fix: When pushing images to registry cache, use image-manifest=true

[fghaas]

Without this change, when building images with --cache-to-registry, BuildKit uses a proprietary cache artifact format, which breaks when using third-party registries such as Harbor or ECR.

By adding the image-manifest=true option, BuildKit uses an OCI-compliant cache artifact format that should be compatible with all registries. This option requires BuildKit 0.12 or later (check with docker buildx ls).

See goharbor/harbor#18941 and moby/buildkit#2251 for background information.

Co-authored-by: @angonz

[fghaas]

This change should not pose problems for users who have previously used the default image artifact format, since the cache is only populated on a fresh image build. That is to say, if this change is applied to an existing Tutor installation, and the user rebuilds an image (bumping the image tag, of course), then only the new image will use the compatible cache artifact format.

[regisb]

Hi Florian! Can you please have a look at this comment and tell me what you think?

EDIT: see Florian's response #1119 (comment)

BuildKit had a long-standing issue (moby/buildkit#2251) which meant that the cache image index it was generating was essentially proprietary and not compliant with the relevant spec.

In the comments on that issue, it was proposed that OCI-compliant manifests could be enabled with oci-manifest=true. However, when the feature landed in moby/buildkit#3724, the option name ended up being image-manifest.

So, if (and only if) we specify image-manifest=true, BuildKit does the correct (OCI-compliant) thing and creates an OCI-compliant rather than a proprietary manifest format. And that's the proper way to support cached image builds across multiple registry providers.

[regisb]

looks awesome to me!