Open cldmnky opened 2 years ago
Annotations for blobs
We are using cosign to upload (and sign) release artifacts as blobs. We currently use something like:
cosign upload blob -f ./release/linux/myapp:linux/amd64 -f ./release/darwin/myapp:darwin/amd64 -f ./release/windows/myapp.exe:windows/amd64 private-registry.tld/foo/myapp/myapp:{{ .releaseVersion }}
It would be useful to be able to add (common) annotations to the descriptor(s) for the manifests to store some more information:
cosign upload blob -a date=xxxx -a name="a name" -f ./release/linux/myapp:linux/amd64 -f ./release/darwin/myapp:darwin/amd64 -f ./release/windows/myapp.exe:windows/amd64 private-registry.tld/foo/myapp/myapp:{{ .releaseVersion }}
This way we can in our custom code get a bit more metadata on the releases we have stored in the registry.
I'll be happy to prepare a PR if it makes sense!
Maybe a different flag to make sure it's clear these are unprotected (not signed)?
Good point, I'll open a PR so we can figure out the flag name.
Annotations for blobs
We are using cosign to upload (and sign) release artifacts as blobs. We currently use something like:
cosign upload blob -f ./release/linux/myapp:linux/amd64 -f ./release/darwin/myapp:darwin/amd64 -f ./release/windows/myapp.exe:windows/amd64 private-registry.tld/foo/myapp/myapp:{{ .releaseVersion }}
It would be useful to be able to add (common) annotations to the descriptor(s) for the manifests to store some more information:
cosign upload blob -a date=xxxx -a name="a name" -f ./release/linux/myapp:linux/amd64 -f ./release/darwin/myapp:darwin/amd64 -f ./release/windows/myapp.exe:windows/amd64 private-registry.tld/foo/myapp/myapp:{{ .releaseVersion }}
This way we can in our custom code get a bit more metadata on the releases we have stored in the registry.
I'll be happy to prepare a PR if it makes sense!