Remove SOURCE_DATE_EPOCH from all our builds

.test/meta-commands/out.sh

@@ -3,26 +3,17 @@
 
 # </pull>
 # <build>
-SOURCE_DATE_EPOCH=1700741054 \
-	docker buildx build --progress=plain \
+docker buildx build --progress=plain \
 	--provenance=mode=max,builder-id='https://github.com/docker-library' \
 	--output '"type=oci","dest=temp.tar"' \
-	--annotation 'org.opencontainers.image.source=https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/cli' \
-	--annotation 'org.opencontainers.image.revision=6d541d27b5dd12639e5a33a675ebca04d3837d74' \
-	--annotation 'org.opencontainers.image.created=2023-11-23T12:04:14Z' \
-	--annotation 'org.opencontainers.image.version=24.0.7-cli' \
-	--annotation 'org.opencontainers.image.url=https://hub.docker.com/_/docker' \
-	--annotation 'com.docker.official-images.bashbrew.arch=amd64' \
-	--annotation 'org.opencontainers.image.base.name=alpine:3.18' \
-	--annotation 'org.opencontainers.image.base.digest=sha256:d695c3de6fcd8cfe3a6222b0358425d40adfd129a8a47c3416faff1a8aece389' \
-	--annotation 'manifest-descriptor:org.opencontainers.image.source=https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/cli' \
-	--annotation 'manifest-descriptor:org.opencontainers.image.revision=6d541d27b5dd12639e5a33a675ebca04d3837d74' \
-	--annotation 'manifest-descriptor:org.opencontainers.image.created=1970-01-01T00:00:00Z' \
-	--annotation 'manifest-descriptor:org.opencontainers.image.version=24.0.7-cli' \
-	--annotation 'manifest-descriptor:org.opencontainers.image.url=https://hub.docker.com/_/docker' \
-	--annotation 'manifest-descriptor:com.docker.official-images.bashbrew.arch=amd64' \
-	--annotation 'manifest-descriptor:org.opencontainers.image.base.name=alpine:3.18' \
-	--annotation 'manifest-descriptor:org.opencontainers.image.base.digest=sha256:d695c3de6fcd8cfe3a6222b0358425d40adfd129a8a47c3416faff1a8aece389' \
+	--annotation 'manifest,manifest-descriptor:org.opencontainers.image.source=https://github.com/docker-library/docker.git#6d541d27b5dd12639e5a33a675ebca04d3837d74:24/cli' \
+	--annotation 'manifest,manifest-descriptor:org.opencontainers.image.revision=6d541d27b5dd12639e5a33a675ebca04d3837d74' \
+	--annotation 'manifest,manifest-descriptor:org.opencontainers.image.created=1970-01-01T00:00:00Z' \
+	--annotation 'manifest,manifest-descriptor:org.opencontainers.image.version=24.0.7-cli' \
+	--annotation 'manifest,manifest-descriptor:org.opencontainers.image.url=https://hub.docker.com/_/docker' \
+	--annotation 'manifest,manifest-descriptor:com.docker.official-images.bashbrew.arch=amd64' \
+	--annotation 'manifest,manifest-descriptor:org.opencontainers.image.base.name=alpine:3.18' \
+	--annotation 'manifest,manifest-descriptor:org.opencontainers.image.base.digest=sha256:d695c3de6fcd8cfe3a6222b0358425d40adfd129a8a47c3416faff1a8aece389' \
 	--tag 'docker:24.0.7-cli' \
 	--tag 'docker:24.0-cli' \
 	--tag 'docker:24-cli' \
@@ -64,8 +55,7 @@ docker pull 'mcr.microsoft.com/windows/servercore@sha256:d4ab2dd7d3d0fce6edc5df4
 docker tag 'mcr.microsoft.com/windows/servercore@sha256:d4ab2dd7d3d0fce6edc5df459565a4c96bbb1d0148065b215ab5ddcab1e42eb4' 'mcr.microsoft.com/windows/servercore:ltsc2022'
 # </pull>
 # <build>
-SOURCE_DATE_EPOCH=1700741054 \
-	DOCKER_BUILDKIT=0 \
+DOCKER_BUILDKIT=0 \
 	docker build \
 	--tag 'docker:24.0.7-windowsservercore-ltsc2022' \
 	--tag 'docker:24.0-windowsservercore-ltsc2022' \

meta.jq

@@ -79,7 +79,15 @@ def build_annotations($buildUrl):
 		# https://github.com/opencontainers/image-spec/blob/v1.1.0/annotations.md#pre-defined-annotation-keys
 		"org.opencontainers.image.source": $buildUrl,
 		"org.opencontainers.image.revision": .source.entries[0].GitCommit,
-		"org.opencontainers.image.created": (.source.entries[0].SOURCE_DATE_EPOCH | strftime("%FT%TZ")), # see notes below about image index vs image manifest
+		"org.opencontainers.image.created": (
+			if .source.entries[0].Builder == "oci-import" then
+				.source.entries[0].SOURCE_DATE_EPOCH
+			else
+				env.SOURCE_DATE_EPOCH // now
+				| tonumber
+			end
+			| strftime("%FT%TZ")
+		),
 
 		# TODO come up with less assuming values here? (Docker Hub assumption, tag ordering assumption)
 		"org.opencontainers.image.version": ( # value of the first image tag
@@ -138,7 +146,6 @@ def build_command:
 		| [
 			(
 				[
-					@sh "SOURCE_DATE_EPOCH=\(.source.entries[0].SOURCE_DATE_EPOCH)",
 					# TODO EXPERIMENTAL_BUILDKIT_SOURCE_POLICY=<(jq ...)
 					"docker buildx build --progress=plain",
 					@sh "--provenance=mode=max,builder-id=\(buildkit_provenance_builder_id)",
@@ -156,24 +163,8 @@ def build_command:
 					),
 					(
 						build_annotations($buildUrl)
-						| to_entries
-						# separate loops so that "image manifest" annotations are grouped separate from the index/descriptor annotations (easier to read)
-						| (
-							.[]
-							| @sh "--annotation \(.key + "=" + .value)"
-						),
-						(
-							.[]
-							| @sh "--annotation \(
-								"manifest-descriptor:" + .key + "="
-								+ if .key == "org.opencontainers.image.created" then
-									# the "current" time breaks reproducibility (for the purposes of build verification), so we put "now" in the image index but "SOURCE_DATE_EPOCH" in the image manifest (which is the thing we'd ideally like to have reproducible, eventually)
-									(env.SOURCE_DATE_EPOCH // now) | tonumber | strftime("%FT%TZ")
-									# (this assumes the actual build is going to happen shortly after generating the command)
-								else .value end
-							)",
-							empty
-						)
+						| to_entries[]
+						| @sh "--annotation \("manifest,manifest-descriptor:\(.key + "=" + .value)")"
 					),
 					(
 						(
@@ -229,7 +220,6 @@ def build_command:
 		| [
 			(
 				[
-					@sh "SOURCE_DATE_EPOCH=\(.source.entries[0].SOURCE_DATE_EPOCH)",
 					"DOCKER_BUILDKIT=0",
 					"docker build",
 					(