Chainguard annotations are, but should not be, propagated to multi-platform manifest

[MikeSpreitzer]

When I ko build a multi-platform manifest, my manifest ends up with annotations attributing it to chainguard. Here is what I found:

{"org.opencontainers.image.authors": "Chainguard Team https://www.chainguard.dev/",
 "org.opencontainers.image.base.digest": "sha256:fce1fdce595332afe7f339303ae288c349c4e4139d926f8c7ccf4b7ca2911553",
 "org.opencontainers.image.base.name": "cgr.dev/chainguard/static:latest",
 "org.opencontainers.image.source": "https://github.com/chainguard-images/images/tree/main/images/static",
 "org.opencontainers.image.url": "https://edu.chainguard.dev/chainguard/chainguard-images/reference/static/"}

[cpanato]

if you don't specify the base image that you want to use in your ko build it will use a default one which is cgr.dev/chainguard/static:latest you can check where we define that in https://github.com/ko-build/ko/blob/main/pkg/commands/options/build.go#L33

[MikeSpreitzer]

This is not a question. This is a bug. The problem is not the annotations that identify the base image. The problem is the other annotations.

[github-actions[bot]]

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Keep fresh with the 'lifecycle/frozen' label.