install/aleph: include the image labels in aleph

Include the container labels in the aleph file, since they often contain
useful information about the image provenance, such as the source
commit the image was build from.

Also we skip serializing the source image reference if it start with
`/tmp` since this is a good signal it was source from a local copy
of an image, e.g. in an osbuild environnement.

Whith this, a build of Fedora CoreOS through osbuild goes from:

```
{
  "image": "/tmp/tmpb29j6pi3/image",
  "kernel": "6.18.12-200.fc43.x86_64",
  "selinux": "disabled",
  "timestamp": null,
  "version": "43.20260301.20.dev1"
}
```

to
```
{
  "digest": "sha256:07bf537cc4e4d208eb0b978f76e5046e55529ce6192b982d8c1a41fa1d61b95a",
  "kernel": "6.18.13-200.fc43.x86_64",
  "labels": {
    "com.coreos.inputhash": "fe9883169714c593d98058606e886b9747710ed15ab1b9cdbd7fa538fb435b3c",
    "com.coreos.osname": "fedora-coreos",
    "com.coreos.stream": "testing-devel",
    "containers.bootc": "1",
    "io.buildah.version": "1.42.2",
    "org.opencontainers.image.description": "Fedora CoreOS testing-devel",
    "org.opencontainers.image.revision": "233fe18749c7d2749581e4307c4cac60967acde4",
    "org.opencontainers.image.source": "git@github.com:jbtrystram/fedora-coreos-config.git",
    "org.opencontainers.image.title": "Fedora CoreOS testing-devel",
    "org.opencontainers.image.version": "43.20260301.20.dev1",
    "ostree.bootable": "1",
    "ostree.commit": "89635f7cba9de932fc60d71a6bded65ad0db06a35c9d016da03ca7ade9ba4736",
    "ostree.final-diffid": "sha256:12787d84fa137cd5649a9005efe98ec9d05ea46245fdc50aecb7dd007f2035b1"
  },
  "selinux": "disabled",
  "target-image": "ostree-image-signed:docker://quay.io/fedora/fedora-coreos:testing-devel",
  "timestamp": null,
  "version": "43.20260301.20.dev1"
}
```
which is way more useful.

See #2038

Assisted-by: OpenCode(Opus 4.6)

Author: jbtrystram

crates/lib/src/install.rs

@@ -1209,7 +1209,12 @@ async fn install_container(
         osconfig::inject_root_ssh_authorized_keys(&root, sepolicy, contents)?;
     }
 
-    let aleph = InstallAleph::new(&src_imageref, &imgstate, &state.selinux_state)?;
+    let aleph = InstallAleph::new(
+        &src_imageref,
+        &state.target_imgref,
+        &imgstate,
+        &state.selinux_state,
+    )?;
     Ok((deployment, aleph))
 }
 

crates/lib/src/install/aleph.rs

@@ -1,3 +1,5 @@
+use std::collections::BTreeMap;
+
 use anyhow::{Context as _, Result};
 use canon_json::CanonJsonSerialize as _;
 use cap_std_ext::{cap_std::fs::Dir, dirext::CapStdExtDirExt as _};
@@ -17,7 +19,16 @@ pub(crate) const BOOTC_ALEPH_PATH: &str = ".bootc-aleph.json";
 #[derive(Debug, Serialize)]
 pub(crate) struct InstallAleph {
     /// Digested pull spec for installed image
-    pub(crate) image: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub(crate) image: Option<String>,
+    /// The manifest digest of the installed image
+    pub(crate) digest: String,
+    /// The target image reference, used for subsequent updates
+    #[serde(rename = "target-image")]
+    pub(crate) target_image: String,
+    /// The OCI image labels from the installed image
+    #[serde(skip_serializing_if = "BTreeMap::is_empty")]
+    pub(crate) labels: BTreeMap<String, String>,
     /// The version number
     pub(crate) version: Option<String>,
     /// The timestamp
@@ -32,19 +43,34 @@ impl InstallAleph {
     #[context("Creating aleph data")]
     pub(crate) fn new(
         src_imageref: &ostree_container::OstreeImageReference,
+        target_imgref: &ostree_container::OstreeImageReference,
         imgstate: &ostree_container::store::LayeredImageState,
         selinux_state: &SELinuxFinalState,
     ) -> Result<Self> {
         let uname = rustix::system::uname();
-        let labels = crate::status::labels_of_config(&imgstate.configuration);
-        let timestamp = labels
+        let oci_labels = crate::status::labels_of_config(&imgstate.configuration);
+        let timestamp = oci_labels
             .and_then(|l| {
                 l.get(oci_spec::image::ANNOTATION_CREATED)
                     .map(|s| s.as_str())
             })
             .and_then(bootc_utils::try_deserialize_timestamp);
+        let labels: BTreeMap<String, String> = oci_labels
+            .map(|l| l.iter().map(|(k, v)| (k.clone(), v.clone())).collect())
+            .unwrap_or_default();
+        // When installing via osbuild, the source image is usually a
+        // temporary local container storage path (e.g. `/tmp/...`) which is not useful.
+        let image = if src_imageref.imgref.name.starts_with("/tmp") {
+            tracing::debug!("Not serializing the source imageref as it's a local temporary image.");
+            None
+        } else {
+            Some(src_imageref.imgref.name.clone())
+        };
         let r = InstallAleph {
-            image: src_imageref.imgref.name.clone(),
+            image,
+            target_image: target_imgref.imgref.name.clone(),
+            digest: imgstate.manifest_digest.to_string(),
+            labels,
             version: imgstate.version().as_ref().map(|s| s.to_string()),
             timestamp,
             kernel: uname.release().to_str()?.to_string(),

docs/src/bootc-install.md

@@ -535,6 +535,8 @@ After installation, bootc writes a JSON file at the root of the physical
 filesystem (`.bootc-aleph.json`) containing installation provenance information:
 
 - The source image reference and digest
+- The target image reference (if provided)
+- The OCI image labels from the installed image
 - Installation timestamp
 - bootc version
 - Kernel version