From 4ad6686fa80d02835bf5feb84031c88e691a7b25 Mon Sep 17 00:00:00 2001
From: John Simons <john.simons@particular.net>
Date: Mon, 24 Feb 2025 12:18:24 +1000
Subject: [PATCH 01/11] Improving provenance of image

Using native action to login to ghcr.io
Replaced multiple tagging commands with a single one
Using build-push-action instead of script
This adds the provenance by default, see https://docs.docker.com/build/ci/github-actions/attestations/#default-provenance
This given the image a better score in DockerHub scout health score
---
 .github/workflows/build-containers.yml        | 47 +++++++++----------
 .github/workflows/build-db-container.yml      |  8 +++-
 .../workflows/container-integration-test.yml  |  8 +++-
 .github/workflows/push-container-images.yml   | 26 +++++-----
 src/ServiceControl.Audit/Dockerfile           | 20 +++++---
 src/ServiceControl.Monitoring/Dockerfile      | 20 +++++---
 src/ServiceControl/Dockerfile                 | 21 ++++++---
 7 files changed, 90 insertions(+), 60 deletions(-)

diff --git a/.github/workflows/build-containers.yml b/.github/workflows/build-containers.yml
index 8f25d73b97..1a01f75b04 100644
--- a/.github/workflows/build-containers.yml
+++ b/.github/workflows/build-containers.yml
@@ -12,13 +12,10 @@ jobs:
         include:
           - name: servicecontrol
             project: ServiceControl
-            description: ServiceControl error instance
           - name: servicecontrol-audit
             project: ServiceControl.Audit
-            description: ServiceControl audit instance
           - name: servicecontrol-monitoring
             project: ServiceControl.Monitoring
-            description: ServiceControl monitoring instance
       fail-fast: false
     steps:
       - name: Check for secrets
@@ -38,26 +35,26 @@ jobs:
         with:
           version: ${{ env.MinVerVersion }}
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.9.0
+        uses: docker/setup-buildx-action@v3
       - name: Log in to GitHub container registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-      - name: Build & inspect image
-        env:
-          TAG_NAME: ${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.number) || env.MinVerVersion }}
-        run: |
-          docker buildx build --push --tag ghcr.io/particular/${{ matrix.name }}:${{ env.TAG_NAME }} \
-              --file src/${{ matrix.project }}/Dockerfile \
-              --build-arg VERSION=${{ env.MinVerVersion }} \
-              --annotation "index:org.opencontainers.image.title=${{ matrix.name }}" \
-              --annotation "index:org.opencontainers.image.description=${{ matrix.description }}" \
-              --annotation "index:org.opencontainers.image.created=$(date '+%FT%TZ')" \
-              --annotation "index:org.opencontainers.image.revision=${{ github.sha }}" \
-              --annotation "index:org.opencontainers.image.authors=Particular Software" \
-              --annotation "index:org.opencontainers.image.vendor=Particular Software" \
-              --annotation "index:org.opencontainers.image.version=${{ env.MinVerVersion }}" \
-              --annotation "index:org.opencontainers.image.source=https://github.com/${{ github.repository }}/tree/${{ github.sha }}" \
-              --annotation "index:org.opencontainers.image.url=https://hub.docker.com/r/particular/${{ matrix.name }}" \
-              --annotation "index:org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/" \
-              --annotation "index:org.opencontainers.image.base.name=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra" \
-              --platform linux/arm64,linux/amd64 .
-          docker buildx imagetools inspect ghcr.io/particular/${{ matrix.name }}:${{ env.TAG_NAME }}
\ No newline at end of file
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Get current date
+        id: date
+        run: echo "date=$(date '+%FT%TZ')" >> $GITHUB_OUTPUT
+      - name: Build and push image to GitHub container registry
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          sbom: true
+          build-args: |
+            VERSION=${{ env.MinVerVersion }}
+            SHA=${{ github.sha }}
+            CREATED=${{ steps.date.outputs.date }}
+          file: src/${{ matrix.project }}/Dockerfile
+          tags: ghcr.io/particular/${{ matrix.name }}:${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.number) || env.MinVerVersion }}
diff --git a/.github/workflows/build-db-container.yml b/.github/workflows/build-db-container.yml
index 785d6ab9bb..9ba5760cf1 100644
--- a/.github/workflows/build-db-container.yml
+++ b/.github/workflows/build-db-container.yml
@@ -24,8 +24,14 @@ jobs:
         uses: ./.github/actions/validate-version
         with:
           version: ${{ env.MinVerVersion }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       - name: Log in to GitHub container registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Install Docker arm64 emulation
         run: docker run --privileged --rm tonistiigi/binfmt --install arm64
       - name: Build images
diff --git a/.github/workflows/container-integration-test.yml b/.github/workflows/container-integration-test.yml
index 4f90d5543a..dc4bf6b336 100644
--- a/.github/workflows/container-integration-test.yml
+++ b/.github/workflows/container-integration-test.yml
@@ -56,9 +56,13 @@ jobs:
       - name: Run MinVer
         uses: Particular/run-minver-action@v1.0.0
       - name: Log in to GitHub container registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3.3.0
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/.github/workflows/push-container-images.yml b/.github/workflows/push-container-images.yml
index 5c2dae7fea..368d7c2e73 100644
--- a/.github/workflows/push-container-images.yml
+++ b/.github/workflows/push-container-images.yml
@@ -22,28 +22,32 @@ jobs:
         with:
           version: ${{ inputs.version }}
       - name: Log in to GitHub container registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@v3.3.0
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
       - name: Publish to Docker Hub
         run: |
           $containers = @('servicecontrol', 'servicecontrol-audit', 'servicecontrol-monitoring', 'servicecontrol-ravendb')
           $tags = "${{ steps.validate.outputs.container-tags }}" -Split ','
           $sourceTag = "${{ inputs.version }}"
 
-          foreach ($tag in $tags)
+          foreach($name in $containers)
           {
-            foreach($name in $containers)
-            {
-              Write-Output "::group::Pushing $($name):$($tag)"
-              $cmd = "docker buildx imagetools create --tag particular/$($name):$($tag) ghcr.io/particular/$($name):$($sourceTag)"
-              Write-Output "Command: $cmd"
-              Invoke-Expression $cmd
-              Write-Output "::endgroup::"
-            }
+            Write-Output "::group::Pushing $name with $tags tags"
+            $tagsCLI = $tags -replace "^", "--tag particular/${name}:"
+            $cmd = "docker buildx imagetools create $tagsCLI ghcr.io/particular/${name}:$sourceTag"
+            Write-Output "Command: $cmd"
+            Invoke-Expression $cmd
+            Write-Output "::endgroup::"
           }
       - name: Update Docker Hub Description - ServiceControl
         if: ${{ steps.validate.outputs.latest == 'true' }}
diff --git a/src/ServiceControl.Audit/Dockerfile b/src/ServiceControl.Audit/Dockerfile
index a846fc2a1c..020d03e1a7 100644
--- a/src/ServiceControl.Audit/Dockerfile
+++ b/src/ServiceControl.Audit/Dockerfile
@@ -11,15 +11,21 @@ RUN dotnet publish src/HealthCheckApp/HealthCheckApp.csproj --arch $TARGETARCH -
 # Runtime image
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
 ARG VERSION
+ARG SHA=unknown
+ARG CREATED=2000-01-01T00:00:00Z
 WORKDIR /app
 
-LABEL org.opencontainers.image.source=https://github.com/Particular/ServiceControl \
-      org.opencontainers.image.authors="Particular Software" \
-      org.opencontainers.image.url=https://docs.particular.net/servicecontrol/ \
-      org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/ \
-      org.opencontainers.image.version=$VERSION \
-      org.opencontainers.image.title=ServiceControl.Audit \
-      org.opencontainers.image.description="ServiceControl audit instance"
+LABEL org.opencontainers.image.source=https://github.com/Particular/ServiceControl/tree/$SHA
+LABEL org.opencontainers.image.authors="Particular Software"
+LABEL org.opencontainers.image.vendor="Particular Software"
+LABEL org.opencontainers.image.url=https://hub.docker.com/r/particular/servicecontrol-audit
+LABEL org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/
+LABEL org.opencontainers.image.version=$VERSION
+LABEL org.opencontainers.image.revision=$SHA
+LABEL org.opencontainers.image.created=$CREATED
+LABEL org.opencontainers.image.title="ServiceControl Audit Instance"
+LABEL org.opencontainers.image.description="Provide valuable information about the message flow through a system."
+LABEL org.opencontainers.image.base.name=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
 
 EXPOSE 44444
 
diff --git a/src/ServiceControl.Monitoring/Dockerfile b/src/ServiceControl.Monitoring/Dockerfile
index 0383cc490c..348bed359b 100644
--- a/src/ServiceControl.Monitoring/Dockerfile
+++ b/src/ServiceControl.Monitoring/Dockerfile
@@ -11,15 +11,21 @@ RUN dotnet publish src/HealthCheckApp/HealthCheckApp.csproj --arch $TARGETARCH -
 # Runtime image
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
 ARG VERSION
+ARG SHA=unknown
+ARG CREATED=2000-01-01T00:00:00Z
 WORKDIR /app
 
-LABEL org.opencontainers.image.source=https://github.com/Particular/ServiceControl \
-      org.opencontainers.image.authors="Particular Software" \
-      org.opencontainers.image.url=https://docs.particular.net/servicecontrol/ \
-      org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/ \
-      org.opencontainers.image.version=$VERSION \
-      org.opencontainers.image.title=ServiceControl.Monitoring \
-      org.opencontainers.image.description="ServiceControl monitoring instance"
+LABEL org.opencontainers.image.source=https://github.com/Particular/ServiceControl/tree/$SHA
+LABEL org.opencontainers.image.authors="Particular Software"
+LABEL org.opencontainers.image.vendor="Particular Software"
+LABEL org.opencontainers.image.url=https://hub.docker.com/r/particular/servicecontrol-monitoring
+LABEL org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/
+LABEL org.opencontainers.image.version=$VERSION
+LABEL org.opencontainers.image.revision=$SHA
+LABEL org.opencontainers.image.created=$CREATED
+LABEL org.opencontainers.image.title="ServiceControl Monitoring Instance"
+LABEL org.opencontainers.image.description="Track the health of a distributed system."
+LABEL org.opencontainers.image.base.name=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
 
 EXPOSE 33633
 
diff --git a/src/ServiceControl/Dockerfile b/src/ServiceControl/Dockerfile
index e69bd0d8b5..90d3a82da7 100644
--- a/src/ServiceControl/Dockerfile
+++ b/src/ServiceControl/Dockerfile
@@ -11,15 +11,22 @@ RUN dotnet publish src/HealthCheckApp/HealthCheckApp.csproj --arch $TARGETARCH -
 # Runtime image
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
 ARG VERSION
+ARG SHA=unknown
+ARG CREATED=2000-01-01T00:00:00Z
 WORKDIR /app
 
-LABEL org.opencontainers.image.source=https://github.com/Particular/ServiceControl \
-      org.opencontainers.image.authors="Particular Software" \
-      org.opencontainers.image.url=https://docs.particular.net/servicecontrol/ \
-      org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/ \
-      org.opencontainers.image.version=$VERSION \
-      org.opencontainers.image.title=ServiceControl \
-      org.opencontainers.image.description="ServiceControl primary instance"
+LABEL org.opencontainers.image.source=https://github.com/Particular/ServiceControl/tree/$SHA
+LABEL org.opencontainers.image.authors="Particular Software"
+LABEL org.opencontainers.image.vendor="Particular Software"
+LABEL org.opencontainers.image.url=https://hub.docker.com/r/particular/servicecontrol
+LABEL org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/
+LABEL org.opencontainers.image.version=$VERSION
+LABEL org.opencontainers.image.revision=$SHA
+LABEL org.opencontainers.image.created=$CREATED
+LABEL org.opencontainers.image.title="ServiceControl"
+LABEL org.opencontainers.image.description="Gather status, performance and monitoring data for multiple endpoints from a single location."
+LABEL org.opencontainers.image.base.name=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
+
 
 EXPOSE 33333
 

From 1bd4aa894a588e5d12f396cefa22fe0571b63470 Mon Sep 17 00:00:00 2001
From: John Simons <john.simons@particular.net>
Date: Wed, 26 Feb 2025 07:28:25 +1000
Subject: [PATCH 02/11] Update .github/workflows/build-containers.yml

Co-authored-by: David Boike <david.boike@gmail.com>
---
 .github/workflows/build-containers.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-containers.yml b/.github/workflows/build-containers.yml
index 1a01f75b04..2dc94d8331 100644
--- a/.github/workflows/build-containers.yml
+++ b/.github/workflows/build-containers.yml
@@ -35,7 +35,7 @@ jobs:
         with:
           version: ${{ env.MinVerVersion }}
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v3.9.0
       - name: Log in to GitHub container registry
         uses: docker/login-action@v3
         with:

From 5b8b149bbeabba4d91b898b67fc598179c7361ce Mon Sep 17 00:00:00 2001
From: John Simons <john.simons@particular.net>
Date: Wed, 26 Feb 2025 07:28:36 +1000
Subject: [PATCH 03/11] Update .github/workflows/build-containers.yml

Co-authored-by: David Boike <david.boike@gmail.com>
---
 .github/workflows/build-containers.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-containers.yml b/.github/workflows/build-containers.yml
index 2dc94d8331..24d15993fc 100644
--- a/.github/workflows/build-containers.yml
+++ b/.github/workflows/build-containers.yml
@@ -37,7 +37,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3.9.0
       - name: Log in to GitHub container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

From e76f41593abde3e6572872d2f1a9d3ab90f89c05 Mon Sep 17 00:00:00 2001
From: John Simons <john.simons@particular.net>
Date: Wed, 26 Feb 2025 07:28:46 +1000
Subject: [PATCH 04/11] Update .github/workflows/build-containers.yml

Co-authored-by: David Boike <david.boike@gmail.com>
---
 .github/workflows/build-containers.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-containers.yml b/.github/workflows/build-containers.yml
index 24d15993fc..1425a8c099 100644
--- a/.github/workflows/build-containers.yml
+++ b/.github/workflows/build-containers.yml
@@ -46,7 +46,7 @@ jobs:
         id: date
         run: echo "date=$(date '+%FT%TZ')" >> $GITHUB_OUTPUT
       - name: Build and push image to GitHub container registry
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v6.14.0
         with:
           context: .
           push: true

From 9a8308ad30a3b7ec61650b625e68e07aff183b87 Mon Sep 17 00:00:00 2001
From: John Simons <john.simons@particular.net>
Date: Wed, 26 Feb 2025 07:28:54 +1000
Subject: [PATCH 05/11] Update .github/workflows/build-db-container.yml

Co-authored-by: David Boike <david.boike@gmail.com>
---
 .github/workflows/build-db-container.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-db-container.yml b/.github/workflows/build-db-container.yml
index 9ba5760cf1..f59ef8e275 100644
--- a/.github/workflows/build-db-container.yml
+++ b/.github/workflows/build-db-container.yml
@@ -25,7 +25,7 @@ jobs:
         with:
           version: ${{ env.MinVerVersion }}
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v3.9.0
       - name: Log in to GitHub container registry
         uses: docker/login-action@v3
         with:

From 282db9d90517d7e1c9cef82daa571366ab32a1ac Mon Sep 17 00:00:00 2001
From: John Simons <john.simons@particular.net>
Date: Wed, 26 Feb 2025 07:29:03 +1000
Subject: [PATCH 06/11] Update .github/workflows/build-db-container.yml

Co-authored-by: David Boike <david.boike@gmail.com>
---
 .github/workflows/build-db-container.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-db-container.yml b/.github/workflows/build-db-container.yml
index f59ef8e275..d2a826b693 100644
--- a/.github/workflows/build-db-container.yml
+++ b/.github/workflows/build-db-container.yml
@@ -27,7 +27,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3.9.0
       - name: Log in to GitHub container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

From f06578fba4f32b15d6d9b8cb7b7029896d6f2a30 Mon Sep 17 00:00:00 2001
From: John Simons <john.simons@particular.net>
Date: Wed, 26 Feb 2025 07:29:12 +1000
Subject: [PATCH 07/11] Update .github/workflows/push-container-images.yml

Co-authored-by: David Boike <david.boike@gmail.com>
---
 .github/workflows/push-container-images.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/push-container-images.yml b/.github/workflows/push-container-images.yml
index 368d7c2e73..94201a3cec 100644
--- a/.github/workflows/push-container-images.yml
+++ b/.github/workflows/push-container-images.yml
@@ -22,7 +22,7 @@ jobs:
         with:
           version: ${{ inputs.version }}
       - name: Log in to GitHub container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

From 97cf2a522375e6c953f1748d734086539b8ee1d5 Mon Sep 17 00:00:00 2001
From: John Simons <john.simons@particular.net>
Date: Wed, 26 Feb 2025 07:29:20 +1000
Subject: [PATCH 08/11] Update .github/workflows/container-integration-test.yml

Co-authored-by: David Boike <david.boike@gmail.com>
---
 .github/workflows/container-integration-test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/container-integration-test.yml b/.github/workflows/container-integration-test.yml
index dc4bf6b336..8b63ccd081 100644
--- a/.github/workflows/container-integration-test.yml
+++ b/.github/workflows/container-integration-test.yml
@@ -62,7 +62,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Log in to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

From a3f01f80e93aedc60b70e9e240d593e85ed42b76 Mon Sep 17 00:00:00 2001
From: John Simons <john.simons@particular.net>
Date: Wed, 26 Feb 2025 07:29:27 +1000
Subject: [PATCH 09/11] Update .github/workflows/push-container-images.yml

Co-authored-by: David Boike <david.boike@gmail.com>
---
 .github/workflows/push-container-images.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/push-container-images.yml b/.github/workflows/push-container-images.yml
index 94201a3cec..d5fc01c351 100644
--- a/.github/workflows/push-container-images.yml
+++ b/.github/workflows/push-container-images.yml
@@ -28,7 +28,7 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

From 986397cd3b7bf869cc8d6761d2400c2a8a7daa45 Mon Sep 17 00:00:00 2001
From: John Simons <john.simons@particular.net>
Date: Wed, 26 Feb 2025 07:29:37 +1000
Subject: [PATCH 10/11] Update .github/workflows/push-container-images.yml

Co-authored-by: David Boike <david.boike@gmail.com>
---
 .github/workflows/push-container-images.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/push-container-images.yml b/.github/workflows/push-container-images.yml
index d5fc01c351..5d06ae2ab6 100644
--- a/.github/workflows/push-container-images.yml
+++ b/.github/workflows/push-container-images.yml
@@ -33,7 +33,7 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v3.9.0
       - name: Publish to Docker Hub
         run: |
           $containers = @('servicecontrol', 'servicecontrol-audit', 'servicecontrol-monitoring', 'servicecontrol-ravendb')

From 14c63fd1ce33fd71536c3645fa407421391241d5 Mon Sep 17 00:00:00 2001
From: John Simons <john.simons@particular.net>
Date: Wed, 26 Feb 2025 07:49:39 +1000
Subject: [PATCH 11/11] setting both annotations

---
 .github/workflows/build-containers.yml   | 34 +++++++++++++++++++++---
 src/ServiceControl.Audit/Dockerfile      | 15 -----------
 src/ServiceControl.Monitoring/Dockerfile | 15 -----------
 src/ServiceControl/Dockerfile            | 16 -----------
 4 files changed, 30 insertions(+), 50 deletions(-)

diff --git a/.github/workflows/build-containers.yml b/.github/workflows/build-containers.yml
index 1425a8c099..b953d2cd01 100644
--- a/.github/workflows/build-containers.yml
+++ b/.github/workflows/build-containers.yml
@@ -12,10 +12,16 @@ jobs:
         include:
           - name: servicecontrol
             project: ServiceControl
+            title: ServiceControl
+            description: Gather status, performance and monitoring data for multiple endpoints from a single location.
           - name: servicecontrol-audit
             project: ServiceControl.Audit
+            title: ServiceControl Audit Instance
+            description: Provide valuable information about the message flow through a system.
           - name: servicecontrol-monitoring
             project: ServiceControl.Monitoring
+            title: ServiceControl Monitoring Instance
+            description: Track the health of a distributed system.
       fail-fast: false
     steps:
       - name: Check for secrets
@@ -52,9 +58,29 @@ jobs:
           push: true
           platforms: linux/amd64,linux/arm64
           sbom: true
-          build-args: |
-            VERSION=${{ env.MinVerVersion }}
-            SHA=${{ github.sha }}
-            CREATED=${{ steps.date.outputs.date }}
+          labels: |
+            org.opencontainers.image.source=https://github.com/Particular/ServiceControl/tree/${{ github.sha }}
+            org.opencontainers.image.authors="Particular Software"
+            org.opencontainers.image.vendor="Particular Software"
+            org.opencontainers.image.url=https://hub.docker.com/r/particular/${{ matrix.name }}
+            org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/
+            org.opencontainers.image.version=${{ env.MinVerVersion }}
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.created=${{ steps.date.outputs.date }}
+            org.opencontainers.image.title=${{ matrix.title }}
+            org.opencontainers.image.description=${{ matrix.description }}
+            org.opencontainers.image.base.name=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
+          annotations: |
+            index:org.opencontainers.image.source=https://github.com/Particular/ServiceControl/tree/${{ github.sha }}
+            index:org.opencontainers.image.authors="Particular Software"
+            index:org.opencontainers.image.vendor="Particular Software"
+            index:org.opencontainers.image.url=https://hub.docker.com/r/particular/${{ matrix.name }}
+            index:org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/
+            index:org.opencontainers.image.version=${{ env.MinVerVersion }}
+            index:org.opencontainers.image.revision=${{ github.sha }}
+            index:org.opencontainers.image.created=${{ steps.date.outputs.date }}
+            index:org.opencontainers.image.title=${{ matrix.title }}
+            index:org.opencontainers.image.description=${{ matrix.description }}
+            index:org.opencontainers.image.base.name=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
           file: src/${{ matrix.project }}/Dockerfile
           tags: ghcr.io/particular/${{ matrix.name }}:${{ github.event_name == 'pull_request' && format('pr-{0}', github.event.number) || env.MinVerVersion }}
diff --git a/src/ServiceControl.Audit/Dockerfile b/src/ServiceControl.Audit/Dockerfile
index 020d03e1a7..1eb013f13d 100644
--- a/src/ServiceControl.Audit/Dockerfile
+++ b/src/ServiceControl.Audit/Dockerfile
@@ -10,23 +10,8 @@ RUN dotnet publish src/HealthCheckApp/HealthCheckApp.csproj --arch $TARGETARCH -
 
 # Runtime image
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
-ARG VERSION
-ARG SHA=unknown
-ARG CREATED=2000-01-01T00:00:00Z
 WORKDIR /app
 
-LABEL org.opencontainers.image.source=https://github.com/Particular/ServiceControl/tree/$SHA
-LABEL org.opencontainers.image.authors="Particular Software"
-LABEL org.opencontainers.image.vendor="Particular Software"
-LABEL org.opencontainers.image.url=https://hub.docker.com/r/particular/servicecontrol-audit
-LABEL org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/
-LABEL org.opencontainers.image.version=$VERSION
-LABEL org.opencontainers.image.revision=$SHA
-LABEL org.opencontainers.image.created=$CREATED
-LABEL org.opencontainers.image.title="ServiceControl Audit Instance"
-LABEL org.opencontainers.image.description="Provide valuable information about the message flow through a system."
-LABEL org.opencontainers.image.base.name=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
-
 EXPOSE 44444
 
 COPY --from=build /deploy/Particular.ServiceControl.Audit /app
diff --git a/src/ServiceControl.Monitoring/Dockerfile b/src/ServiceControl.Monitoring/Dockerfile
index 348bed359b..a2f3d0abe5 100644
--- a/src/ServiceControl.Monitoring/Dockerfile
+++ b/src/ServiceControl.Monitoring/Dockerfile
@@ -10,23 +10,8 @@ RUN dotnet publish src/HealthCheckApp/HealthCheckApp.csproj --arch $TARGETARCH -
 
 # Runtime image
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
-ARG VERSION
-ARG SHA=unknown
-ARG CREATED=2000-01-01T00:00:00Z
 WORKDIR /app
 
-LABEL org.opencontainers.image.source=https://github.com/Particular/ServiceControl/tree/$SHA
-LABEL org.opencontainers.image.authors="Particular Software"
-LABEL org.opencontainers.image.vendor="Particular Software"
-LABEL org.opencontainers.image.url=https://hub.docker.com/r/particular/servicecontrol-monitoring
-LABEL org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/
-LABEL org.opencontainers.image.version=$VERSION
-LABEL org.opencontainers.image.revision=$SHA
-LABEL org.opencontainers.image.created=$CREATED
-LABEL org.opencontainers.image.title="ServiceControl Monitoring Instance"
-LABEL org.opencontainers.image.description="Track the health of a distributed system."
-LABEL org.opencontainers.image.base.name=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
-
 EXPOSE 33633
 
 COPY --from=build /deploy/Particular.ServiceControl.Monitoring /app
diff --git a/src/ServiceControl/Dockerfile b/src/ServiceControl/Dockerfile
index 90d3a82da7..9fec575722 100644
--- a/src/ServiceControl/Dockerfile
+++ b/src/ServiceControl/Dockerfile
@@ -10,24 +10,8 @@ RUN dotnet publish src/HealthCheckApp/HealthCheckApp.csproj --arch $TARGETARCH -
 
 # Runtime image
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
-ARG VERSION
-ARG SHA=unknown
-ARG CREATED=2000-01-01T00:00:00Z
 WORKDIR /app
 
-LABEL org.opencontainers.image.source=https://github.com/Particular/ServiceControl/tree/$SHA
-LABEL org.opencontainers.image.authors="Particular Software"
-LABEL org.opencontainers.image.vendor="Particular Software"
-LABEL org.opencontainers.image.url=https://hub.docker.com/r/particular/servicecontrol
-LABEL org.opencontainers.image.documentation=https://docs.particular.net/servicecontrol/
-LABEL org.opencontainers.image.version=$VERSION
-LABEL org.opencontainers.image.revision=$SHA
-LABEL org.opencontainers.image.created=$CREATED
-LABEL org.opencontainers.image.title="ServiceControl"
-LABEL org.opencontainers.image.description="Gather status, performance and monitoring data for multiple endpoints from a single location."
-LABEL org.opencontainers.image.base.name=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled-composite-extra
-
-
 EXPOSE 33333
 
 COPY --from=build /deploy/Particular.ServiceControl /app