Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add OCI image annotations to docker hub published paketobuildpacks/builder-jammy-tiny images #132

Open
candrews opened this issue Feb 10, 2023 · 4 comments
Open

Add OCI image annotations to docker hub published paketobuildpacks/builder-jammy-tiny images #132

candrews opened this issue Feb 10, 2023 · 4 comments

Comments

@candrews
Copy link

Describe the Enhancement

The images published to https://hub.docker.com/r/paketobuildpacks/builder-jammy-tiny/ do not have OCI image annotations, such as org.opencontainers.image.source

I believe at least these labels should be added to the images:

  • org.opencontainers.image.source
  • org.opencontainers.image.revision

Motivation

These annotations are useful for people to manual use as well as for use by tools. For example, Snyk uses them in its UI and Renovate uses them to find release notes. I have multiple projects that would benefit from these Snyk and Renovate capabilities.
@robdimsdale
Copy link
Member

Hi @candrews - thanks for sharing this feedback. I'm not too familiar with OCI image annotations or how they're used, so let's make sure we're starting from the same understanding.

Currently, the builder-jammy-tiny image has the following opencontainers labels:

❯ docker inspect paketobuildpacks/builder-jammy-tiny | jq -r '.[].Config.Labels' | grep opencontainers
  "org.opencontainers.image.ref.name": "ubuntu",
  "org.opencontainers.image.version": "22.04"

It sounds like you're asking for the addition of (at least):

  • org.opencontainers.image.source
  • org.opencontainers.image.revision

Can you help me understand how those would be used and what values you would expect? For example, following your link to Renovate I see that it references the location of Dockerfile:

If you maintain a Docker image and want Renovate to find your changelogs, add a org.opencontainers.image.source field to your Dockerfile. The link must point to your GitHub or GitLab repository. Here's an example from our renovate/renovate Dockerfile:

But the repositories for builders (and stacks) don't have a single Dockerfile that completely describes the image. In the stacks case, there are Dockerfiles but they are incomplete; they rely on tooling to dynamically add values like which packages are installed.

If we can identify a set of labels that we can and should be providing values for, we can write an RFC to do this for all the Paketo Builders, and potentially stacks too.

@candrews
Copy link
Author

Can you help me understand how those would be used and what values you would expect?

For example, for this project, I'd like to see the docker image docker.io/paketobuildpacks/builder-jammy-tiny:0.0.106 have org.opencontainers.image.source set to https://github.com/paketo-buildpacks/builder-jammy-tiny. That way, Renovate could look at the image, find the Github project, look for a release in that project that matches the image tag (0.0.106 in this example), find the release notes (which are at https://github.com/paketo-buildpacks/builder-jammy-tiny/releases/tag/v0.0.106) and include those release notes in the pull request it creates.

You can see an example Renovate PR candrews/jumpstart#388 for docker.io/paketobuildpacks/builder-jammy-tiny:0.0.106. Note that it doesn't have release notes.

If the org.opencontainers.image.source was to be set on the image, that PR would have release notes.

Besides Renovate, there are other uses for this information. Snyk uses them in its UI in very similar way to Renovate.

There's also a manual use case. I've had many cases of coming across a project that uses an image, but I no idea where to find that image's source code - the org.opencontainers.image.source label would answer that question.

@robdimsdale
Copy link
Member

Ah, ok. Thanks for providing that additional context.

I think the best way to proceed would be to create an RFC for all stacks/builder images to have these additional image labels. That way we can identify which additional labels we want to add and what their contents should be. And we can define it in such a way that it applies to all stacks/builders, not just this specific builder (i.e. jammy-tiny).

If you want to write that RFC that would be great. I'd be more than happy to provide pointers. If not - no worries. I think this RFC is worth creating but it might take a while for me to write it up.

@candrews
Copy link
Author

I wrote and submitted an RFC: paketo-buildpacks/rfcs#307

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@candrews @robdimsdale