annotate and label bootc artifacts #116

Merged: bennyz merged 1 commit into centos-automotive-suite:main from bennyz:builder-image-annotations, Feb 15, 2026

bennyz (Contributor) commented Feb 15, 2026

annotate and label the bootc disk and base container image respectively with the builder image used

Summary by CodeRabbit

  • New Features
    • Container images now include a builder-image metadata annotation and config label when available.
    • Build pipeline captures and propagates the builder image reference through all push paths (including OCI/boot artifacts).
    • Builder image is exported as a build result for downstream consumption and auditing.

coderabbitai (Bot) commented Feb 15, 2026

📝 Walkthrough

Adds capturing of the effective builder image as a pipeline result/param and propagates it into image/artifact pushes by injecting an annotation and config label (automotive.sdv.cloud.redhat.com/builder-image) into OCI manifests and push commands.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Build Image Script: internal/common/tasks/scripts/build_image.sh | Writes effective BUILDER_IMAGE to /tekton/results/builder-image; when set, converts the pushed image to an OCI dir, runs an embedded Python injector to add automotive.sdv.cloud.redhat.com/builder-image annotation and config label, then pushes the annotated OCI image and cleans up. |
| Push Artifact Script: internal/common/tasks/scripts/push_artifact.sh | Adds builder-image input handling; appends a JSON-escaped automotive.sdv.cloud.redhat.com/builder-image annotation to multi-arch manifest annotations and adds --annotation to single-file ORAS pushes when provided. |
| Task & Pipeline Specs: internal/common/tasks/tasks.go | Introduces builder-image Task params and Pipeline result; wires param/result through prepare-builder, build-automotive-image, push-disk-artifact and push-artifact-registry tasks so downstream steps receive the builder image value. |
| Controller Provenance: internal/controller/imagebuild/controller.go | Reads builder image provenance from pipeline result key builder-image (replacing builder-image-ref). |

Sequence Diagram

sequenceDiagram
    participant Pipeline as Build Pipeline
    participant BuildTask as build-image Task
    participant Results as Task Results
    participant PushTask as push-artifact Task
    participant Registry as Container Registry

    Pipeline->>BuildTask: start build (builder image env)
    BuildTask->>BuildTask: capture effective BUILDER_IMAGE
    BuildTask->>Results: write builder-image result
    BuildTask->>BuildTask: if BUILDER_IMAGE set -> create OCI dir and inject annotation/label
    BuildTask->>Registry: push annotated image (via OCI or skopeo)
    Pipeline->>PushTask: start push with builder-image param
    PushTask->>PushTask: include annotation in manifest/config or ORAS push
    PushTask->>Registry: push artifact with annotation
    Registry->>Registry: store annotated artifact

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • use multi layer push #55 — Modifies the same push/image push flow and annotation handling in push_artifact.sh and build_image.sh.

Suggested reviewers

  • bkhizgiy

Poem

🐰 I hopped through manifests, small and spry,
I tucked the builder's name where layers lie,
From build to push it travels near,
A tiny tag for all to hear,
Hooray — the image knows who crafted it! 🎉

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'annotate and label bootc artifacts' directly describes the main change: adding annotations and labels to bootc artifacts with builder image information. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Merge Conflict Detection | ✅ Passed | ✅ No merge conflicts detected when merging into main |


No actionable comments were generated in the recent review. 🎉

🧹 Recent nitpick comments
internal/common/tasks/scripts/push_artifact.sh (1)

359-361: Unquoted $builder_image_used may break on values with spaces.

When annotation_args is expanded unquoted on line 374 (by design, for word splitting), a builder image value containing spaces would be incorrectly split. This matches the existing pattern for $file_list on line 355, but container image references could theoretically contain special characters. Low risk since image refs rarely have spaces, but worth noting.

♻️ Safer alternative using an array (optional)

If you ever want to harden this, the idiomatic approach is to accumulate arguments in an array rather than a space-delimited string, similar to how build_image.sh uses declare -a arrays.

internal/common/tasks/scripts/build_image.sh (1)

376-411: Embedded Python for OCI manifest manipulation works but is dense and hard to maintain.

The logic correctly updates both the config label and the manifest annotation, recomputes digests, and rewrites blobs. A few observations:

  1. No error handling in the Python script — if the OCI layout is unexpected (empty manifests array, missing blobs), the script will fail with a raw traceback. Since set -e is active, this will abort the build, which is the right behavior, but a friendlier error message would help debugging.

  2. The cleanup on line 411 (rm -rf "${OCI_DIR:-/tmp/nonexistent}") is good defensive coding against an unset variable.

Consider extracting this Python snippet into a standalone script file for testability and readability in future iterations.



@bennyz bennyz requested a review from bkhizgiy February 15, 2026 13:52
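
The review comment above describes an injector that sets both the config label and the manifest annotation, recomputes digests, rewrites blobs, and would benefit from readable errors on an unexpected OCI layout. The sketch below is an added example of that technique, not the script embedded in build_image.sh; the function names, the single-manifest assumption and the constructed sample layout are assumptions made here.

```python
import hashlib, json, os

KEY = "automotive.sdv.cloud.redhat.com/builder-image"  # key quoted on this page

def put_blob(layout, obj):
    """Serialize obj into blobs/sha256/<digest>; return (digest, size)."""
    data = json.dumps(obj, separators=(",", ":")).encode()
    hexd = hashlib.sha256(data).hexdigest()
    os.makedirs(os.path.join(layout, "blobs", "sha256"), exist_ok=True)
    with open(os.path.join(layout, "blobs", "sha256", hexd), "wb") as f:
        f.write(data)
    return "sha256:" + hexd, len(data)

def get_blob(layout, digest):
    """Load a JSON blob by digest, failing with a readable message."""
    path = os.path.join(layout, "blobs", *digest.split(":", 1))
    if not os.path.isfile(path):
        raise SystemExit(f"OCI layout error: blob {digest} not found in {layout}")
    with open(path, "rb") as f:
        return json.load(f)

def inject_builder_image(layout, builder_image):
    """Set KEY as config label and manifest annotation; return new manifest digest."""
    index_path = os.path.join(layout, "index.json")
    with open(index_path) as f:
        index = json.load(f)
    if not index.get("manifests"):
        raise SystemExit(f"OCI layout error: no manifests listed in {index_path}")
    desc = index["manifests"][0]  # assumption: layout holds a single image
    manifest = get_blob(layout, desc["digest"])
    config = get_blob(layout, manifest["config"]["digest"])
    inner = config.get("config") or {}   # "config" may be absent or null
    labels = inner.get("Labels") or {}   # "Labels" is often null
    config["config"] = {**inner, "Labels": {**labels, KEY: builder_image}}
    # Config bytes changed: re-link manifest -> config, then index -> manifest.
    manifest["config"]["digest"], manifest["config"]["size"] = put_blob(layout, config)
    manifest.setdefault("annotations", {})[KEY] = builder_image
    desc["digest"], desc["size"] = put_blob(layout, manifest)
    with open(index_path, "w") as f:
        json.dump(index, f)
    return desc["digest"]

def make_sample_layout(root):
    """Constructed minimal layout (one manifest, no layers) written into root."""
    cfg = put_blob(root, {"architecture": "arm64", "os": "linux", "config": {"Labels": None}})
    man = put_blob(root, {"schemaVersion": 2, "layers": [],
                          "config": {"digest": cfg[0], "size": cfg[1]}})
    with open(os.path.join(root, "index.json"), "w") as f:
        json.dump({"schemaVersion": 2, "manifests": [{"digest": man[0], "size": man[1]}]}, f)
    return root
```

Rewriting the config changes its digest, so the previous config and manifest blobs stay in the layout directory as unreferenced files until the directory is removed.
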
annotate and label the bootc disk and base container image
respectively with the builder image used

Signed-off-by: Benny Zlotnik <bzlotnik@redhat.com>
@bennyz bennyz force-pushed the builder-image-annotations branch from aa15567 to 255c31a February 15, 2026 13:57
@bennyz bennyz merged commit c87462a into centos-automotive-suite:main Feb 15, 2026
4 checks passed
@bennyz bennyz deleted the builder-image-annotations branch February 15, 2026 17:08
This was referenced Feb 16, 2026