From e5e930d3811af6aa6a01d75defe3436bf080ac12 Mon Sep 17 00:00:00 2001
From: Offending Commit <offendingcommit@gmail.com>
Date: Fri, 29 May 2026 11:05:30 -0500
Subject: [PATCH] build(docker): bake org.opencontainers.image.source into the
 image
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The canonical, build-tool-independent way GHCR links a container package
to its repo is a Dockerfile LABEL baked into the image config — not
buildx/metadata-action annotations. Add it so freshly-created packages
auto-connect.

Note: GHCR evaluates the source at package CREATION, so this links new
packages; an already-orphaned package needs a one-time manual connect
(or delete + re-publish) regardless.

Type build → no version bump.
---
 Dockerfile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 8c15d47..2dd4001 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -30,6 +30,12 @@ RUN pnpm --filter @openconcho/web build
 # under a read-only filesystem with cap_drop ALL.
 FROM nginxinc/nginx-unprivileged:alpine
 
+# Baked into the image config — the canonical, build-tool-independent signal GHCR
+# reads to connect the published package to this repo. Evaluated at package
+# creation, so it links freshly-created packages without relying on buildx
+# annotation levels.
+LABEL org.opencontainers.image.source="https://github.com/offendingcommit/openconcho"
+
 COPY --chown=101:101 --from=builder /app/packages/web/dist /usr/share/nginx/html
 # Rendered to /etc/nginx/conf.d/default.conf by the image's envsubst entrypoint.
 COPY --chown=101:101 docker/nginx.conf.template /etc/nginx/templates/default.conf.template