fix: disable sbom and provenance

Disabled SBOM/provenance embedding and stopped uploading build attestations. Those were creating untagged OCI referrers in GHCR. Still sign with cosign with signatures as referrers.
2026-03-26 07:56:34 +09:00 · 2025-09-10 04:02:28 +09:00
parent fc24ab44fc
commit d3d196af1c
1 changed files with 3 additions and 3 deletions
--- a/.github/workflows/publish-image.yml
+++ b/.github/workflows/publish-image.yml
@@ -99,8 +99,8 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha,scope=${{ matrix.platform }}
          cache-to: type=gha,scope=${{ matrix.platform }},mode=max
-          sbom: true
-          provenance: true
+          sbom: false
+          provenance: false

      - name: Attest image provenance (per-arch)
        if: github.event_name != 'pull_request'
@@ -108,7 +108,7 @@ jobs:
        with:
          subject-name: ${{ steps.vars.outputs.canonical }}
          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true
+          push-to-registry: false

  manifest:
    name: Create multi-arch manifest and sign