From 19ea8e364f7ee3d17a536085cdb4bc117281835a Mon Sep 17 00:00:00 2001
From: trick77
Date: Sun, 17 May 2026 11:21:45 +0200
Subject: [PATCH] ci(release): disable provenance/sbom attestations

docker/build-push-action@v7 attaches SLSA provenance + SBOM attestations by default; GHCR stores them as extra manifests in the manifest list and shows them in the UI as 'unknown/unknown' platform. Without an attestation consumer this is pure noise for triagers ("which image is the real one?"). Skip both. Real architectural manifests stay as they are.
---
 .github/workflows/release.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 1787b38..379482b 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -74,6 +74,12 @@ jobs:
 context: .
 file: ./Containerfile
 push: true
+ # SLSA provenance + SBOM attestations are stored as separate
+ # manifests in the manifest list and show up in the GHCR UI as
+ # 'unknown/unknown' platform — pure noise for a project without
+ # an attestation consumer. Skip both.
+ provenance: false
+ sbom: false
 build-args: |
 RIPTIDE_VERSION=${{ steps.ver.outputs.version }}
 tags: |
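Review bot: The comment above `provenance: false` / `sbom: false` records the UI motivation but not the cost: with both off, images pushed by this step carry no build-provenance or SBOM attestation, so a downstream consumer or scanner can no longer check from the registry which workflow run produced a given digest or what the image contains. I would state that trade-off in the comment itself, e.g. `# Trade-off: published images carry no verifiable build provenance or SBOM; re-enable if consumers need to verify image origin.` If verifiability matters later, a separate attestation step that records provenance in GitHub's attestation store rather than in the image index (for example `actions/attest-build-provenance`) would likely avoid the extra 'unknown/unknown' entries, which is worth confirming before adopting. The `with:` mapping starts before and continues after this hunk, so the action reference and the rest of the step are not visible here.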