Feature Request: Add "org.opencontainers.image.*" labels to policy OCI artifacts

[mueller-ma]

Is your feature request related to a problem?

I use a git repository to manage the policies that I want to apply to a Kubernetes cluster, including the name of the policy and its version. I use Renovate (https://docs.renovatebot.com/) to keep this version up to date as it opens PRs for every new version.

Compared to other PRs for container images, the ones for Kubewarden policies lack of information that would make a review easier. Here are two screenshots (from GitLab, so the term MR is used instead of PR):

The PR for traefik is easier to review, because it contains a changelog and "traefik" (inside the table) is linked to https://github.com/traefik/traefik.

Solution you'd like

Renovate (and other tools) is using the container image labels org.opencontainers.image.* to know where the repo and changelog for an image is:

• https://docs.renovatebot.com/modules/datasource/docker/#description
• https://github.com/opencontainers/image-spec/blob/main/annotations.md

As you have the GitHub actions centralized in this repo, it should be possible to add the labels for all policies in one step.

Alternatives you've considered

No response

Anything else?

PS: Where do I find the changelog of a policy, e.g. https://github.com/kubewarden/container-resources-policy/tree/main ?

[viccuad]

Hi, thanks for opening this issue! Indeed, this would be a nice feature for both Kubewarden container images and policy Wasm modules.

PS: Where do I find the changelog of a policy?

Right now, besides some exceptions like kubewarden/cel-policy, policies don't have an associated changelog. Since policies are secure, small and self-contained, they rarely have worthwhile updates with new or revised functionality that constitute a minor or major version bump. Nevertheless this would be a good addition.

---

Acceptance criteria

For all policies:

• [ ] Enable release-drafter in policies and policy templates (e.g: config + workflow).
• [ ] Update reusable-release-policy-X workflows in kubewarden/github-actions to publish the already present draft GH release (e.g here).

For all policies and container images (controller, policy-server, audit-scanner)

• [ ] Investigate which OCI metadata annotations are useful, as they can be consumed by ArtifactHub and Renovatebot.
• [ ] Update release jobs to annotate OCI image artifacts with:
  • org.opencontainers.image.source allows Renovatebot to find the GH release changelog.
  • Other annotations that may be taken from GH info or policies metadata.yml.