Following #9817
Instead of disabling provenance, we could switch to using `docker buildx imagetools create`, which handles OCI indices.
Context
- CI runners were upgraded from Docker 27 to 29.
- Docker Engine 29's containerd image store became the default for fresh installs (https://docs.docker.com/engine/release-notes/29/).
- Provenance attestations have been enabled by default since Buildx v0.10 (`mode=min`), but with Docker's classic image store they were silently lost — the classic store doesn't support them (https://docs.docker.com/build/metadata/attestations/).
- Docker 29 switches the default to containerd image store for fresh installs, which does support attestations.
- So now `docker build` + `docker push` preserves the provenance attestation, turning every pushed image into an OCI index (manifest list with image + attestation).
- `docker manifest create` rejects OCI indices as sources.
For the `docker buildx imagetools create` alternative, the docs confirm it accepts manifest lists and OCI indices as sources natively: https://docs.docker.com/reference/cli/docker/buildx/imagetools/create/
Sources: