Open hiddeco opened 5 months ago
I especially like the potential to use this to connect the dots from an image back to the repo with the source the image was built from.
Love this idea.
It's always been a goal to somehow link back to original source code so that users know the contents of what they were promoting. This is why the GitRepoURL field exists (which isn't really used). org.opencontainers.image.source would be a much better way to do this.
That's indeed also one of the use cases I had in mind myself.
The other one is starting to use org.opencontainers.image.created instead of the (push) timestamp we receive from the registry when we order by build time. The advantage of this is that these annotations can be transferred to any other registry, which could prevent potential issues when people move to e.g. an in-cluster mirror or a different registry host.
I think this feature can be as simple as surfacing OCI metadata into the freight. Then, other Kargo features (https://github.com/akuity/kargo/issues/2830, https://github.com/akuity/kargo/issues/821) will take advantage of that metadata as UI or git commit features.
The OCI Image Format Specification defines a set of annotation keys that can be used to attach metadata (like the source of an artifact, or the build timestamp) in a standardized manner to a container image (or OCI artifact).
Some of these are interesting to Kargo to improve (for example, build time instead of push time for sorting), enrich (for example, determining the source of a container image for other registries than GHCR), or further extend the metadata we gather for an image artifact which is part of a Freight.
As the adoption of this is quite mature 1, 2, I think it would be wonderful to see if and how we can better utilize these within Kargo.
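The two uses discussed in this thread (ordering by `org.opencontainers.image.created` instead of push time, and surfacing `org.opencontainers.image.source`) can be sketched as follows. This is an added example, not Kargo's code: the `image` and `meta` types, the function names and the sample manifests are hypothetical and constructed, and the annotations are assumed to sit in the manifest's top-level `annotations` map.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// image is a hypothetical record: tag, raw OCI manifest JSON, registry push time.
type image struct{ Tag, Manifest string; Pushed time.Time }

// meta is what gets surfaced; FromAnnotation is false when push time was the fallback.
type meta struct{ Tag, Source string; BuildTime time.Time; FromAnnotation bool }

func surface(img image) meta {
	var m struct{ Annotations map[string]string }
	out := meta{Tag: img.Tag, BuildTime: img.Pushed}
	_ = json.Unmarshal([]byte(img.Manifest), &m) // on error the map stays nil and we fall back
	out.Source = m.Annotations["org.opencontainers.image.source"]
	// The spec defines created as an RFC 3339 date-time; missing or malformed values fall back.
	if t, err := time.Parse(time.RFC3339, m.Annotations["org.opencontainers.image.created"]); err == nil {
		out.BuildTime, out.FromAnnotation = t.UTC(), true
	}
	return out
}

// newestFirst orders images by build time, newest first, without mutating the input.
func newestFirst(imgs []image) []meta {
	out := make([]meta, 0, len(imgs))
	for _, i := range imgs {
		out = append(out, surface(i))
	}
	sort.SliceStable(out, func(a, b int) bool { return out[a].BuildTime.After(out[b].BuildTime) })
	return out
}

// Constructed sample: a mirror re-pushed 1.0.0 after 1.1.0, so push order is misleading.
var sample = []image{
	{"1.0.0", `{"annotations":{"org.opencontainers.image.created":"2024-01-10T08:00:00Z","org.opencontainers.image.source":"https://example.com/acme/app"}}`, time.Date(2024, 3, 1, 10, 5, 0, 0, time.UTC)},
	{"1.1.0", `{"annotations":{"org.opencontainers.image.created":"2024-02-01T08:00:00Z"}}`, time.Date(2024, 3, 1, 10, 0, 0, 0, time.UTC)},
	{"0.9.0", `{"annotations":{"org.opencontainers.image.created":"yesterday"}}`, time.Date(2023, 12, 1, 0, 0, 0, 0, time.UTC)},
}

func main() {
	for _, m := range newestFirst(sample) {
		fmt.Println(m.Tag, m.BuildTime.Format(time.RFC3339), m.FromAnnotation, m.Source)
	}
}
```

Both annotations are written by whoever built the image, so the surfaced source URL is a claim made by the publisher, not verified provenance.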