@AshCorr AshCorr commented Apr 8, 2024

Description

The OCI image specification and Buildah support Annotations in addition to Labels. Repositories such as GHCR rely on OCI Annotations for displaying image metadata like Description and Title in their UIs.

Related Issue(s)

Resolves #127

Checklist

  • This PR includes a documentation change
  • This PR does not need a documentation change

  • This PR includes test changes
  • This PR's changes are already tested

  • This change is not user-facing
  • This change is a patch change
  • This change is a minor change
  • This change is a major (breaking) change

Changes made

  • Add a new annotations input which passes its arguments as --annotation parameters to Buildah. Requires Image to be built in the OCI format.

@AshCorr AshCorr marked this pull request as ready for review April 8, 2024 13:26
@skoved skoved removed this from Issue Tracking Aug 21, 2025
@skoved skoved moved this to In Progress in Issue Tracking Aug 26, 2025
@skoved skoved moved this from In Progress to Need Review in Issue Tracking Aug 26, 2025
@Nicolas-Peiffer

Hey, this PR is probably a good idea. But here are a couple of things I noticed that might be of interest to you.

Indeed, while using Red Hat buildah-build GA as a replacement for my Kaniko GA, I noticed in my container manifest files that my labels from my own Containerfile (LABEL org.opencontainers.image.) were ignored and overridden by labels that are automatically set by buildah.

Also, I notice that buildah build and labels behave differently when I set --oci=true ("mediaType": "application/vnd.oci.image.manifest.v1+json",) or --oci=false ("mediaType": "application/vnd.docker.distribution.manifest.v2+json",)

Indeed, see this result below from my project testing-github-actions

My Containerfile contains these OCI annotations, which I set with the LABEL keyword since there is no other way to set annotations inside a Containerfile (to my knowledge).

# See https://github.com/opencontainers/image-spec/blob/main/annotations.md
# See https://specs.opencontainers.org/image-spec/annotations/
ARG LABEL_CREATED=""
ARG LABEL_AUTHOR="My Email <[email protected]>"
ARG LABEL_URL="ghcr.io/nicolas-peiffer/testing-github-actions"
ARG LABEL_DOCUMENTATION="https://github.com/Nicolas-Peiffer/testing-github-actions"
ARG LABEL_SOURCE="https://github.com/Nicolas-Peiffer/testing-github-actions"
ARG LABEL_VERSION=""
ARG LABEL_REVISION=""
ARG LABEL_VENDOR="My Vendor"
ARG LABEL_LICENSES="MIT"
ARG LABEL_TITLE="My Container Image"
ARG LABEL_REF_NAME=""
ARG LABEL_DESCRIPTION="The purpose of this project is to test github action that build containers"
ARG LABEL_BASE_DIGEST=""
ARG BASE_REGISTRY
ARG BASE_IMAGE
ARG BASE_IMAGE_TAG
ARG LABEL_BASE_NAME="${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_IMAGE_TAG}"
LABEL org.opencontainers.image.created="${LABEL_CREATED}"
LABEL org.opencontainers.image.authors="${LABEL_AUTHOR}"
LABEL org.opencontainers.image.url="${LABEL_URL}"
LABEL org.opencontainers.image.documentation="${LABEL_DOCUMENTATION}"
LABEL org.opencontainers.image.source="${LABEL_SOURCE}"
LABEL org.opencontainers.image.version="${LABEL_VERSION}"
LABEL org.opencontainers.image.revision="${LABEL_REVISION}"
LABEL org.opencontainers.image.vendor="${LABEL_VENDOR}"
LABEL org.opencontainers.image.licenses="${LABEL_LICENSES}"
LABEL org.opencontainers.image.title="${LABEL_TITLE}"
LABEL org.opencontainers.image.ref.name="${LABEL_REF_NAME}"
LABEL org.opencontainers.image.description="${LABEL_DESCRIPTION}"
LABEL org.opencontainers.image.base.digest="${LABEL_BASE_DIGEST}"
LABEL org.opencontainers.image.base.name="${LABEL_BASE_NAME}"

[Screenshot: redhat-buildah]

When building with buildah build --oci=false (docker v2 manifest, on the left of my screenshot), I can see in the manifest my labels LABEL from my Containerfile. But when building with buildah build --oci=true (oci v1 manifest, on the right of my screenshot), I can see that my labels have been overridden by buildah. In both situations, especially with the OCI v1 manifest, I only have labels and no annotations.

Note: for some labels/annotations like the org.opencontainers.image.created timestamp or digest, I find it a good thing that buildah sets this automatically. But I would like to cherry-pick and choose which labels/annotations I want buildah to set, and I want to choose which labels/annotations I want to inherit.

The latest buildah 1.41.0 has some kind of feature like --inherit-annotations=true and --inherit-labels=true.

But GitHub runners for Linux are using Ubuntu 24.04, which is using an older version of buildah, v1.33.7.

# this is a github runner as of september 2025
Run redhat-actions/buildah-build@v2
/usr/bin/buildah version
  /usr/bin/buildah version
  Version:         1.33.7
  Go Version:      go1.22.2
  Image Spec:      1.1.0-rc.5
  Runtime Spec:    1.1.0
  CNI Spec:        1.0.0
  libcni Version:  
  image Version:   5.29.2
  Git Commit:      
  Built:           Thu Jan  1 00:00:00 1970
  OS/Arch:         linux/amd64
  BuildPlatform:   linux/amd64

So I cannot even try to set --inherit-annotations=true/false when using redhat-actions/buildah-build@v2, as the buildah version of the runner is too old.

      - name: Build the OCI image buildah oci true
        id: buildah
        uses: redhat-actions/buildah-build@v2
        with:
          #context: ${{ env.BUILDAH_BUILD_CONTEXT }}
          containerfiles: |
            ${{ env.BASE_CONTAINERFILE_NAME }}
          layers: true
          oci: true
          tags: ${{ steps.docker-metadata.outputs.tags }}
          #labels: ${{ steps.docker-metadata.outputs.labels }}
          extra-args: |
            --created-annotation=true
            --inherit-annotations=true
            --inherit-labels=true
            --unsetannotation "org.opencontainers.image.url"
            --unsetlabel "org.opencontainers.image.url"
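
To make the label/annotation distinction in the comment above checkable, here is an added example (not part of the PR, the action's code, or the commenter's project) that compares the org.opencontainers.image.* labels stored in an image config with the annotations stored in its manifest. The two manifests and the config are constructed samples; in practice they would be the JSON printed by a tool such as skopeo inspect --raw (manifest) and skopeo inspect --config (config).

```python
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
DOCKER_MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"
PREFIX = "org.opencontainers.image."


def compare_metadata(manifest: dict, config: dict) -> dict:
    """Report where org.opencontainers.image.* keys live and where they disagree.

    Labels are read from the image config ("config" -> "Labels");
    annotations are read from the top-level "annotations" map of the manifest.
    """
    labels = (config.get("config") or {}).get("Labels") or {}
    annotations = manifest.get("annotations") or {}
    labels = {k: v for k, v in labels.items() if k.startswith(PREFIX)}
    annotations = {k: v for k, v in annotations.items() if k.startswith(PREFIX)}
    shared = labels.keys() & annotations.keys()
    return {
        # The Docker v2 manifest format defines no annotations field at all.
        "is_oci": manifest.get("mediaType") == OCI_MANIFEST,
        "label_only": sorted(labels.keys() - annotations.keys()),
        "annotation_only": sorted(annotations.keys() - labels.keys()),
        "mismatched": sorted(k for k in shared if labels[k] != annotations[k]),
    }


# Constructed sample data (not taken from a real image).
SAMPLE_CONFIG = {"config": {"Labels": {
    PREFIX + "title": "My Container Image",
    PREFIX + "description": "demo image",
    "io.buildah.version": "1.33.7",  # ignored: outside the OCI key namespace
}}}
SAMPLE_OCI = {"schemaVersion": 2, "mediaType": OCI_MANIFEST, "annotations": {
    PREFIX + "created": "2025-09-01T00:00:00Z",
    PREFIX + "title": "title set by the builder",
}}
SAMPLE_DOCKER = {"schemaVersion": 2, "mediaType": DOCKER_MANIFEST}

if __name__ == "__main__":
    for name, manifest in (("oci", SAMPLE_OCI), ("docker", SAMPLE_DOCKER)):
        print(name, compare_metadata(manifest, SAMPLE_CONFIG))
```

A non-empty label_only list on an OCI image is the situation described above: the metadata exists as labels, but a registry UI that reads annotations will not show it.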

andriisoldatenko commented Oct 8, 2025

Can we gladly ask you to review this PR @divyansh42?

Or maybe @skoved can help here?

Development

Successfully merging this pull request may close these issues.

[FEATURE] Annotation support