Add OCI image annotations to gcr.io/projectsigstore/cosign images

[candrews]

Description

I'd love to see OCI image annotations added to the gcr.io/projectsigstore/cosign images (including the -dev ones).

These annotations are useful for people to use manually and for use by tools. For example, Snyk uses them in its UI and Renovate uses them to find release notes.

At least these annotations would be great to set (and suggested values from GitHub's environment variables

• org.opencontainers.image.source=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY
• org.opencontainers.image.revision=$GITHUB_SHA
• org.opencontainers.image.ref.name=$GITHUB_REF
• if $GITHUB_REF_TYPE=tag then org.opencontainers.image.version=$GITHUB_REF_NAME
• org.opencontainers.image.url=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY
• org.opencontainers.image.created=$(date -Iseconds)

Other annotations would be great to add too, of course.

Currently, the only annotations set are org.opencontainers.image.base.digest and org.opencontainers.image.base.name:

$ crane manifest gcr.io/projectsigstore/cosign:v2.4.0  | jq '{ annotations}'
2024/08/21 14:19:50 No matching credentials were found, falling back on anonymous
{
  "annotations": {
    "org.opencontainers.image.base.digest": "sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65",
    "org.opencontainers.image.base.name": "gcr.io/distroless/static-debian12:nonroot"
  }
}