Broken image build with docker buildx 0.10.x #1489

Closed
@luanguimaraesla

Description

/kind bug

What happened?

Trying to build a new image in a private fork with the new buildx version (v0.10.1), published 2 weeks ago, and now added to GH Actions, breaks this project's pushing script with the following error.

make[1]: Leaving directory '/home/runner/work/aws-ebs-csi-driver/aws-ebs-csi-driver'
docker manifest create --amend ***/aws-ebs-csi-driver:timescale-1.15-rc1 ***/aws-ebs-csi-driver:timescale-1.15-rc1-linux-amd64-amazon
***/aws-ebs-csi-driver:timescale-1.15-rc1-linux-amd64-amazon is a manifest list

It happens because the new version introduced support for a minimal SLSA Provenance attestation by default. This makes images that previously were being exported as a single manifest (image) be exported as a manifest list.

Expected outputs like this (from the last build on this repo v1.15.0, using buildx 0.9.x):

#14 exporting to image
#14 exporting manifest sha256:ABC done
#14 exporting config sha256:XYZ done
#14 pushing layers

But got:

#15 exporting to image
#15 exporting layers 2.0s done
#15 exporting manifest sha256:ABC done
#15 exporting config sha256:DEF done
#15 exporting attestation manifest sha256:XYZ done
#15 exporting manifest list sha256:QWE done

It means the image is being published as a manifest list, as we can see by inspecting the resulting document:

╰─❯ docker buildx imagetools inspect XYZ.dkr.ecr.us-east-1.amazonaws.com/aws-ebs-csi-driver:test-1.15-rc1-linux-amd64-amazon
Name:      XYZ.dkr.ecr.us-east-1.amazonaws.com/aws-ebs-csi-driver:test-1.15-rc1-linux-amd64-amazon
MediaType: application/vnd.oci.image.index.v1+json
Digest:    sha256:e87283cc95ba621ed50554acde2517fa52a8458fe80148a41f02a4fcdc30539c

Manifests:
  Name:      XYZ.dkr.ecr.us-east-1.amazonaws.com/aws-ebs-csi-driver:test-1.15-rc1-linux-amd64-amazon@sha256:be6c10993f206194728565408e3b1076916375073d27d6a7002fd1e7d6a2c3a5
  MediaType: application/vnd.oci.image.manifest.v1+json
  Platform:  linux/amd64

  Name:      XYZ.dkr.ecr.us-east-1.amazonaws.com/aws-ebs-csi-driver:test-1.15-rc1-linux-amd64-amazon@sha256:98cc461893e9e9c11c9bc5149c975bd7d14016e69cf7e04b194edd4b5724936c
  MediaType: application/vnd.oci.image.manifest.v1+json
  Platform:  unknown/unknown
    vnd.docker.reference.type:   attestation-manifest
    vnd.docker.reference.digest: sha256:be6c10993f206194728565408e3b1076916375073d27d6a7002fd1e7d6a2c3a5

Possible solution

We can optionally disable the default provenance attestation functionality using --provenance=false according to the buildx release document.
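
A check that a push script could run before `docker manifest create`, as an added example that is not part of the original issue or the project's code: it classifies the raw manifest JSON (as printed by `docker buildx imagetools inspect --raw`) and separates attestation entries from platform images. The function names and the sample document are constructed here; the digests and annotation keys are taken from the inspect output above.

```python
import json

INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}

def is_attestation(entry):
    # buildx marks the provenance entry with this annotation (see inspect output).
    annotations = entry.get("annotations") or {}
    return annotations.get("vnd.docker.reference.type") == "attestation-manifest"

def classify(raw_json):
    """Return (kind, platform_image_digests) for a raw manifest document.

    kind is "image" for a single manifest, "image+attestation" for an index
    that wraps exactly one platform image plus attestation entries (the
    buildx 0.10.x default), and "index" for any other manifest list.
    """
    doc = json.loads(raw_json)
    if doc.get("mediaType") not in INDEX_TYPES and "manifests" not in doc:
        return "image", []
    entries = doc.get("manifests") or []
    images = [e["digest"] for e in entries if not is_attestation(e)]
    if len(images) == 1 and any(is_attestation(e) for e in entries):
        return "image+attestation", images
    return "index", images

# Constructed sample mirroring the imagetools output in the issue.
IMG = "sha256:be6c10993f206194728565408e3b1076916375073d27d6a7002fd1e7d6a2c3a5"
ATT = "sha256:98cc461893e9e9c11c9bc5149c975bd7d14016e69cf7e04b194edd4b5724936c"
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": IMG,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": ATT,
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": IMG}},
    ],
})

if __name__ == "__main__":
    print(classify(SAMPLE_INDEX))
```

A result of `image+attestation` on a per-architecture tag means the build ran with provenance enabled, which is the condition that makes `docker manifest create --amend` fail with "is a manifest list".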
