fix(ecr-assets): handle Docker 27.4+ output format in TarballImageAsset (#33967)

### Issue # (if applicable)

Closes #33428.

### Reason for this change

The TarballImageAsset class was failing to properly extract image IDs from Docker 27.4+ output due to a format change from "Loaded image: <digest>" to "Loaded image ID: <digest>". This caused the sed command to fail to properly extract the image ID, resulting in an invalid tag format.

After reviewing Docker CLI issue docker/cli#2212 (open since 2019), I found that Docker has actually had two distinct output formats for the `docker load` command for some time:
- For images with tags: "Loaded image: <image-name>"
- For images without tags: "Loaded image ID: <digest>"

See:
https://github.com/moby/moby/blob/37f866285af6910f838c762912dfd57396783b72/image/tarexport/load.go#L140-L159

While the issue was triggered by Docker 27.4, the underlying problem is that our code was only handling one of these output formats. We need a solution that handles both formats.

### Description of changes

- Introduced a more flexible regex pattern (`s/Loaded image[^:]*: //g`) that handles both output formats
- Extracted the pattern to a shared constant `DOCKER_LOAD_OUTPUT_REGEX` for consistency and maintainability
- Updated the code in `tarball-asset.ts` to use the new regex pattern
- Added unit tests to verify compatibility with both Docker output formats
- Ensured backward compatibility with older Docker versions

This approach makes our code more robust against variations in Docker's output format.

### Describe any new or updated permissions being added

No new or updated IAM permissions are needed for this change.

### Description of how you validated changes

- Created unit tests that verify the new regex pattern works with both formats using hardcoded test strings:
  - "Loaded image: <digest>" (older Docker versions)
  - "Loaded image ID: <digest>" (Docker 27.4+)
- Verified that the old sed expression fails with the new format
- Confirmed all existing tests pass with the new implementation

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: scorbiere

packages/aws-cdk-lib/aws-ecr-assets/lib/tarball-asset.ts

@@ -5,6 +5,14 @@ import { IAsset } from '../../assets';
 import * as ecr from '../../aws-ecr';
 import { AssetStaging, Names, Stack, Stage, ValidationError } from '../../core';
 
+/**
+ * The sed pattern used to extract the image ID from docker load output
+ * Works with both formats:
+ * - "Loaded image: <digest>" (older Docker versions)
+ * - "Loaded image ID: <digest>" (Docker 27.4+)
+ */
+export const DOCKER_LOAD_OUTPUT_REGEX = 's/Loaded image[^:]*: //g';
+
 /**
  * Options for TarballImageAsset
  */
@@ -99,7 +107,7 @@ export class TarballImageAsset extends Construct implements IAsset {
       executable: [
         'sh',
         '-c',
-        `docker load -i ${relativePathInOutDir} | tail -n 1 | sed "s/Loaded image: //g"`,
+        `docker load -i ${relativePathInOutDir} | tail -n 1 | sed "${DOCKER_LOAD_OUTPUT_REGEX}"`,
       ],
       displayName: props.displayName ?? Names.stackRelativeConstructPath(this),
     });

packages/aws-cdk-lib/aws-ecr-assets/test/tarball-asset.test.ts

@@ -1,11 +1,12 @@
+import { spawnSync } from 'child_process';
 import * as fs from 'fs';
 import * as path from 'path';
 import { Template } from '../../assertions';
 import * as iam from '../../aws-iam';
 import * as cxschema from '../../cloud-assembly-schema';
 import { App, Stack, DefaultStackSynthesizer } from '../../core';
 import * as cxapi from '../../cx-api';
-import { TarballImageAsset } from '../lib';
+import { TarballImageAsset, DOCKER_LOAD_OUTPUT_REGEX } from '../lib';
 
 /* eslint-disable quote-props */
 
@@ -42,7 +43,7 @@ describe('image asset', () => {
         executable: [
           'sh',
           '-c',
-          `docker load -i asset.${asset.assetHash}.tar | tail -n 1 | sed "s/Loaded image: //g"`,
+          `docker load -i asset.${asset.assetHash}.tar | tail -n 1 | sed "${DOCKER_LOAD_OUTPUT_REGEX}"`,
         ],
       },
     );
@@ -160,6 +161,36 @@ describe('image asset', () => {
       expect(asset2.imageTag).toEqual('banana95c924c84f5d023be4edee540cb2cb401a49f115d01ed403b288f6cb412771df');
     });
   });
+  test('docker load output format handling', () => {
+    // Test that our sed expression can handle both old and new Docker output formats
+    const oldFormatOutput = 'Loaded image: sha256:4a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a';
+    const newFormatOutput = 'Loaded image ID: sha256:4a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a';
+
+    // Test old format (Loaded image: sha256:...)
+    const oldFormatResult = spawnSync('sh', [
+      '-c',
+      `echo "${oldFormatOutput}" | sed "${DOCKER_LOAD_OUTPUT_REGEX}"`,
+    ]);
+    expect(oldFormatResult.status).toBe(0);
+    expect(oldFormatResult.stdout.toString().trim()).toBe('sha256:4a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a');
+
+    // Test new format (Loaded image ID: sha256:...)
+    const newFormatResult = spawnSync('sh', [
+      '-c',
+      `echo "${newFormatOutput}" | sed "${DOCKER_LOAD_OUTPUT_REGEX}"`,
+    ]);
+    expect(newFormatResult.status).toBe(0);
+    expect(newFormatResult.stdout.toString().trim()).toBe('sha256:4a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a');
+
+    // Test that the old sed expression fails with the new format
+    const oldSedWithNewFormat = spawnSync('sh', [
+      '-c',
+      `echo "${newFormatOutput}" | sed "s/Loaded image: //g"`,
+    ]);
+    expect(oldSedWithNewFormat.status).toBe(0);
+    expect(oldSedWithNewFormat.stdout.toString().trim()).not.toBe('sha256:4a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a');
+    expect(oldSedWithNewFormat.stdout.toString().trim()).toBe('Loaded image ID: sha256:4a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a');
+  });
 });
 
 function isAssetManifest(x: cxapi.CloudArtifact): x is cxapi.AssetManifestArtifact {