chore(docker): enforce OCI description label

Author: pRizz

.github/workflows/docker-publish.yml

@@ -60,6 +60,16 @@ jobs:
           # when called via workflow_call, defaults to the commit that triggered the workflow
           ref: ${{ inputs.ref }}
 
+      # NOTE: We parse the description label from the Dockerfile so the
+      # multi-arch manifest annotation stays in sync and GHCR shows a description.
+      # If you change the label format or quoting, update the extraction logic.
+      - name: Extract OCI description
+        id: oci-description
+        run: |
+          set -euo pipefail
+          description="$(python3 scripts/extract-oci-description.py packages/core/src/docker/Dockerfile)"
+          echo "description=${description}" >> "$GITHUB_OUTPUT"
+
       - name: Extract version
         id: version
         run: |
@@ -196,6 +206,8 @@ jobs:
             OPENCODE_CLOUD_VERSION=${{ steps.version.outputs.version }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          annotations: |
+            org.opencontainers.image.description=${{ steps.oci-description.outputs.description }}
           # Scoped cache prevents thrash between test and publish builds.
           # GHA cache v2 improves compatibility with the current cache API.
           cache-from: |

.github/workflows/dockerfile-updates.yml

@@ -75,6 +75,9 @@ jobs:
           FOOTER
           echo "updates_body_path=${updates_body_path}" >> $GITHUB_OUTPUT
 
+      - name: Verify OCI description label
+        run: python3 scripts/extract-oci-description.py packages/core/src/docker/Dockerfile
+
       - name: Set up Docker Buildx
         if: steps.check.outputs.updates_available == 'true'
         uses: docker/setup-buildx-action@v3

.github/workflows/update-opencode-commit.yml

@@ -27,6 +27,9 @@ jobs:
         run: |
           ./scripts/update-opencode-commit.sh
 
+      - name: Verify OCI description label
+        run: python3 scripts/extract-oci-description.py packages/core/src/docker/Dockerfile
+
       - name: Commit and push if changed
         run: |
           if git diff --quiet; then

packages/core/src/docker/Dockerfile

@@ -36,6 +36,10 @@ FROM ubuntu:24.04 AS base
 
 # OCI Labels for image metadata
 LABEL org.opencontainers.image.title="opencode-cloud"
+# NOTE: This exact label format is parsed by scripts/extract-oci-description.py
+# (called from .github/workflows/docker-publish.yml) to populate multi-arch
+# manifest annotations for GHCR. If you change this line (format, quoting, or
+# key), update the extraction logic too.
 LABEL org.opencontainers.image.description="AI-assisted development environment with opencode"
 LABEL org.opencontainers.image.url="https://github.com/pRizz/opencode-cloud"
 LABEL org.opencontainers.image.source="https://github.com/pRizz/opencode-cloud"

scripts/extract-oci-description.py

@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+import pathlib
+import re
+import sys
+
+
+def main() -> int:
+    dockerfile_path = pathlib.Path(sys.argv[1]) if len(sys.argv) > 1 else pathlib.Path("Dockerfile")
+    try:
+        dockerfile = dockerfile_path.read_text()
+    except OSError as exc:
+        print(f"Failed to read Dockerfile at {dockerfile_path}: {exc}", file=sys.stderr)
+        return 2
+
+    match = re.search(
+        r'org\.opencontainers\.image\.description\s*=\s*"([^"]+)"',
+        dockerfile,
+    )
+    if not match:
+        print(
+            "Missing org.opencontainers.image.description label in Dockerfile",
+            file=sys.stderr,
+        )
+        return 3
+
+    print(match.group(1))
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())