set index annotations on imagetools create

crazy-max · crazy-max · commit cd94e3f3347c · 2026-02-19T16:43:11.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/.github/workflows/.test-bake.yml b/.github/workflows/.test-bake.yml
@@ -561,3 +561,27 @@ jobs:
       sbom: true
       sign: ${{ github.event_name != 'pull_request' }}
       target: go-cross-with-contexts
+
+  bake-ghcr-index-annotations:
+    uses: ./.github/workflows/bake.yml
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    with:
+      context: test
+      output: image
+      push: ${{ github.event_name != 'pull_request' }}
+      sbom: true
+      target: hello-cross
+      set-meta-annotations: true
+      meta-images: ghcr.io/docker/github-builder-test
+      meta-tags: |
+        type=raw,value=bake-index-annotations-${{ github.run_id }}
+      meta-annotations: |
+        io.github.docker.github-builder.test-index-annotation=bake-${{ github.run_id }}
+    secrets:
+      registry-auths: |
+        - registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/.test-build.yml b/.github/workflows/.test-build.yml
@@ -578,3 +578,27 @@ jobs:
         - registry: registry-1-stage.docker.io
           username: ${{ vars.DOCKERHUB_STAGE_USERNAME }}
           password: ${{ secrets.DOCKERHUB_STAGE_TOKEN }}
+
+  build-ghcr-index-annotations:
+    uses: ./.github/workflows/build.yml
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+    with:
+      annotations: |
+        io.github.docker.github-builder.test-index-annotation=build-${{ github.run_id }}
+      file: test/hello.Dockerfile
+      output: image
+      platforms: linux/amd64,linux/arm64
+      push: ${{ github.event_name != 'pull_request' }}
+      sbom: true
+      set-meta-annotations: true
+      meta-images: ghcr.io/docker/github-builder-test
+      meta-tags: |
+        type=raw,value=build-index-annotations-${{ github.run_id }}
+    secrets:
+      registry-auths: |
+        - registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
@@ -948,12 +948,36 @@ jobs:
           INPUT_IMAGE-NAMES: ${{ inputs.meta-images }}
           INPUT_TAG-NAMES: ${{ steps.meta.outputs.tag-names }}
           INPUT_BUILD-OUTPUTS: ${{ toJSON(needs.build.outputs) }}
+          INPUT_SET-META-ANNOTATIONS: ${{ inputs.set-meta-annotations }}
+          INPUT_META-ANNOTATIONS: ${{ steps.meta.outputs.annotations }}
         with:
           script: |
             const inpPush = core.getBooleanInput('push');
             const inpImageNames = core.getMultilineInput('image-names');
             const inpTagNames = core.getMultilineInput('tag-names');
             const inpBuildOutputs = JSON.parse(core.getInput('build-outputs'));
+            const inpSetMetaAnnotations = core.getBooleanInput('set-meta-annotations');
+            const inpMetaAnnotations = core.getMultilineInput('meta-annotations');
+
+            const toIndexAnnotation = annotation => {
+              const keyEnd = annotation.indexOf('=');
+              const rawKey = keyEnd === -1 ? annotation : annotation.substring(0, keyEnd);
+              const rawValue = keyEnd === -1 ? '' : annotation.substring(keyEnd);
+              const typeSeparator = rawKey.indexOf(':');
+              if (typeSeparator !== -1) {
+                const typeExpr = rawKey.substring(0, typeSeparator);
+                const key = rawKey.substring(typeSeparator + 1);
+                const hasKnownType = typeExpr.split(',').map(type => type.replace(/\[.*\]$/, '')).some(type => ['manifest', 'index', 'manifest-descriptor', 'index-descriptor'].includes(type));
+                if (hasKnownType) {
+                  return `index:${key}${rawValue}`;
+                }
+              }
+              return `index:${annotation}`;
+            };
+            const indexAnnotations = [];
+            if (inpSetMetaAnnotations && inpMetaAnnotations.length > 0) {
+              indexAnnotations.push(...inpMetaAnnotations.filter(annotation => annotation.length > 0).map(toIndexAnnotation));
+            }
             
             const digests = [];
             for (const key of Object.keys(inpBuildOutputs)) {
@@ -972,6 +996,9 @@ jobs:
               for (const tag of inpTagNames) {
                 createArgs.push('-t', `${imageName}:${tag}`);
               }
+              for (const annotation of indexAnnotations) {
+                createArgs.push('--annotation', annotation);
+              }
               for (const digest of digests) {
                 createArgs.push(digest);
               }
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -801,12 +801,38 @@ jobs:
           INPUT_IMAGE-NAMES: ${{ inputs.meta-images }}
           INPUT_TAG-NAMES: ${{ steps.meta.outputs.tag-names }}
           INPUT_BUILD-OUTPUTS: ${{ toJSON(needs.build.outputs) }}
+          INPUT_ANNOTATIONS: ${{ inputs.annotations }}
+          INPUT_SET-META-ANNOTATIONS: ${{ inputs.set-meta-annotations }}
+          INPUT_META-ANNOTATIONS: ${{ steps.meta.outputs.annotations }}
         with:
           script: |
             const inpPush = core.getBooleanInput('push');
             const inpImageNames = core.getMultilineInput('image-names');
             const inpTagNames = core.getMultilineInput('tag-names');
             const inpBuildOutputs = JSON.parse(core.getInput('build-outputs'));
+            const inpAnnotations = core.getMultilineInput('annotations');
+            const inpSetMetaAnnotations = core.getBooleanInput('set-meta-annotations');
+            const inpMetaAnnotations = core.getMultilineInput('meta-annotations');
+
+            const toIndexAnnotation = annotation => {
+              const keyEnd = annotation.indexOf('=');
+              const rawKey = keyEnd === -1 ? annotation : annotation.substring(0, keyEnd);
+              const rawValue = keyEnd === -1 ? '' : annotation.substring(keyEnd);
+              const typeSeparator = rawKey.indexOf(':');
+              if (typeSeparator !== -1) {
+                const typeExpr = rawKey.substring(0, typeSeparator);
+                const key = rawKey.substring(typeSeparator + 1);
+                const hasKnownType = typeExpr.split(',').map(type => type.replace(/\[.*\]$/, '')).some(type => ['manifest', 'index', 'manifest-descriptor', 'index-descriptor'].includes(type));
+                if (hasKnownType) {
+                  return `index:${key}${rawValue}`;
+                }
+              }
+              return `index:${annotation}`;
+            };
+            if (inpSetMetaAnnotations && inpMetaAnnotations.length > 0) {
+              inpAnnotations.push(...inpMetaAnnotations);
+            }
+            const indexAnnotations = inpAnnotations.filter(annotation => annotation.length > 0).map(toIndexAnnotation);
             
             const digests = [];
             for (const key of Object.keys(inpBuildOutputs)) {
@@ -825,6 +851,9 @@ jobs:
               for (const tag of inpTagNames) {
                 createArgs.push('-t', `${imageName}:${tag}`);
               }
+              for (const annotation of indexAnnotations) {
+                createArgs.push('--annotation', annotation);
+              }
               for (const digest of digests) {
                 createArgs.push(digest);
               }
