oras-project / oras-go

ORAS Go library

Home Page: https://oras.land

docs: document `PackManifestOptions` to make `PackManifest` reproducible

shizhMSFT opened this issue · comments

`PackManifest` packs an artifact by generating a manifest with annotation `org.opencontainers.image.created`.

Each time `PackManifest` is called, a new time stamp is generated for `org.opencontainers.image.created` even with the same content. Therefore, building an artifact is not reproducible.

The `PackManifest` method can be reproducible when `ocispec.AnnotationCreated` is set. However, this fact is not called out in the docs of either `PackManifestOptions` or `PackManifest`.

This request is to enhance the documentation for reproducibility of PackManifest.

Are we saying that the proposed solution here is to pass the arg `-a "org.opencontainers.image.created=1970-01-01T00:00:00Z"` or similar to ensure deterministic builds?

> Are we saying that the proposed solution here is to pass the arg `-a "org.opencontainers.image.created=1970-01-01T00:00:00Z"` or similar to ensure deterministic builds?

Regarding oras-cli, this is our proposed solution to ensure deterministic builds. This issue is for the library oras-go; we need to tell the users of the library the behavior of `PackManifest` regarding the timestamp annotation.
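
A standard-library model of the behaviour discussed in this thread, added here as an example; it is not part of the issue and not oras-go code. It shows why the manifest digest changes between builds unless `org.opencontainers.image.created` is pinned. The `manifest` type, `packModel`, the injected clock, the RFC 3339 check and the artifact type string are assumptions made for the sketch.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Annotation key named in the issue (ocispec.AnnotationCreated).
const annotationCreated = "org.opencontainers.image.created"

// manifest is a reduced stand-in for an OCI image manifest (hypothetical type).
type manifest struct {
	SchemaVersion int               `json:"schemaVersion"`
	MediaType     string            `json:"mediaType"`
	ArtifactType  string            `json:"artifactType"`
	Annotations   map[string]string `json:"annotations"`
}

// packModel imitates the behaviour the issue describes: when the caller gives
// no created annotation, the packer stamps the current time. It returns the
// manifest digest. The clock is injected so the effect can be tested.
func packModel(artifactType string, annotations map[string]string, now func() time.Time) (string, error) {
	merged := map[string]string{} // copy, so the caller's map is never mutated
	for k, v := range annotations {
		merged[k] = v
	}
	if created, ok := merged[annotationCreated]; ok {
		// Assumption of this sketch: reject values that are not RFC 3339.
		if _, err := time.Parse(time.RFC3339, created); err != nil {
			return "", fmt.Errorf("invalid %s: %w", annotationCreated, err)
		}
	} else {
		merged[annotationCreated] = now().UTC().Format(time.RFC3339)
	}
	m := manifest{2, "application/vnd.oci.image.manifest.v1+json", artifactType, merged}
	raw, err := json.Marshal(m) // map keys are emitted sorted, so the bytes are stable
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("sha256:%x", sha256.Sum256(raw)), nil
}

func main() {
	pinned := map[string]string{annotationCreated: "1970-01-01T00:00:00Z"}
	for i := 0; i < 2; i++ { // two "builds" of identical content, one second apart
		clock := func() time.Time { return time.Unix(int64(1700000000+i), 0) }
		a, _ := packModel("application/vnd.example+type", nil, clock) // constructed type
		b, _ := packModel("application/vnd.example+type", pinned, clock)
		fmt.Printf("build %d  default=%s  pinned=%s\n", i, a[:19], b[:19])
	}
}
```

Anything that verifies an artifact by digest (a signature, a pinned reference, a rebuild comparison) only matches across builds in the pinned case.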