docker / metadata-action

GitHub Action to extract metadata (tags, labels) from Git reference and GitHub events for Docker
https://github.com/marketplace/actions/docker-metadata-action
Apache License 2.0

org.opencontainers.image.source is missing from the annotations section of the manifests #355

Closed SamirMarin closed 11 months ago

SamirMarin commented 1 year ago

Description

Multi-arch images built and pushed using the bake action aren't being linked to their respective GitHub repositories due to the absence of the org.opencontainers.image.source annotation in the OCI image manifests.

We are utilizing the bake action to create and push a multi-arch image to the GitHub OCI registry. While the push to the registry is successful, the image does not get linked to its GitHub repository. Upon reaching out to GitHub support, they indicated the linking issue arises because the org.opencontainers.image.source is absent from the annotations section of the OCI image manifests.

In the bake file definition, I noticed that the label does contain the org.opencontainers.image.source information. However, this seems insufficient as it's not being transferred to the image manifest upon pushing.

From my understanding, for GitHub to link multi-arch images to their corresponding repositories, the org.opencontainers.image.source key in the manifest's annotations field needs to be set.

I'm unsure if this behavior is a bug or if the feature to add the necessary annotations is not yet implemented in the bake action. If it's the latter, I'd be happy to submit a feature issue instead. Any assistance or direction on this matter would be greatly appreciated.

Expected behaviour

The org.opencontainers.image.source key is set in the annotations field of the image manifest.

Actual behaviour

No org.opencontainers.image.source key is set in the annotations field of the image manifest.

Repository URL

No response

Workflow run URL

No response

YAML workflow

steps:

      - name: Checkout
        uses: actions/checkout@v4

      - name: Generate docker metadata
        id: docker-metadata
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ inputs.owner }}/${{ inputs.name }}
          tags: |
            ${{ inputs.tags }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Github Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.PKG_TOKEN }}

      - name: Build
        uses: docker/bake-action@v4
        env:
          GITHUB_TOKEN: ${{ secrets.PKG_TOKEN }}
        with:
          files: |
            ${{ inputs.bake-files }}
            ${{ steps.docker-metadata.outputs.bake-file }}
          targets: |
            ${{ inputs.targets }}
          push: ${{ inputs.push }}
          set: |
            *.secrets=id=GITHUB_TOKEN
            ${{ inputs.bake-set }}

Workflow logs

No response

BuildKit logs

No response

Additional info

No response

crazy-max commented 12 months ago

This will be fixed with https://github.com/docker/metadata-action/pull/353 and https://github.com/docker/metadata-action/pull/352 and would look like this:

      -
        name: Build
        uses: docker/bake-action@v4
        with:
          files: |
            ./test/docker-bake.hcl
            ${{ steps.docker_meta.outputs.bake-file }}
            ${{ steps.docker_meta.outputs.bake-file-annotations-index }}
          targets: |
            release

More info: https://github.com/crazy-max/docker-metadata-action/tree/annotations-alt#annotations

I'm moving this one to the metadata-action repo.

crazy-max commented 11 months ago

> Upon reaching out to GitHub support, they indicated the linking issue arises because the org.opencontainers.image.source is absent from the annotations section of the OCI image manifests.

AFAIK GitHub relies on the OCI labels in the image config, not annotations, to enhance the container package UI, such as org.opencontainers.image.source to display the README, like https://github.com/crazy-max/undock/pkgs/container/undock. See https://explore.ggcr.dev/?blob=crazymax/undock@sha256:b284b0f1a2a9b0c6227be1d7a8051f2418fb81e16c0b99e08fe984a6079b11ea&mt=application%2Fvnd.oci.image.config.v1%2Bjson&size=1965&manifest=crazymax/undock@sha256:b1be9d37c9a083956a8d8b424c119a9950b4903c8ff911e2f3b405586153609f

But maybe it has changed and takes both into account now; I will run some tests on my side to make sure of it.

Do you have a link to your repo and container package btw?
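
Added example, not part of the thread and not code from the metadata-action project: the thread turns on whether org.opencontainers.image.source sits in the image config's labels or in the annotations of the index and manifests, so this sketch walks a multi-arch image's documents and reports every place the key is set. The function names, digests and repository URL are constructed placeholders; the field names (annotations, manifests, config.Labels) are the OCI image-spec ones.

```python
SOURCE_KEY = "org.opencontainers.image.source"

def find_key(index, manifests, configs, key=SOURCE_KEY):
    """Map each place the key is set (index, descriptor, manifest, config) to its value."""
    found = {}
    def note(where, mapping):
        if mapping and key in mapping:
            found[where] = mapping[key]
    note("index.annotations", index.get("annotations"))
    for desc in index.get("manifests", []):
        plat = desc.get("platform", {})
        arch = f"{plat.get('os')}/{plat.get('architecture')}"
        note(f"{arch} descriptor.annotations", desc.get("annotations"))
        manifest = manifests[desc["digest"]]
        note(f"{arch} manifest.annotations", manifest.get("annotations"))
        config = configs[manifest["config"]["digest"]]
        note(f"{arch} config.Labels", config.get("config", {}).get("Labels"))
    return found

# Constructed sample data: digests and the repository URL are placeholders.
REPO = "https://github.com/example-owner/example-repo"

def sample(index_annotations=None):
    """Build a two-platform image whose configs carry the label, as in the report."""
    index = {"schemaVersion": 2,
             "mediaType": "application/vnd.oci.image.index.v1+json",
             "manifests": []}
    if index_annotations:
        index["annotations"] = index_annotations
    manifests, configs = {}, {}
    for arch in ("amd64", "arm64"):
        m_digest, c_digest = f"sha256:manifest-{arch}", f"sha256:config-{arch}"
        index["manifests"].append({
            "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": m_digest,
            "platform": {"os": "linux", "architecture": arch}})
        manifests[m_digest] = {"schemaVersion": 2, "config": {"digest": c_digest}, "layers": []}
        configs[c_digest] = {"architecture": arch, "os": "linux",
                             "config": {"Labels": {SOURCE_KEY: REPO}}}
    return index, manifests, configs

LABELS_ONLY = find_key(*sample())                       # label in config, no annotation
WITH_INDEX_ANNOTATION = find_key(*sample({SOURCE_KEY: REPO}))

if __name__ == "__main__":
    for title, result in (("labels only", LABELS_ONLY),
                          ("labels + index annotation", WITH_INDEX_ANNOTATION)):
        print(title, *(f"  {w}: {v}" for w, v in result.items()), sep="\n")
```

For a real image, the index and manifests can be fetched with `docker buildx imagetools inspect --raw` and fed to the same function.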