Open candrews opened 1 year ago
Hi @candrews - thanks for sharing this feedback. I'm not too familiar with OCI image annotations or how they're used, so let's make sure we're starting from the same understanding.
Currently, the builder-jammy-tiny image has the following opencontainers labels:
❯ docker inspect paketobuildpacks/builder-jammy-tiny | jq -r '.[].Config.Labels' | grep opencontainers
"org.opencontainers.image.ref.name": "ubuntu",
"org.opencontainers.image.version": "22.04"
It sounds like you're asking for the addition of (at least):
org.opencontainers.image.source
org.opencontainers.image.revision
Can you help me understand how those would be used and what values you would expect? For example, following your link to Renovate I see that it references the location of Dockerfile:
If you maintain a Docker image and want Renovate to find your changelogs, add a org.opencontainers.image.source field to your Dockerfile. The link must point to your GitHub or GitLab repository. Here's an example from our renovate/renovate Dockerfile:
But the repositories for builders (and stacks) don't have a single Dockerfile that completely describes the image. In the stacks case, there are Dockerfiles but they are incomplete; they rely on tooling to dynamically add values like which packages are installed.
If we can identify a set of labels that we can and should be providing values for, we can write an RFC to do this for all the Paketo Builders, and potentially stacks too.
Can you help me understand how those would be used and what values you would expect?
For example, for this project, I'd like to see the docker image docker.io/paketobuildpacks/builder-jammy-tiny:0.0.106 have org.opencontainers.image.source set to https://github.com/paketo-buildpacks/builder-jammy-tiny. That way, Renovate could look at the image, find the GitHub project, look for a release in that project that matches the image tag (0.0.106 in this example), find the release notes (which are at https://github.com/paketo-buildpacks/builder-jammy-tiny/releases/tag/v0.0.106) and include those release notes in the pull request it creates.
You can see an example Renovate PR https://github.com/candrews/jumpstart/pull/388 for docker.io/paketobuildpacks/builder-jammy-tiny:0.0.106. Note that it doesn't have release notes.
If the org.opencontainers.image.source was to be set on the image, that PR would have release notes.
Besides Renovate, there are other uses for this information. Snyk uses them in its UI in a very similar way to Renovate.
There's also a manual use case. I've had many cases of coming across a project that uses an image, but I have no idea where to find that image's source code - the org.opencontainers.image.source label would answer that question.
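The lookup described in the comment above (image label, then repository, then release notes), as an added example that is not part of the original thread and is not Renovate's or Paketo's code. The function names, the constructed `docker inspect` JSON, the placeholder revision and the "v" + tag release naming (taken from the thread's single example) are assumptions.

```python
import json
from urllib.parse import urlparse

REQUIRED = ("org.opencontainers.image.source", "org.opencontainers.image.revision")

# Constructed `docker inspect` output, trimmed to the fields used here.
# CURRENT mirrors the labels shown in the thread; PROPOSED adds the two
# requested labels, with a placeholder revision value.
CURRENT = json.dumps([{"Config": {"Labels": {
    "org.opencontainers.image.ref.name": "ubuntu",
    "org.opencontainers.image.version": "22.04"}}}])
PROPOSED = json.dumps([{"Config": {"Labels": {
    "org.opencontainers.image.ref.name": "ubuntu",
    "org.opencontainers.image.version": "22.04",
    "org.opencontainers.image.source":
        "https://github.com/paketo-buildpacks/builder-jammy-tiny",
    "org.opencontainers.image.revision": "<commit-sha-placeholder>"}}}])


def oci_labels(inspect_json):
    """Return the label map of the first image in `docker inspect` output."""
    config = json.loads(inspect_json)[0].get("Config") or {}
    return config.get("Labels") or {}


def missing_labels(labels):
    """List the requested provenance labels that are absent or empty."""
    return [name for name in REQUIRED if not labels.get(name)]


def release_notes_url(labels, tag):
    """Derive the GitHub release page for an image tag, or None.

    Labels are set by whoever built the image, so the source value is
    validated (https, github.com, owner/repo path) before it is used.
    Assumes releases are tagged "v" + image tag, as in the thread's example.
    """
    url = urlparse(labels.get("org.opencontainers.image.source") or "")
    parts = [p for p in url.path.split("/") if p]
    if url.scheme != "https" or url.hostname != "github.com" or len(parts) != 2:
        return None
    return f"https://github.com/{parts[0]}/{parts[1]}/releases/tag/v{tag}"


if __name__ == "__main__":
    for name, doc in (("current", CURRENT), ("proposed", PROPOSED)):
        labels = oci_labels(doc)
        print(name, missing_labels(labels), release_notes_url(labels, "0.0.106"))
```

With the labels the image carries today, both requested labels are reported missing and no release URL can be derived.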
Ah, ok. Thanks for providing that additional context.
I think the best way to proceed would be to create an RFC for all stacks/builder images to have these additional image labels. That way we can identify which additional labels we want to add and what their contents should be. And we can define it in such a way that it applies to all stacks/builders, not just this specific builder (i.e. jammy-tiny).
If you want to write that RFC that would be great. I'd be more than happy to provide pointers. If not - no worries. I think this RFC is worth creating but it might take a while for me to write it up.
I wrote and submitted an RFC: https://github.com/paketo-buildpacks/rfcs/pull/307
Describe the Enhancement
The images published to https://hub.docker.com/r/paketobuildpacks/builder-jammy-tiny/ do not have OCI image annotations, such as org.opencontainers.image.source
I believe at least these labels should be added to the images:
org.opencontainers.image.source
org.opencontainers.image.revision
Motivation
These annotations are useful for people to use manually as well as for use by tools. For example, Snyk uses them in its UI and Renovate uses them to find release notes. I have multiple projects that would benefit from these Snyk and Renovate capabilities.