Capture source context for build container image

[steren]

Cloud Run will soon display information from the Container Analysis API related to the provenance of the deployed container image.

Because the button literally deploys from GitHub, it would be very useful to capture which GitHub repo and commit were used to build the container, so that users can know if they are up to date.

[jamesward]

Cool. By "capture" you just mean, let the user know more explicitly, or put that info somewhere?

[steren]

I mean automatically send the info the the Container Analysis API.

[ahmetb]

I think this is doable. I havent understood the api fully but I’m assuming it only works with sha256 refs; not tags.
That would likely only work for Dockerfile mode where we can collect the sha256 ref of the image from stdout if docker build cmd.

[steren]

this is what needs to be populated.

In Java, I've been told it's at occurrence.getBuild().getProvenance().getSourceProvenance().getContext().getGit()

[ahmetb]

API is quite damn cryptic but I believe I can GET some of the Occurrences and work my way from there...