Add source and description labels to Dockerfile #162

Open
wants to merge 1 commit into
base: master
@austinvazquez austinvazquez commented Mar 29, 2024

Issue

Partially resolves #161

Description

This change adds the source and description (not needed but nice to have) labels needed by GitHub Dependabot to update usages of the registry container image.

Additional context

  1. https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file?learn=dependency_version_updates&learnProduct=code-security#docker
  2. https://github.com/dependabot-fixtures/docker-with-source

Contributor

tianon commented Mar 29, 2024

I can add a bit of "downstream" perspective here; hopefully it's helpful! 😅

See docker-library/official-images#3540, especially docker-library/official-images#3540 (comment):

We don't actively recommend using labels. If an image maintainer wants to have labels, that is fine, but label names should adhere to the image spec: https://github.com/opencontainers/image-spec/blob/v1.0.1/annotations.md

To expound, labels have really unfortunate inheritance behavior, and thus we actively avoid them in all the images we directly maintain.

You might also find docker-library/cassandra#260 interesting -- the short version is that our new build system (which we're working to roll out across all the images that are part of the Docker Official Images) will automatically inject appropriate annotations (which don't have the same undesirable inheritance behavior of labels) at the point where they can be done so with higher accuracy (effectively injecting metadata about the thing we're building, as we build it, instead of trying to maintain that same data in the code itself and ensure it is accurate over time).

Here is a recent example of a build with this data injected (see especially the annotations key at the end of the JSON):

https://oci.dag.dev/?image=mongo@sha256:a60951fd120f553fb925a7d32c841e9f268e83c0440e228732ce886573bda204&mt=application%2Fvnd.oci.image.manifest.v1%2Bjson&size=2671
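
An added example, not part of the thread or of either project's code: a check for the label inheritance concern raised above, taken here to mean that labels stored in a base image's config are carried into any image built FROM it unless the child Dockerfile overrides them. The two configs are constructed samples in the shape of one element of `docker image inspect` output, and the URLs and the function names are assumptions.

```python
import json

# Constructed sample data: trimmed image configs shaped like one element of
# `docker image inspect` output (.Config.Labels). URLs are placeholders.
BASE_CONFIG = json.loads("""
{"Config": {"Labels": {
  "org.opencontainers.image.source": "https://example.invalid/base/repo",
  "org.opencontainers.image.description": "Base image"
}}}
""")

# Child built FROM the base; its Dockerfile sets only a new description,
# so the source label still points at the base image's repository.
CHILD_CONFIG = json.loads("""
{"Config": {"Labels": {
  "org.opencontainers.image.source": "https://example.invalid/base/repo",
  "org.opencontainers.image.description": "Child application image"
}}}
""")

OCI_PREFIX = "org.opencontainers.image."


def labels_of(config):
    """Return the label map of an inspect-style config, tolerating null or missing keys."""
    return (config.get("Config") or {}).get("Labels") or {}


def inherited_oci_labels(base_config, child_config):
    """List OCI labels whose value in the child is identical to the base.

    Such a label was inherited through FROM (or repeated verbatim). For an
    identity key like image.source that means the child advertises the base
    image's metadata as its own, which misleads tooling that trusts it.
    """
    base, child = labels_of(base_config), labels_of(child_config)
    return sorted(
        key for key, value in child.items()
        if key.startswith(OCI_PREFIX) and base.get(key) == value
    )


if __name__ == "__main__":
    for key in inherited_oci_labels(BASE_CONFIG, CHILD_CONFIG):
        print(f"inherited from base, verify or override: {key}")
```
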

Successfully merging this pull request may close these issues.

Enable dependabot automation for registry container image