/builds/cache_test.go - Updated test expectation

Fix 2: Skip conversion for cache images

• lib/registry/registry.go - Skip triggerConversion() for cache/* repos since they're not runnable containers

Test coverage

• lib/images/oci_test.go - Unit tests documenting the BuildKit cache mediatype limitation

Root causes

Issue 1: Without image-manifest=true, BuildKit stores layer references like:

sha256:abc123 -> docker.io/library/alpine@sha256:abc123

Instead of copying the actual blob. Ephemeral BuildKit instances can't resolve these references.

Issue 2: When cache images are pushed, the registry triggers conversion to ext4 format. This calls umoci.UnpackRootfs which expects standard OCI config mediatype but BuildKit uses:

application/vnd.buildkit.cacheconfig.v0

This caused: config blob is not correct mediatype application/vnd.oci.image.config.v1+json

Before (first tenant deployment)

#9 [1/3] FROM docker.io/onkernel/python3.11-base:0.1.1@sha256:...
#9 sha256:4831516... 28.23MB / 28.23MB 0.4s   ← Downloaded from Docker Hub
#9 extracting sha256:4831516... 2.1s done
... (many more layer downloads ~7s)

After

#9 [1/3] FROM docker.io/onkernel/python3.11-base:0.1.1@sha256:...
#9 DONE 0.0s   ← Cache hit from global cache

Test plan

• Unit tests pass (go test ./lib/images/... ./lib/registry/... ./lib/builds/...)
• E2E tested: pushed BuildKit cache image with custom mediatype to local server - no conversion error
• Rebuild builder image with updated builder_agent
• Re-run global cache population script
• Deploy to fresh tenant and verify cache hits

---

Note

Medium Risk
Touches build caching behavior and registry post-push processing; incorrect cache flags or repo matching could reduce cache effectiveness or unintentionally skip conversion for some images.

Overview
Fixes BuildKit registry cache exports to work reliably in ephemeral builders by adding image-manifest=true (and oci-mediatypes=true) to cache export args for both global/admin and tenant caches.

Updates the shared CacheKey.ExportCacheArg() helper and its tests accordingly, adds lib/images/oci_test.go to document the BuildKit cache config mediatype incompatibility, and changes the registry to skip ext4 conversion for pushed cache/* images so cache pushes no longer fail.

^{Written by Cursor Bugbot for commit 1460df9. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}