Chainguard annotations are, but should not be, propagated to multi-platform manifest

[MikeSpreitzer]

When I ko build a multi-platform manifest, my manifest ends up with annotations attributing it to chainguard. Here is what I found:

{"org.opencontainers.image.authors": "Chainguard Team https://www.chainguard.dev/",
 "org.opencontainers.image.base.digest": "sha256:fce1fdce595332afe7f339303ae288c349c4e4139d926f8c7ccf4b7ca2911553",
 "org.opencontainers.image.base.name": "cgr.dev/chainguard/static:latest",
 "org.opencontainers.image.source": "https://github.com/chainguard-images/images/tree/main/images/static",
 "org.opencontainers.image.url": "https://edu.chainguard.dev/chainguard/chainguard-images/reference/static/"}

[cpanato]

if you don't specify the base image that you want to use in your ko build it will use a default one which is cgr.dev/chainguard/static:latest you can check where we define that in https://github.com/ko-build/ko/blob/main/pkg/commands/options/build.go#L33

[MikeSpreitzer]

This is not a question. This is a bug. The problem is not the annotations that identify the base image. The problem is the other annotations.

[github-actions]

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.

[peterhirn]

Reopen, eg. chainguard labels mixed in with my labels

"Labels": {
    "org.opencontainers.image.authors": "Chainguard Team https://www.chainguard.dev/",
    "org.opencontainers.image.created": "2024-09-09T05:27:49Z",
    "org.opencontainers.image.licenses": "MIT",
    "org.opencontainers.image.revision": "f97aa24922679eeabdf6d9e4b219c7cd889b4685",
    "org.opencontainers.image.source": "https://github.com/phi-ag/mta-sts-exporter",
    "org.opencontainers.image.url": "https://images.chainguard.dev/directory/image/static/overview",
    "org.opencontainers.image.vendor": "Chainguard",
    "org.opencontainers.image.version": "1.7.36"
}

Build
.ko.yaml