From c9cc80b2afefd2b3456f6e6aedafdbf43f409bc6 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Mon, 16 Feb 2026 10:54:57 +0100 Subject: [PATCH 1/9] Disable provenance/SBOM attestations A recent update probably enabled those and that turned our single-platform container images into manifests. And we cannot manually create the latest manifest if our images are manifests as well. --- .github/workflows/build-and-push.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 14f9e46..71cc224 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -42,6 +42,8 @@ jobs: context: . platforms: linux/${{ matrix.arch }} load: true + provenance: false + sbom: false tags: | fedorapython/fedora-python-tox:${{ matrix.arch }} fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} From 4cee1406b77ec0496c3a8def13aaae068bf9b0b1 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Mon, 16 Feb 2026 12:19:34 +0100 Subject: [PATCH 2/9] Update docker/build-push-action to version 6 --- .github/workflows/build-and-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 71cc224..2c93118 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -37,7 +37,7 @@ jobs: - name: Set up QEMU uses: docker/setup-qemu-action@v1 - name: Build - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 with: context: . platforms: linux/${{ matrix.arch }} From 93ceaabc074f1b28319bd43c1489ec4396272678 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Tue, 17 Feb 2026 12:04:26 +0100 Subject: [PATCH 3/9] Add verification step for single-platform images --- .github/workflows/build-and-push.yml | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) 
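Review bot: The added `provenance: false` and `sbom: false` keys in patch 1/9 carry no comment, so the workflow file does not record why images built by this step have no provenance or SBOM attestation. The reason exists only in the commit message. A comment above the pair would keep the trade-off visible to the next maintainer, for example `# Attestations wrap each image in a manifest list, which breaks the manual latest manifest; revisit when that step can handle indexes`. The same pair is added again in both hunks of patch 5/9, the second of which is the step with `push: true`, so the comment matters most there. The `with:` block starts and ends outside this hunk.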
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 2c93118..6ed3dd6 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -42,11 +42,32 @@ jobs: context: . platforms: linux/${{ matrix.arch }} load: true - provenance: false - sbom: false tags: | fedorapython/fedora-python-tox:${{ matrix.arch }} fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} + - name: Verify single-platform image + run: | + # Inspect the local image + image_info=$(docker image inspect fedorapython/fedora-python-tox:${{ matrix.arch }}) + + # Check that we got exactly one image (not a manifest list) + image_count=$(echo "$image_info" | jq '. | length') + if [ "$image_count" != "1" ]; then + echo "ERROR: Expected 1 image, found $image_count" + exit 1 + fi + + # Get the architecture + arch=$(echo "$image_info" | jq -r '.[0].Architecture') + os=$(echo "$image_info" | jq -r '.[0].Os') + + echo "✓ Verified: Image is single-platform ($os/$arch)" + + # Verify it matches the expected architecture + if [ "$arch" != "${{ matrix.arch }}" ]; then + echo "ERROR: Architecture mismatch! Expected ${{ matrix.arch }}, got $arch" + exit 1 + fi - name: Test local project env: TOXENV: ${{ matrix.toxenv }} From 6e13b40b426a948beb874d6b59d2c2fa09c02a24 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Tue, 17 Feb 2026 13:41:12 +0100 Subject: [PATCH 4/9] Use manifest inspect in the verification step, not image inspect --- .github/workflows/build-and-push.yml | 29 ++++++++++++---------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 6ed3dd6..737789f 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml 
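Review bot: In the new "Verify single-platform image" step, `echo "✓ Verified: Image is single-platform ($os/$arch)"` runs before the architecture comparison, so a failing run logs a success line immediately before the mismatch error. Moving that echo below the final `fi` makes the log match the outcome. The step also pastes `${{ matrix.arch }}` into the script text three times. The matrix is workflow-controlled, so this is hardening rather than a live bug, but passing it once through the environment keeps expressions out of the shell source: `env:` with `ARCH: ${{ matrix.arch }}`, then `if [ "$arch" != "$ARCH" ]; then`.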
@@ -47,27 +47,22 @@ jobs: fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} - name: Verify single-platform image run: | - # Inspect the local image - image_info=$(docker image inspect fedorapython/fedora-python-tox:${{ matrix.arch }}) + # Inspect the manifest + manifest=$(docker manifest inspect fedorapython/fedora-python-tox:${{ matrix.arch }}) - # Check that we got exactly one image (not a manifest list) - image_count=$(echo "$image_info" | jq '. | length') - if [ "$image_count" != "1" ]; then - echo "ERROR: Expected 1 image, found $image_count" - exit 1 - fi - - # Get the architecture - arch=$(echo "$image_info" | jq -r '.[0].Architecture') - os=$(echo "$image_info" | jq -r '.[0].Os') + # For single-platform images, manifests should be null + # For multi-platform or images with attestations, manifests is an array + manifests=$(echo "$manifest" | jq '.manifests') - echo "✓ Verified: Image is single-platform ($os/$arch)" - - # Verify it matches the expected architecture - if [ "$arch" != "${{ matrix.arch }}" ]; then - echo "ERROR: Architecture mismatch! Expected ${{ matrix.arch }}, got $arch" + if [ "$manifests" != "null" ]; then + manifest_count=$(echo "$manifests" | jq '. | length') + echo "ERROR: Image has a manifest list with $manifest_count entries (expected null for single-platform)!" + echo "This usually means attestations are enabled or it's a multi-platform image." + echo "$manifests" | jq '.[] | {platform: .platform, digest: .digest, annotations: .annotations}' exit 1 fi + + echo "✓ Verified: Image is single-platform (manifests: null)" - name: Test local project env: TOXENV: ${{ matrix.toxenv }} From 4a38b1e578f09a80d7aa9e7e21ed0529bcbfb18a Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Wed, 18 Feb 2026 08:09:22 +0100 Subject: [PATCH 5/9] Disable provenance and sbom attestations again --- .github/workflows/build-and-push.yml | 4 ++++ 1 file changed, 4 insertions(+) 
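Review bot: `docker manifest inspect fedorapython/fedora-python-tox:${{ matrix.arch }}` resolves the tag against the registry, not the local image store, so this step checks whatever is currently published under that tag rather than the image the Build step just produced. As far as the visible hunks show, the step runs before the Docker Hub login and the push, so a freshly built image with attestations would still pass, and a stale published one would fail an otherwise good build. If the goal is to gate the push, keep a local check here. If the goal is to confirm what was published, move this check after "Push to Dockerhub" under the same `if:` condition. A comment such as `# Queries Docker Hub, not the local build` would at least make the current behaviour explicit.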
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 737789f..bc59139 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -41,6 +41,8 @@ jobs: with: context: . platforms: linux/${{ matrix.arch }} + provenance: false + sbom: false load: true tags: | fedorapython/fedora-python-tox:${{ matrix.arch }} @@ -98,6 +100,8 @@ jobs: with: context: . platforms: linux/${{ matrix.arch }} + provenance: false + sbom: false push: true tags: | fedorapython/fedora-python-tox:${{ matrix.arch }} From fd358ef6c9805108f7755be697e74e1aa247891b Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Thu, 19 Feb 2026 13:04:51 +0100 Subject: [PATCH 6/9] fixup --- .github/workflows/build-and-push.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index bc59139..df1a9f4 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -43,7 +43,7 @@ jobs: platforms: linux/${{ matrix.arch }} provenance: false sbom: false - load: true + outputs: type=docker tags: | fedorapython/fedora-python-tox:${{ matrix.arch }} fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} @@ -95,7 +95,7 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Push to Dockerhub - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 if: github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' with: context: . From ccc85a78864be6be2222d489bc19719e6b876d38 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Thu, 19 Feb 2026 15:33:38 +0100 Subject: [PATCH 7/9] fixup --- .github/workflows/build-and-push.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index df1a9f4..897e44d 100644 
--- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -43,7 +43,7 @@ jobs: platforms: linux/${{ matrix.arch }} provenance: false sbom: false - outputs: type=docker + outputs: type=docker,oci-mediatypes=false tags: | fedorapython/fedora-python-tox:${{ matrix.arch }} fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} From a3a523f5b6cc4b0ea471b6d97a69b69555080629 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Fri, 20 Feb 2026 10:34:20 +0100 Subject: [PATCH 8/9] fixup --- .github/workflows/build-and-push.yml | 29 +++++++++------------------- 1 file changed, 9 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 897e44d..94c7775 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -37,16 +37,12 @@ jobs: - name: Set up QEMU uses: docker/setup-qemu-action@v1 - name: Build - uses: docker/build-push-action@v6 - with: - context: . - platforms: linux/${{ matrix.arch }} - provenance: false - sbom: false - outputs: type=docker,oci-mediatypes=false - tags: | - fedorapython/fedora-python-tox:${{ matrix.arch }} - fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} + run: | + docker build \ + --platform linux/${{ matrix.arch }} \ + -t fedorapython/fedora-python-tox:${{ matrix.arch }} \ + -t fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} \ + . - name: Verify single-platform image run: | # Inspect the manifest 
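Review bot: The new `docker build` command in patch 8/9 no longer states the attestation setting, because `provenance: false` and `sbom: false` were removed together with the action. Whether the result is a plain single-platform image now depends on the default builder of the runner. If the runner's `docker build` is BuildKit-backed, putting the setting on the command keeps the intent in the file: `--provenance=false --sbom=false \`. The "Verify single-platform image" step starts at the end of this hunk and continues outside it.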
@@ -95,17 +91,10 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Push to Dockerhub - uses: docker/build-push-action@v6 if: github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' - with: - context: . - platforms: linux/${{ matrix.arch }} - provenance: false - sbom: false - push: true - tags: | - fedorapython/fedora-python-tox:${{ matrix.arch }} - fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} + run: | + docker push fedorapython/fedora-python-tox:${{ matrix.arch }} + docker push fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }} description_update: name: 'Update Dockerhub description' From c8c381baa6c7b2056a47e43ed404b95935958ae7 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Fri, 20 Feb 2026 12:43:20 +0100 Subject: [PATCH 9/9] fixup --- .github/workflows/build-and-push.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml index 94c7775..e178d13 100644 --- a/.github/workflows/build-and-push.yml +++ b/.github/workflows/build-and-push.yml @@ -37,6 +37,8 @@ jobs: - name: Set up QEMU uses: docker/setup-qemu-action@v1 - name: Build + env: + DOCKER_BUILDKIT: 0 run: | docker build \ --platform linux/${{ matrix.arch }} \
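Review bot: `DOCKER_BUILDKIT: 0` in patch 9/9 is added without a comment, and the commit message ("fixup") does not explain it either. The setting switches the step to the legacy builder, which Docker has deprecated, so the build may stop working on a future runner image with nothing in the file to say why the override exists. Presumably the aim is still to avoid attestation manifests. If so, a comment such as `# Legacy builder: produces a plain image manifest, no attestation index` would document that. Stating the attestation flags on a BuildKit build instead would avoid depending on the deprecated builder.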