Support Git commit status updates for OCIRepository

[matheuscscp]

Discussed in #5140

^{Originally posted by xunholy January 9, 2025}
Currently it's common practice to include alerts on kustomizations to publish the status back to the origin commit status.

EG.

apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
  name: github-kustomization-alerts
  namespace: flux-system
spec:
  providerRef:
    name: github
  eventSeverity: info
  eventSources:
    - kind: Kustomization
      name: '*'

However, when these kustomizations are using the OCIRepository sourceRef the notification-conroller is unable to match the commit SHA in order to place the commit status.

Error

3ceff2f-46de-4b04-be31-6a03e9c3e943","apiVersion":"kustomize.toolkit.fluxcd.io/v1","resourceVersion":"166196199"},"Alert":{"name":"github-kustomization-alerts","namespace":"flux-system"},"error":"failed to extract commit hash from 'main@sha256:6f132a51cacdd080a2efc97cdc20b1807c025b6464c58a530f3803373d5f12cf' revision"}

One possible solution is to allow the kustomize-controller to forward the OCI annotation called org.opencontainers.image.revision to notification-controller so it can extract the revision from the metadata.

This would allow for a better user experience and feedback loops when using the OCIRepository type, especially in mono repositories where there is a high amount of change.

[stefanprodan]

To implement this, the kustomize-controller should add a metadata entry to the events emitted from reconciling an OCIRepository source with the following format:

 kustomize.toolkit.fluxcd.io/originRevision: <value of org.opencontainers.image.revision>

When receiving events, notification-controller should use originRevision instead of revision to determine the commit SHA for status update. Furthermore, the originRevision should show up in Slack/MSTeams/etc in the alert body.

[stefanprodan]

We need to add a task for updating the docs or for creating some new guide to tell people about this feature.