Set `created` date based on `org.opencontainers.image.created` annotation

[hanneskaeufler]

Fixes #661

Why?

Doing a docker inspect --format='{{.Created}}' my/image:latest on an image built with oci_image previously always returned the static beginning of the unix timestamp (1. January 1970 00:00:00). To be more precise, that's what it returns for images that are built "from scratch". When an image is built on a base, then the created date is set to the created date of the base image.

Both are fine strategies for reproducible builds, but in stamped builds that are eventually shipped/deployed, you probably want to set that time to the actual build time.

Stamping is already supported, e.g. by setting annotations, which can use stamp variables through a workspace status command.

Furthermore, the OCI image spec already defines an annotation to describe the time and date the image was built. Which of course, when docker load -i mytarball.tar is dutifully ignored by docker.

We can leverage this and, if the OCI annotation is provided, also set the created date to that same value. When it isn't, we simply fall back to the old behaviour.

Further thoughts

I of course debated

• adding a separate attribute created on the oci_image rule itself
• Documentation? We could add some explanation to the oci_image macro, but it already talks about annotations and somehow I feel like a mention of a specific label and creation date is too detail-oriented? Happy to change my mind ...
• not caring about docker. I have to check my specific use case again, but it might be that AWS ECR metadata APIs already interpret read the OCI annotation over the created field? Not sure ...
• How do we add a test for this? Seems the image.sh script itself is not tested in isolation so far. I have various local incarnations but eventually landed on the diff test using the docker CLI client. Seems like that's not available on CI though 🤷🏽

[thesayyn]

This implicit behavior is something i am really scared of, i always imagined we would add a new attribute to oci_image that takes a file (so its also stampable.)

[hanneskaeufler]

This implicit behavior is something i am really scared of

I totally get that! But what I feel is also dubious, is supplying both the created annotation and a created file. How do we consolidate that, or do we simply not?

[hanneskaeufler]

@thesayyn I implemented the alternative: #724 we can discuss over there for any open questions I have regarding that approach.