ko-build / ko

Build and deploy Go applications
https://ko.build
Apache License 2.0

Support setting OCI annotations in images built by ko - and stop inheriting all annotations #1395

Open afrittoli opened 3 weeks ago

afrittoli commented 3 weeks ago

OCI annotations can be set on manifests, to provide metadata about the images.

ko today supports setting labels (introduced by Docker) but not setting annotations (introduced by the OCI spec). It does set annotations related to the base image used, which is great, but it also sets additional annotations, inherited from the base image, which do not apply to the target image, and cannot be overwritten using ko.

This feature request stems from something I noticed on Tekton container images. Since Tekton uses Chainguard's base images and ko to build its images, the annotations resulting in Tekton images look like:

crane manifest gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/resolvers:v0.63.0@sha256:e3d170eb9bc04c6ee69306529c2f82e84296a52414e136ef16995ac179abcd12 | jq .annotations
{
  "org.opencontainers.image.authors": "Chainguard Team https://www.chainguard.dev/",
  "org.opencontainers.image.base.digest": "sha256:67a1b00e0134e2b3a614c7198a26f7deed9d11b7acad4d52c79c0cfd47a2eae7",
  "org.opencontainers.image.base.name": "cgr.dev/chainguard/static@sha256:67a1b00e0134e2b3a614c7198a26f7deed9d11b7acad4d52c79c0cfd47a2eae7",
  "org.opencontainers.image.source": "https://github.com/chainguard-images/images/tree/main/images/static",
  "org.opencontainers.image.url": "https://edu.chainguard.dev/chainguard/chainguard-images/reference/static/"
}

While the org.opencontainers.image.base part is correct, the values author, source and URL do not apply to Tekton images.
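
Added example, not part of the original issue and not ko's own code: a release-gate check in Go that parses a manifest like the one quoted above and lists every annotation that is neither an `org.opencontainers.image.base.*` reference nor a value the project itself declares. The function name, the expected `source` value and the placeholder digests are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

const basePrefix = "org.opencontainers.image.base."

// sampleManifest is constructed from the annotations quoted in the issue;
// the digest is replaced by a placeholder because the check does not read it.
const sampleManifest = `{"annotations": {
  "org.opencontainers.image.authors": "Chainguard Team https://www.chainguard.dev/",
  "org.opencontainers.image.base.digest": "sha256:PLACEHOLDER",
  "org.opencontainers.image.base.name": "cgr.dev/chainguard/static@sha256:PLACEHOLDER",
  "org.opencontainers.image.source": "https://github.com/chainguard-images/images/tree/main/images/static",
  "org.opencontainers.image.url": "https://edu.chainguard.dev/chainguard/chainguard-images/reference/static/"
}}`

// unexpectedAnnotations returns, sorted, every annotation key that is not a
// base-image reference and whose value is not the one the project declares.
func unexpectedAnnotations(manifest []byte, want map[string]string) ([]string, error) {
	var m struct {
		Annotations map[string]string `json:"annotations"`
	}
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	var bad []string
	for k, v := range m.Annotations {
		if strings.HasPrefix(k, basePrefix) {
			continue // describes the base image, which is correct for the built image
		}
		if exp, ok := want[k]; !ok || exp != v {
			bad = append(bad, k) // inherited or otherwise not declared by the project
		}
	}
	sort.Strings(bad)
	return bad, nil
}

func main() {
	// Assumed policy: the only descriptive annotation this project declares.
	want := map[string]string{"org.opencontainers.image.source": "https://github.com/tektoncd/pipeline"}
	bad, err := unexpectedAnnotations([]byte(sampleManifest), want)
	if err != nil {
		panic(err)
	}
	fmt.Println("annotations not declared by this project:", bad)
}
```

In a pipeline the manifest bytes would come from the `crane manifest` output shown in the issue rather than from the embedded sample.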