From d3d196af1c5dfa094041b7d18ddb89c99455453e Mon Sep 17 00:00:00 2001
From: "Alexander Nicholson 4584443+DragonStuff@users.noreply.github.com" <4584443+DragonStuff@users.noreply.github.com>
Date: Wed, 10 Sep 2025 04:02:28 +0900
Subject: [PATCH] fix: disable sbom and provenance

Disabled SBOM/provenance embedding and stopped uploading build attestations. Those were creating untagged OCI referrers in GHCR. Still sign with cosign with signatures as referrers.
---
 .github/workflows/publish-image.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish-image.yml b/.github/workflows/publish-image.yml
index f62ff9f..66e4f65 100644
--- a/.github/workflows/publish-image.yml
+++ b/.github/workflows/publish-image.yml
@@ -99,8 +99,8 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha,scope=${{ matrix.platform }}
           cache-to: type=gha,scope=${{ matrix.platform }},mode=max
-          sbom: true
-          provenance: true
+          sbom: false
+          provenance: false
 
       - name: Attest image provenance (per-arch)
         if: github.event_name != 'pull_request'
@@ -108,7 +108,7 @@ jobs:
         with:
           subject-name: ${{ steps.vars.outputs.canonical }}
           subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true
+          push-to-registry: false
 
   manifest:
     name: Create multi-arch manifest and sign
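Review bot: With `sbom: false` and `provenance: false` in the first hunk, the per-arch images pushed to GHCR carry no SBOM and no BuildKit provenance, and the cosign signature added later in the workflow attests only that a trusted identity signed the digest, not how the image was built; nothing in the workflow records that this trade-off is deliberate, so a later reader is likely to flip the flags back. Add a comment above the two flags, e.g. `# BuildKit SBOM/provenance attestations disabled on purpose: they appear as untagged referrers in GHCR; provenance is attested by the step below instead`. In the second hunk, if the attest step is actions/attest-build-provenance (its `uses:` line and the build step's `uses:` are outside the hunks), `push-to-registry: false` only stops the attestation from being pushed to the registry — it is still generated and recorded in the repository's attestation store, so `gh attestation verify` against the digest keeps working and the commit message's "stopped uploading build attestations" overstates the change. Note also that the SBOM is dropped entirely rather than relocated; if one is still wanted without registry referrers, generating it as a workflow artifact would preserve it without creating untagged manifests.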