feat(packages): add OCI metadata labels (#899)

wuhuizuo · web-flow · commit 8fffed320830 · 2026-02-12T09:05:37.000Z
## Summary - add OCI standard labels to package artifacts and image builds - propagate component name and default license into build context ## Testing - ./.github/scripts/ci.sh Refs #493
diff --git a/packages/scripts/build-package-artifacts.sh.tmpl b/packages/scripts/build-package-artifacts.sh.tmpl
@@ -245,12 +245,20 @@ function prepare_artifact_config() {
     local save_file="$1"
 
     :> "$save_file"
-    yq -p json -o json -i '.["org.opencontainers.image.version"] = "{{ .version }}"' "$save_file"
-    yq -p json -o json -i '.["net.pingcap.tibuild.os"] = "{{ .os }}"' "$save_file"
-    yq -p json -o json -i '.["net.pingcap.tibuild.architecture"] = "{{ .arch }}"' "$save_file"
-    yq -p json -o json -i '.["net.pingcap.tibuild.profile"] = "{{ .profile }}"' "$save_file"
-    yq -p json -o json -i '.["net.pingcap.tibuild.git-sha"] = "{{ .git.sha }}"' "$save_file"
-    yq -p json -o json -i '.["net.pingcap.tibuild.tiup"] = []' "$save_file"
+    # Inject OCI standard metadata labels and PingCAP build labels.
+    yq -p json -o json -i '
+        .["org.opencontainers.image.version"] = "{{ .version }}" |
+        .["org.opencontainers.image.title"] = "{{ .component }}" |
+        .["org.opencontainers.image.licenses"] = "{{ .license | default "Apache-2.0" }}" |
+        .["org.opencontainers.image.source"] = "{{ .git.url }}" |
+        .["org.opencontainers.image.ref.name"] = "{{ .git.ref }}" |
+        .["org.opencontainers.image.revision"] = "{{ .git.sha }}" |
+        .["net.pingcap.tibuild.os"] = "{{ .os }}" |
+        .["net.pingcap.tibuild.architecture"] = "{{ .arch }}" |
+        .["net.pingcap.tibuild.profile"] = "{{ .profile }}" |
+        .["net.pingcap.tibuild.git-sha"] = "{{ .git.sha }}" |
+        .["net.pingcap.tibuild.tiup"] = []
+    ' "$save_file"
 
     {{- if has (coll.Slice "release" "next-gen") .profile }}
     {{- range (.artifacts | jq `map(select((.type == "file" or .type == null) and .if != false and .tiup != null))`) }}
diff --git a/packages/scripts/build-package-images.sh.tmpl b/packages/scripts/build-package-images.sh.tmpl
@@ -150,7 +150,19 @@ build_and_push_images() {
 
     ################# build and push image ################
     tag="{{ index $tags 0 }}"
-    kaniko_global_options="--cleanup --cache=false --label net.pingcap.tibuild.new=yes --label net.pingcap.tibuild.git-sha={{.git.sha}}"
+    # Inject OCI standard metadata labels and PingCAP build labels.
+    kaniko_global_options="--cleanup --cache=false"
+    kaniko_global_options="$kaniko_global_options --label net.pingcap.tibuild.new=yes"
+    {{ if .git.sha }}
+    kaniko_global_options="$kaniko_global_options --label net.pingcap.tibuild.git-sha={{ .git.sha }}"
+    {{ end }}
+    kaniko_global_options="$kaniko_global_options --label org.opencontainers.image.title={{ .component }}"
+    kaniko_global_options="$kaniko_global_options --label org.opencontainers.image.licenses={{ .license | default "Apache-2.0" }}"
+    kaniko_global_options="$kaniko_global_options --label org.opencontainers.image.source={{ .git.url }}"
+    kaniko_global_options="$kaniko_global_options --label org.opencontainers.image.ref.name={{ .git.ref }}"
+    {{ if .git.sha }}
+    kaniko_global_options="$kaniko_global_options --label org.opencontainers.image.revision={{ .git.sha }}"
+    {{ end }}
     :> "$digests_file"
 {{ range (.artifacts | jq `map(select(.type == "image" and .if != false))`) }}
     # >>>>>>>>>>>>>>>> image: {{ .name }} >>>>>>>>>>>>>>>>
diff --git a/packages/scripts/gen-package-artifacts-with-config.sh b/packages/scripts/gen-package-artifacts-with-config.sh
@@ -48,13 +48,17 @@ function main() {
         echo "❌ No package routes matched for the target($target_info)." >&2
         exit 1
     fi
-    yq ".routers[0].git = .git" release-package.yaml | yq ".routers[0]" >release-router.yaml
+    yq ".routers[0].git = .git | .routers[0].license = .license" release-package.yaml | yq ".routers[0]" >release-router.yaml
 
     # generate package build script
-    yq -i ".os = \"$os\"" release-router.yaml
-    yq -i ".arch = \"$arch\"" release-router.yaml
-    yq -i ".profile = \"$profile\"" release-router.yaml
-    yq -i ".version = \"$version\"" release-router.yaml
+    yq -i "
+        .component = \"$component\" |
+        .license = (.license // \"Apache-2.0\") |
+        .os = \"$os\" |
+        .arch = \"$arch\" |
+        .profile = \"$profile\" |
+        .version = \"$version\"
+    " release-router.yaml
     yq -i ".steps = .steps[.profile]" release-router.yaml
     yq -i ".steps = (.steps | map(select(.os == null or .os == \"$os\")))" release-router.yaml
     yq -i ".steps = (.steps | map(select(.arch == null or .arch == \"$arch\")))" release-router.yaml
diff --git a/packages/scripts/gen-package-images-with-config.sh b/packages/scripts/gen-package-images-with-config.sh
@@ -54,12 +54,16 @@ function main() {
         echo "❌ No package routes matched for the target($target_info)."
         exit 1
     fi
-    yq ".routers[0].git = .git" release-package.yaml | yq ".routers[0]" >release-router.yaml
+    yq ".routers[0].git = .git | .routers[0].license = .license" release-package.yaml | yq ".routers[0]" >release-router.yaml
 
     # generate package build script
-    yq -i ".os = \"$os\"" release-router.yaml
-    yq -i ".arch = \"$arch\"" release-router.yaml
-    yq -i ".profile = \"$profile\"" release-router.yaml
+    yq -i "
+        .component = \"$component\" |
+        .license = (.license // \"Apache-2.0\") |
+        .os = \"$os\" |
+        .arch = \"$arch\" |
+        .profile = \"$profile\"
+    " release-router.yaml
     yq -i ".steps = .steps[.profile]" release-router.yaml
     yq -i ".steps = (.steps | map(select(.os == null or .os == \"$os\")))" release-router.yaml
     yq -i ".steps = (.steps | map(select(.arch == null or .arch == \"$arch\")))" release-router.yaml
