What the issue is
Published Scriberr container images do not expose standard OCI provenance labels (especially git revision), making it difficult to map a running container image back to exact source code.
In practice, this prevents operators from quickly answering:
- Which commit is this container running?
- Is runtime behavior ahead/behind a known fix in git?
- Is this digest built from the expected branch/tag?
Why this is a problem
- Slows down production debugging and regression analysis.
- Makes reproducibility and incident response harder.
- Increases support burden (maintainers/users must manually infer code lineage from behavior).
- Prevents deterministic “digest -> commit -> PR” traceability.
Example observed gap
For image ghcr.io/rishikanthc/scriberr-cuda:latest with digest sha256:3babe419f7eb543a69de59071867aa8e6c7415dfb652683f39c4b355513a70e9, container labels did not include org.opencontainers.image.revision, so runtime image could not be directly mapped to a git SHA.
Expected behavior
Every published image should include a minimum OCI label set so users can reliably map container runtime to source:
- org.opencontainers.image.source
- org.opencontainers.image.revision
- org.opencontainers.image.version
- org.opencontainers.image.created
Recommended additional labels:
- org.opencontainers.image.url
- org.opencontainers.image.documentation
- org.opencontainers.image.licenses
- org.opencontainers.image.title
- org.opencontainers.image.description
Suggested values
Use CI/build metadata, for example:
- org.opencontainers.image.source: https://github.com/rishikanthc/Scriberr
- org.opencontainers.image.revision: full git commit SHA used for build
- org.opencontainers.image.version: release tag or semver (vX.Y.Z) or branch build identifier
- org.opencontainers.image.created: RFC3339 UTC timestamp from build pipeline
How to implement (Docker/CI)
Inject OCI labels at build time in Dockerfile and/or CI build command.
Example (Dockerfile):
ARG VCS_REF
ARG BUILD_DATE
ARG VERSION
LABEL org.opencontainers.image.source="https://github.com/rishikanthc/Scriberr" \
org.opencontainers.image.revision="$VCS_REF" \
org.opencontainers.image.version="$VERSION" \
org.opencontainers.image.created="$BUILD_DATE"
Example (build args from CI):
VCS_REF=$(git rev-parse HEAD)
BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
VERSION=<tag or release version>
Verification
After publishing, users should be able to run:
docker inspect <container-or-image> --format '{{json .Config.Labels}}'
and see the provenance labels populated, especially org.opencontainers.image.revision.
Acceptance criteria
- All official Scriberr images (including CUDA variants) contain the required OCI provenance labels.
- org.opencontainers.image.revision always matches the commit used to build the image.
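
One way to automate the verification and acceptance criteria above in CI or during incident triage. This is an added example, not code from the Scriberr project: `check_provenance` is a hypothetical helper that takes the JSON printed by the `docker inspect` command above, and the sample labels are constructed. It assumes a SHA-1 git repository (40-hex commit ids) and the timestamp format produced by the `date` command above.

```python
import json
import re
from datetime import datetime, timezone

REQUIRED = (
    "org.opencontainers.image.source",
    "org.opencontainers.image.revision",
    "org.opencontainers.image.version",
    "org.opencontainers.image.created",
)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")  # assumption: SHA-1 repo, full commit id


def check_provenance(labels_json, expected_revision=None):
    """Return a list of problems in `docker inspect` label JSON (empty list = pass)."""
    labels = json.loads(labels_json) or {}  # "null" is printed when no labels are set
    # An ARG that was never passed expands to "", so empty counts as missing.
    problems = [f"missing or empty: {k}" for k in REQUIRED if not labels.get(k)]
    rev = labels.get("org.opencontainers.image.revision")
    if rev:
        if not FULL_SHA.match(rev):
            problems.append("revision is not a full 40-hex git SHA")
        elif expected_revision and rev != expected_revision.lower():
            problems.append("revision does not match expected commit")
    created = labels.get("org.opencontainers.image.created")
    if created:
        try:
            ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
            if ts.replace(tzinfo=timezone.utc) > datetime.now(timezone.utc):
                problems.append("created timestamp is in the future")
        except ValueError:
            problems.append("created is not in YYYY-MM-DDTHH:MM:SSZ form")
    return problems


# Constructed sample inputs (not taken from any real Scriberr image).
GOOD = json.dumps({
    "org.opencontainers.image.source": "https://github.com/rishikanthc/Scriberr",
    "org.opencontainers.image.revision": "0123456789abcdef0123456789abcdef01234567",
    "org.opencontainers.image.version": "v0.0.0-example",
    "org.opencontainers.image.created": "2024-01-01T00:00:00Z",
})
BAD = json.dumps({
    "org.opencontainers.image.source": "https://github.com/rishikanthc/Scriberr",
    "org.opencontainers.image.revision": "",  # VCS_REF build arg was not passed
    "org.opencontainers.image.version": "latest",
    "org.opencontainers.image.created": "2024-01-01 10:00",
})
```

Pass the commit you expect (for example the SHA of the release tag) as `expected_revision` to turn the check into a digest-to-commit comparison.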