isle-buildkit#377: Add opencontainers annotations for image source, URL

[xurizaemon]

Add opencontainers annotations to images

Refs #377

Generated with:

for DOCKERFILE in */Dockerfile ; do DIR=$( dirname $DOCKERFILE ) ; sed -i '3 a LABEL org.opencontainers.image.url=https://github.com/Islandora-DevOps/isle-buildkit/\n' $DOCKERFILE ; sed -i "3 a LABEL org.opencontainers.image.source=https://github.com/Islandora-DevOps/isle-buildkit/tree/main/$DIR" $DOCKERFILE ; done

[xurizaemon]

Looks like this could be done via https://docs.docker.com/build/bake/reference/#targetannotations if that's preferred?

[joecorall]

I think these labels are useful to add and this is a good start. Though I do not think they will help with a changelog in systems like renovate - for that we should work on making better release notes in our GitHub releases and folks using renovate should use their github release data source to get updates.

We probably need to add some build args to populate some of the values in the proposed labels, as the source of the image isn't always the main branch (e.g. when building images off a PR).

[nigelgbanks]

I'm afraid that using build arguments for annotations like this will invalidate caching and force rebuilds for images that are otherwise identical. I'd prefer to rely on https://docs.docker.com/build/metadata/attestations/slsa-provenance/ as they are not baked into the image and denote many aspects of how the image was built. This is not currently implemented in our build process, but I've tested it locally, and I am integrating it into other work that I'm doing.

Looks like this could be done via https://docs.docker.com/build/bake/reference/#targetannotations if that's preferred?

Yes, this is prefered as it goes into the image metadata for the repository rather than the image itself.

[xurizaemon]

OK, I'll close this if you have existing WIP on it. Would be happy to look at a Bake approach of that's helpful, please say so if it is!