ci(release): disable provenance/sbom attestations #55

Closed
trick77 wants to merge 1 commit into master from ci/disable-provenance-attestations

@trick77
Owner

@trick77 trick77 commented May 17, 2026

Summary

Each release currently produces an extra GHCR manifest tagged `unknown/unknown` because `docker/build-push-action@v7` attaches SLSA provenance + SBOM attestations by default. Without a consumer this is pure UI noise. Disable both.

Test plan

  • After merge: trigger release; confirm GHCR UI shows only the real linux/amd64 manifest under each tag, no `unknown/unknown` companion.

docker/build-push-action@v7 attaches SLSA provenance + SBOM attestations
by default; GHCR stores them as extra manifests in the manifest list and
shows them in the UI as 'unknown/unknown' platform. Without an attestation
consumer this is pure noise for triagers ("which image is the real one?").

Skip both. Real architectural manifests stay as they are.
@trick77
Owner Author

trick77 commented May 17, 2026

Closing — provenance + SBOM stay enabled. The 'unknown/unknown' GHCR UI entry is cosmetic noise; the supply-chain signals are worth keeping.

@trick77 trick77 closed this May 17, 2026
@trick77 trick77 deleted the ci/disable-provenance-attestations branch May 17, 2026 09:22
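
As an added example (not part of this pull request or the project's code): the `unknown/unknown` entries discussed in this thread are BuildKit attestation manifests, which carry `vnd.docker.reference.type` and `vnd.docker.reference.digest` annotations pointing at the image they describe. The Python sketch below separates them from runnable images in a constructed image index and reports images that lack an attestation; the function names and the shortened digests are hypothetical.

```python
import json

# Constructed sample: an image index shaped like the one a release pushes when
# provenance/SBOM attestations are enabled. Digests are shortened placeholders.
SAMPLE_INDEX = json.loads("""
{"schemaVersion": 2,
 "mediaType": "application/vnd.oci.image.index.v1+json",
 "manifests": [
  {"mediaType": "application/vnd.oci.image.manifest.v1+json",
   "digest": "sha256:aaaa",
   "platform": {"architecture": "amd64", "os": "linux"}},
  {"mediaType": "application/vnd.oci.image.manifest.v1+json",
   "digest": "sha256:bbbb",
   "platform": {"architecture": "unknown", "os": "unknown"},
   "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                   "vnd.docker.reference.digest": "sha256:aaaa"}}]}
""")

ATTESTATION_TYPE = "attestation-manifest"


def classify_index(index):
    """Split index entries into runnable images and attestation manifests.

    Returns (images, attestations): images maps digest -> "os/arch";
    attestations maps the subject image digest -> list of attestation digests.
    """
    images, attestations = {}, {}
    for entry in index.get("manifests", []):
        ann = entry.get("annotations") or {}
        if ann.get("vnd.docker.reference.type") == ATTESTATION_TYPE:
            subject = ann.get("vnd.docker.reference.digest")
            attestations.setdefault(subject, []).append(entry["digest"])
        else:
            plat = entry.get("platform") or {}
            images[entry["digest"]] = f'{plat.get("os", "?")}/{plat.get("architecture", "?")}'
    return images, attestations


def audit(index):
    """Return (image digests with no attestation, attestation digests with no image)."""
    images, attestations = classify_index(index)
    missing = sorted(d for d in images if d not in attestations)
    orphaned = sorted(d for subj, ds in attestations.items()
                      if subj not in images for d in ds)
    return missing, orphaned


if __name__ == "__main__":
    print(classify_index(SAMPLE_INDEX))
    print(audit(SAMPLE_INDEX))
```

The index JSON for a pushed tag can be fetched with `docker buildx imagetools inspect --raw <image>` and passed to `audit` after `json.loads`.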