
Add OCI image annotations to gcr.io/projectsigstore/cosign images

Open candrews opened this issue 1 year ago • 0 comments

Description

I'd love to see OCI image annotations added to the gcr.io/projectsigstore/cosign images (including the -dev ones).

These annotations are useful for people to use manually and for use by tools. For example, Snyk uses them in its UI and Renovate uses them to find release notes.

At least these annotations would be great to set (and suggested values from GitHub's environment variables):

  • org.opencontainers.image.source=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY
  • org.opencontainers.image.revision=$GITHUB_SHA
  • org.opencontainers.image.ref.name=$GITHUB_REF
  • if $GITHUB_REF_TYPE=tag then org.opencontainers.image.version=$GITHUB_REF_NAME
  • org.opencontainers.image.url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY
  • org.opencontainers.image.created=$(date -Iseconds)

Other annotations would be great to add too, of course.

Currently, the only annotations set are org.opencontainers.image.base.digest and org.opencontainers.image.base.name:

$ crane manifest gcr.io/projectsigstore/cosign:v2.4.0  | jq '{ annotations}'
2024/08/21 14:19:50 No matching credentials were found, falling back on anonymous
{
  "annotations": {
    "org.opencontainers.image.base.digest": "sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65",
    "org.opencontainers.image.base.name": "gcr.io/distroless/static-debian12:nonroot"
  }
}

candrews avatar Aug 21 '24 18:08 candrews