feat: add org.opencontainers.image.revision OCI label to all container images

Add GIT_COMMIT build arg and org.opencontainers.image.revision label to
all 7 production Dockerfiles so the source commit SHA is embedded in
every container image. This enables identifying deployed code via
`skopeo inspect` without pulling the image.

Also passes GIT_COMMIT in CI workflows (components-build-deploy.yml,
prod-release-deploy.yaml) and all Makefile build targets.

Closes #1269

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: 2 people

.github/workflows/components-build-deploy.yml

@@ -124,7 +124,9 @@ jobs:
           platforms: ${{ matrix.arch.platform }}
           push: true
           tags: ${{ matrix.component.image }}:${{ github.sha }}-${{ matrix.arch.suffix }}
-          build-args: AMBIENT_VERSION=${{ github.sha }}
+          build-args: |
+            AMBIENT_VERSION=${{ github.sha }}
+            GIT_COMMIT=${{ github.sha }}
           cache-from: type=gha,scope=${{ matrix.component.name }}-${{ matrix.arch.suffix }}
           cache-to: type=gha,mode=max,scope=${{ matrix.component.name }}-${{ matrix.arch.suffix }}
 
@@ -137,7 +139,9 @@ jobs:
           platforms: ${{ matrix.arch.platform }}
           push: true
           tags: ${{ matrix.component.image }}:pr-${{ github.event.pull_request.number }}-${{ matrix.arch.suffix }}
-          build-args: AMBIENT_VERSION=${{ github.sha }}
+          build-args: |
+            AMBIENT_VERSION=${{ github.sha }}
+            GIT_COMMIT=${{ github.sha }}
           cache-from: type=gha,scope=${{ matrix.component.name }}-${{ matrix.arch.suffix }}
           cache-to: type=gha,mode=max,scope=${{ matrix.component.name }}-${{ matrix.arch.suffix }}
 

.github/workflows/prod-release-deploy.yaml

@@ -294,7 +294,9 @@ jobs:
           platforms: ${{ matrix.arch.platform }}
           push: true
           tags: ${{ matrix.component.image }}:${{ needs.release.outputs.new_tag }}-${{ matrix.arch.suffix }}
-          build-args: AMBIENT_VERSION=${{ needs.release.outputs.new_tag }}
+          build-args: |
+            AMBIENT_VERSION=${{ needs.release.outputs.new_tag }}
+            GIT_COMMIT=${{ github.sha }}
           cache-from: type=gha,scope=${{ matrix.component.name }}-${{ matrix.arch.suffix }}
           cache-to: type=gha,mode=max,scope=${{ matrix.component.name }}-${{ matrix.arch.suffix }}
 

Makefile

@@ -168,43 +168,50 @@ build-all: build-frontend build-backend build-operator build-runner build-state-
 build-frontend: ## Build frontend image
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Building frontend with $(CONTAINER_ENGINE)..."
 	@cd components/frontend && $(CONTAINER_ENGINE) build $(PLATFORM_FLAG) $(BUILD_FLAGS) \
+		--build-arg GIT_COMMIT=$(shell git rev-parse HEAD) \
 		-t $(FRONTEND_IMAGE) .
 	@echo "$(COLOR_GREEN)✓$(COLOR_RESET) Frontend built: $(FRONTEND_IMAGE)"
 
 build-backend: ## Build backend image
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Building backend with $(CONTAINER_ENGINE)..."
 	@cd components/backend && $(CONTAINER_ENGINE) build $(PLATFORM_FLAG) $(BUILD_FLAGS) \
 		--build-arg AMBIENT_VERSION=$(shell git describe --tags --always --dirty) \
+		--build-arg GIT_COMMIT=$(shell git rev-parse HEAD) \
 		-t $(BACKEND_IMAGE) .
 	@echo "$(COLOR_GREEN)✓$(COLOR_RESET) Backend built: $(BACKEND_IMAGE)"
 
 build-operator: ## Build operator image
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Building operator with $(CONTAINER_ENGINE)..."
 	@cd components/operator && $(CONTAINER_ENGINE) build $(PLATFORM_FLAG) $(BUILD_FLAGS) \
+		--build-arg GIT_COMMIT=$(shell git rev-parse HEAD) \
 		-t $(OPERATOR_IMAGE) .
 	@echo "$(COLOR_GREEN)✓$(COLOR_RESET) Operator built: $(OPERATOR_IMAGE)"
 
 build-runner: ## Build Claude Code runner image
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Building runner with $(CONTAINER_ENGINE)..."
 	@cd components/runners/ambient-runner && $(CONTAINER_ENGINE) build $(PLATFORM_FLAG) $(BUILD_FLAGS) \
+		--build-arg GIT_COMMIT=$(shell git rev-parse HEAD) \
 		-t $(RUNNER_IMAGE) .
 	@echo "$(COLOR_GREEN)✓$(COLOR_RESET) Runner built: $(RUNNER_IMAGE)"
 
 build-state-sync: ## Build state-sync image for S3 persistence
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Building state-sync with $(CONTAINER_ENGINE)..."
 	@cd components/runners/state-sync && $(CONTAINER_ENGINE) build $(PLATFORM_FLAG) $(BUILD_FLAGS) \
+		--build-arg GIT_COMMIT=$(shell git rev-parse HEAD) \
 		-t $(STATE_SYNC_IMAGE) .
 	@echo "$(COLOR_GREEN)✓$(COLOR_RESET) State-sync built: $(STATE_SYNC_IMAGE)"
 
 build-public-api: ## Build public API gateway image
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Building public-api with $(CONTAINER_ENGINE)..."
 	@cd components/public-api && $(CONTAINER_ENGINE) build $(PLATFORM_FLAG) $(BUILD_FLAGS) \
+		--build-arg GIT_COMMIT=$(shell git rev-parse HEAD) \
 		-t $(PUBLIC_API_IMAGE) .
 	@echo "$(COLOR_GREEN)✓$(COLOR_RESET) Public API built: $(PUBLIC_API_IMAGE)"
 
 build-api-server: ## Build ambient API server image
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Building ambient-api-server with $(CONTAINER_ENGINE)..."
 	@cd components/ambient-api-server && $(CONTAINER_ENGINE) build $(PLATFORM_FLAG) $(BUILD_FLAGS) \
+		--build-arg GIT_COMMIT=$(shell git rev-parse HEAD) \
 		-t $(API_SERVER_IMAGE) .
 	@echo "$(COLOR_GREEN)✓$(COLOR_RESET) API server built: $(API_SERVER_IMAGE)"
 
@@ -347,7 +354,7 @@ local-status: check-kubectl ## Show status of local deployment
 
 local-reload-api-server: check-local-context ## Rebuild and reload ambient-api-server only
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Rebuilding ambient-api-server..."
-	@$(CONTAINER_ENGINE) build $(PLATFORM_FLAG) -t $(API_SERVER_IMAGE) components/ambient-api-server >/dev/null 2>&1
+	@$(CONTAINER_ENGINE) build $(PLATFORM_FLAG) --build-arg GIT_COMMIT=$(shell git rev-parse HEAD) -t $(API_SERVER_IMAGE) components/ambient-api-server >/dev/null 2>&1
 	@$(CONTAINER_ENGINE) tag $(API_SERVER_IMAGE) localhost/$(API_SERVER_IMAGE) 2>/dev/null || true
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Loading image into kind cluster ($(KIND_CLUSTER_NAME))..."
 	@$(CONTAINER_ENGINE) save localhost/$(API_SERVER_IMAGE) | \
@@ -962,6 +969,7 @@ kind-reload-backend: check-kind check-kubectl check-local-context ## Rebuild and
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Rebuilding backend..."
 	@cd components/backend && $(CONTAINER_ENGINE) build $(PLATFORM_FLAG) \
 		--build-arg AMBIENT_VERSION=$(shell git describe --tags --always --dirty) \
+		--build-arg GIT_COMMIT=$(shell git rev-parse HEAD) \
 		-t $(BACKEND_IMAGE) . $(QUIET_REDIRECT)
 	@$(CONTAINER_ENGINE) tag $(BACKEND_IMAGE) localhost/$(BACKEND_IMAGE) 2>/dev/null || true
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Loading image into kind cluster ($(KIND_CLUSTER_NAME))..."
@@ -976,6 +984,7 @@ kind-reload-backend: check-kind check-kubectl check-local-context ## Rebuild and
 kind-reload-frontend: check-kind check-kubectl check-local-context ## Rebuild and reload frontend only (kind)
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Rebuilding frontend..."
 	@cd components/frontend && $(CONTAINER_ENGINE) build $(PLATFORM_FLAG) \
+		--build-arg GIT_COMMIT=$(shell git rev-parse HEAD) \
 		-t $(FRONTEND_IMAGE) . $(QUIET_REDIRECT)
 	@$(CONTAINER_ENGINE) tag $(FRONTEND_IMAGE) localhost/$(FRONTEND_IMAGE) 2>/dev/null || true
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Loading image into kind cluster ($(KIND_CLUSTER_NAME))..."
@@ -990,6 +999,7 @@ kind-reload-frontend: check-kind check-kubectl check-local-context ## Rebuild an
 kind-reload-operator: check-kind check-kubectl check-local-context ## Rebuild and reload operator only (kind)
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Rebuilding operator..."
 	@cd components/operator && $(CONTAINER_ENGINE) build $(PLATFORM_FLAG) \
+		--build-arg GIT_COMMIT=$(shell git rev-parse HEAD) \
 		-t $(OPERATOR_IMAGE) . $(QUIET_REDIRECT)
 	@$(CONTAINER_ENGINE) tag $(OPERATOR_IMAGE) localhost/$(OPERATOR_IMAGE) 2>/dev/null || true
 	@echo "$(COLOR_BLUE)▶$(COLOR_RESET) Loading image into kind cluster ($(KIND_CLUSTER_NAME))..."

components/ambient-api-server/Dockerfile

@@ -18,6 +18,8 @@ RUN go build -ldflags="-s -w" -o ambient-api-server ./cmd/ambient-api-server
 # Runtime stage
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 
+ARG GIT_COMMIT=unknown
+
 RUN \
     microdnf install -y \
     util-linux \
@@ -33,4 +35,5 @@ ENTRYPOINT ["/usr/local/bin/ambient-api-server", "serve"]
 LABEL name="ambient-api-server" \
       version="0.0.1" \
       summary="Ambient API Server" \
-      description="REST API server for the Ambient Code Platform"
+      description="REST API server for the Ambient Code Platform" \
+      org.opencontainers.image.revision=$GIT_COMMIT

components/backend/Dockerfile

@@ -21,6 +21,8 @@ RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w -X main.GitVersion=${AMBIE
 # Final stage
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 
+ARG GIT_COMMIT=unknown
+
 RUN microdnf install -y git && microdnf clean all
 WORKDIR /app
 
@@ -39,4 +41,6 @@ USER 1001
 EXPOSE 8080
 
 # Command to run the executable
+LABEL org.opencontainers.image.revision=$GIT_COMMIT
+
 CMD ["./main"]

components/frontend/Dockerfile

@@ -32,6 +32,8 @@ RUN npm run build
 # Production image, copy all the files and run next
 FROM registry.access.redhat.com/ubi9/nodejs-20-minimal AS runner
 
+ARG GIT_COMMIT=unknown
+
 WORKDIR /app
 
 ENV NODE_ENV=production
@@ -64,4 +66,6 @@ ENV HOSTNAME="0.0.0.0"
 
 # server.js is created by next build from the standalone output
 # https://nextjs.org/docs/pages/api-reference/next-config-js/output
+LABEL org.opencontainers.image.revision=$GIT_COMMIT
+
 CMD ["node", "server.js"]

components/operator/Dockerfile

@@ -27,6 +27,8 @@ RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o operator .
 # Final stage
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 
+ARG GIT_COMMIT=unknown
+
 WORKDIR /app
 
 RUN microdnf install -y procps && microdnf clean all
@@ -37,6 +39,8 @@ COPY --from=builder /app/operator .
 # Set executable permissions and make accessible to any user
 RUN chmod +x ./operator && chmod 775 /app
 
+LABEL org.opencontainers.image.revision=$GIT_COMMIT
+
 USER 1001
 
 # Use ENTRYPOINT so that args from K8s are appended, not replaced

components/public-api/Dockerfile

@@ -18,6 +18,8 @@ RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-w -s" -o public-api .
 # Runtime stage
 FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7
 
+ARG GIT_COMMIT=unknown
+
 WORKDIR /app
 
 # Copy binary from builder
@@ -36,4 +38,6 @@ HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
     CMD curl -sf http://localhost:8081/health || exit 1
 
 # Run the binary
+LABEL org.opencontainers.image.revision=$GIT_COMMIT
+
 ENTRYPOINT ["./public-api"]

components/runners/ambient-runner/Dockerfile

@@ -1,5 +1,7 @@
 FROM registry.access.redhat.com/ubi10/ubi@sha256:f573194e8e5231f1c9340c497e1f8d9aa9dbb42b2849e60341e34f50eec9477e
 
+ARG GIT_COMMIT=unknown
+
 USER 0
 
 # --- Pinned tool versions (bumped by runner-tool-versions workflow) ---
@@ -69,4 +71,6 @@ EXPOSE 8001
 
 # Start FastAPI AG-UI server using uvicorn
 # The main module is installed as part of the package
+LABEL org.opencontainers.image.revision=$GIT_COMMIT
+
 CMD ["/bin/bash", "-c", "umask 0022 && cd /app/ambient-runner && uvicorn main:app --host 0.0.0.0 --port 8001"]

components/runners/state-sync/Dockerfile

@@ -1,5 +1,7 @@
 FROM alpine:3.21
 
+ARG GIT_COMMIT=unknown
+
 RUN apk add --no-cache rclone git jq bash sqlite
 
 # Copy scripts
@@ -10,4 +12,6 @@ COPY sync.sh /usr/local/bin/sync.sh
 RUN chmod +x /usr/local/bin/hydrate.sh /usr/local/bin/sync.sh
 
 # Default to sync.sh (used by sidecar)
+LABEL org.opencontainers.image.revision=$GIT_COMMIT
+
 ENTRYPOINT ["/usr/local/bin/sync.sh"]