Add OCI image annotations to docker images
What does this MR do?
Add OCI image annotations to docker images
These annotations are useful both for people reading them manually and for tools that consume them. For example, Snyk shows them in its UI and Renovate uses them to find release notes.
See:
- https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys
- https://snyk.io/blog/how-and-when-to-use-docker-labels-oci-container-annotations/
- https://github.com/renovatebot/renovate/blob/34.115.1/lib/modules/datasource/docker/readme.md
Testing
Note: I originally tested the implementation of this MR against one of our temporary images, and it added annotations as expected in this job:
```shell
$ crane manifest --platform linux/amd64 registry.gitlab.com/gitlab-org/security-products/analyzers/sobelow/tmp:6a5f7b7794a567a835a48089713b084ebc6f5e89 | jq '{ annotations}'
```
output:
```json
{
  "annotations": {
    "org.opencontainers.image.created": "2024-08-15T00:16:02+00:00",
    "org.opencontainers.image.description": "SAST Analyzer for Phoenix Elixir projects based on sobelow",
    "org.opencontainers.image.revision": "6a5f7b7794a567a835a48089713b084ebc6f5e89",
    "org.opencontainers.image.source": "https://gitlab.com/gitlab-org/security-products/analyzers/sobelow",
    "org.opencontainers.image.title": "sobelow",
    "org.opencontainers.image.url": "https://gitlab.com/gitlab-org/security-products/analyzers/sobelow",
    "org.opencontainers.image.vendor": "GitLab"
  }
}
```
However, it seems there's an issue related to how we tag our released images, which strips away annotations. See this comment for more details. This means that the analyzer images we release will not have annotations until we handle the following.
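The `crane manifest | jq` check above only eyeballs the keys. The following is an added example, not code from this MR or from the analyzer project: an offline validator that takes the manifest object `crane manifest` returns and reports which pre-defined OCI annotation keys are missing or malformed (RFC 3339 `created`, a 40-hex `revision`, https `source`/`url`). It also merges in the image config's `Labels` as a fallback, since labels live in the config blob and are not affected when a manifest is rebuilt on re-tag, which is the kind of stripping described above. The sample manifest reuses the annotation values from the test output; the stripped manifest, the config labels, and the function names are constructed for this example.

```python
"""Validate OCI pre-defined annotations on an image manifest (added example)."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Pre-defined keys from the OCI image-spec annotations list that the MR sets.
REQUIRED_KEYS = (
    "org.opencontainers.image.created",
    "org.opencontainers.image.description",
    "org.opencontainers.image.revision",
    "org.opencontainers.image.source",
    "org.opencontainers.image.title",
    "org.opencontainers.image.url",
    "org.opencontainers.image.vendor",
)

# `revision` should be the full git commit SHA the image was built from.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def _rfc3339_ok(value: str) -> bool:
    """`created` must be an RFC 3339 timestamp, e.g. 2024-08-15T00:16:02+00:00."""
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def effective_annotations(manifest: Dict, config: Optional[Dict] = None) -> Dict[str, str]:
    """Manifest annotations win; image-config labels fill in anything missing.

    Manifest annotations are part of the manifest object, so a client that
    rebuilds the manifest when re-tagging or re-pushing drops them; config
    labels (docker build --label) ride along in the config blob and survive.
    """
    labels = ((config or {}).get("config") or {}).get("Labels") or {}
    merged = dict(labels)
    merged.update(manifest.get("annotations") or {})
    return merged


def check_annotations(annotations: Dict[str, str], expected_revision: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the annotations pass."""
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if not annotations.get(key):
            problems.append(f"missing {key}")
    created = annotations.get("org.opencontainers.image.created")
    if created and not _rfc3339_ok(created):
        problems.append("org.opencontainers.image.created is not RFC 3339")
    rev = annotations.get("org.opencontainers.image.revision")
    if rev and not SHA1_RE.match(rev):
        problems.append("org.opencontainers.image.revision is not a 40-hex commit SHA")
    if expected_revision and rev and rev != expected_revision:
        problems.append("org.opencontainers.image.revision does not match the expected commit")
    for key in ("org.opencontainers.image.source", "org.opencontainers.image.url"):
        value = annotations.get(key)
        if value and not value.startswith("https://"):
            problems.append(f"{key} is not an https URL")
    return problems


# Constructed sample in the shape `crane manifest` returns, carrying the
# annotation values shown in the MR's test output.
SAMPLE_MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "annotations": {
        "org.opencontainers.image.created": "2024-08-15T00:16:02+00:00",
        "org.opencontainers.image.description": "SAST Analyzer for Phoenix Elixir projects based on sobelow",
        "org.opencontainers.image.revision": "6a5f7b7794a567a835a48089713b084ebc6f5e89",
        "org.opencontainers.image.source": "https://gitlab.com/gitlab-org/security-products/analyzers/sobelow",
        "org.opencontainers.image.title": "sobelow",
        "org.opencontainers.image.url": "https://gitlab.com/gitlab-org/security-products/analyzers/sobelow",
        "org.opencontainers.image.vendor": "GitLab",
    },
}

# Constructed sample of a re-tagged manifest whose annotations were stripped,
# plus an image config that still carries a partial set of build-time labels.
STRIPPED_MANIFEST = {"schemaVersion": 2, "mediaType": "application/vnd.oci.image.manifest.v1+json"}
SAMPLE_CONFIG = {
    "config": {
        "Labels": {
            "org.opencontainers.image.created": "2024-08-15T00:16:02+00:00",
            "org.opencontainers.image.revision": "6a5f7b7794a567a835a48089713b084ebc6f5e89",
            "org.opencontainers.image.source": "https://gitlab.com/gitlab-org/security-products/analyzers/sobelow",
            "org.opencontainers.image.title": "sobelow",
        }
    }
}

if __name__ == "__main__":
    print("annotated :", check_annotations(effective_annotations(SAMPLE_MANIFEST)))
    print("stripped  :", check_annotations(effective_annotations(STRIPPED_MANIFEST)))
    print("with labels:", check_annotations(effective_annotations(STRIPPED_MANIFEST, SAMPLE_CONFIG)))
```

In a pipeline you would feed it `crane manifest ... | jq .` for the manifest and `crane config ...` for the config, and pass `CI_COMMIT_SHA` as `expected_revision` so a stale `revision` on a released tag is caught, not just a missing one.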
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
Edited by Adam Cohen