Consider adding OCI annotations to our container image, mainly to provide changelog information #861
Labels: docker (Container related issues/changes), enhancement (New feature or request), nice to have (A non-blocking, but nice to have feature)
The fact that dependabot and other bots are unable to provide any kind of useful information when bumping container checksums, making the update completely opaque, doesn't give anyone any confidence about the changes; with a complete lack of transparency from a security POV it's actually worse than sacrificing reproducible builds and just doing `dnf upgrade` directly. That said, this is a problem in the container world in general that will hopefully be solved with SBOMs at some point in the future. We're not there yet, so another alternative could be to increase our own transparency when it comes to the shipped image by incorporating some of the OCI annotations (https://github.com/opencontainers/image-spec/blob/main/annotations.md), so that anyone could go and look at the particular ref that led to the container image build. We could also add our own label that would include a URL to a full changelog of a particular release. It's not going to solve the dependency bot tracking conundrum, but any kind of transparency is arguably better than none.
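As an added example (not code from the project or from the issue author), the script below shows what a consumer of an image gains once the OCI annotations proposed above are present: given the old and new image configs of a digest bump, it reports which `org.opencontainers.image.*` labels changed, derives a commit-range link from `source` and `revision`, surfaces the changelog URL, and lists which of the useful annotations are missing. The two image configs are constructed inline to look like the output of `docker image inspect`; the custom changelog label name `io.example.changelog`, the repository `https://github.com/example/app`, and the revision and digest values are all assumptions, and the compare-link format is only derived for GitHub-hosted sources.

```python
"""Summarise a container image digest bump from the images' OCI labels.

Added example; not the project's code. Configs are constructed inline,
the changelog label name is hypothetical, and the compare-link layout
assumes a GitHub-hosted source repository.
"""
import json

OCI = "org.opencontainers.image."
CHANGELOG_LABEL = "io.example.changelog"  # hypothetical custom label
# Pre-defined annotation keys from the OCI image-spec annotations.md that
# tell a reader where an image came from and what it was built on.
WANTED = ("source", "revision", "version", "created", "base.name", "base.digest")

# Constructed configs (shape of `docker image inspect` / OCI image config).
OLD_CONFIG = json.dumps({"config": {"Labels": {
    OCI + "source": "https://github.com/example/app",
    OCI + "revision": "a1b2c3d",
    OCI + "version": "1.4.0",
    OCI + "created": "2024-01-10T00:00:00Z",
    OCI + "base.name": "registry.example.org/base:39",
    OCI + "base.digest": "sha256:" + "11" * 32,
    CHANGELOG_LABEL: "https://github.com/example/app/releases/tag/v1.4.0",
}}})
NEW_CONFIG = json.dumps({"config": {"Labels": {
    OCI + "source": "https://github.com/example/app",
    OCI + "revision": "e5f6a7b",
    OCI + "version": "1.4.1",
    OCI + "created": "2024-02-02T00:00:00Z",
    OCI + "base.name": "registry.example.org/base:39",
    OCI + "base.digest": "sha256:" + "22" * 32,
    CHANGELOG_LABEL: "https://github.com/example/app/releases/tag/v1.4.1",
}}})
# The status quo the issue complains about: a bump with no labels at all.
OPAQUE_CONFIG = json.dumps({"config": {"Labels": {}}})


def labels(config_json):
    """Return the label map of an image config, tolerating a null Labels."""
    cfg = json.loads(config_json)
    return (cfg.get("config") or {}).get("Labels") or {}


def missing_annotations(lbls):
    """List the wanted OCI annotation keys that are absent or empty."""
    return [OCI + k for k in WANTED if not lbls.get(OCI + k)]


def compare_url(source, old_rev, new_rev):
    """Build a GitHub commit-range URL; None if any input is unknown or
    the source is not a GitHub repository (assumed URL layout)."""
    if not source or not old_rev or not new_rev:
        return None
    repo = source.removesuffix(".git")
    if repo.startswith("https://github.com/"):
        return f"{repo}/compare/{old_rev}...{new_rev}"
    return None


def describe_bump(old_json, new_json):
    """Explain an old -> new image bump using only the images' labels."""
    old, new = labels(old_json), labels(new_json)
    changed = {}
    for k in WANTED:
        key = OCI + k
        if old.get(key) != new.get(key):
            changed[k] = (old.get(key), new.get(key))
    return {
        "changed": changed,
        "compare_url": compare_url(new.get(OCI + "source"),
                                   old.get(OCI + "revision"),
                                   new.get(OCI + "revision")),
        "changelog": new.get(CHANGELOG_LABEL),
        "missing": missing_annotations(new),
    }


if __name__ == "__main__":
    print(json.dumps(describe_bump(OLD_CONFIG, NEW_CONFIG), indent=2))
    print(json.dumps(describe_bump(OPAQUE_CONFIG, OPAQUE_CONFIG), indent=2))
```

Run against the annotated pair, the report names the revision, version, creation date and base digest that moved and links straight to the commit range and release notes; run against the unlabelled pair it can only list six missing annotations, which is exactly the opacity described in the issue. A real bot would feed it the configs pulled from the registry for the two digests in the bump.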