2026-06-23 04:14:03 +00:00
1 changed files with 8 additions and 5 deletions
@@ -84,11 +84,14 @@ jobs:
        with:
          context: .
          push: true
-          # CAR-1446: git.farh.net does not support OCI referrers (distribution spec
-          # >=1.1 required for attestation push). Enabling provenance:true/sbom:true
-          # would cause the push to fail on the referrer PUT. The Grype scan step
-          # above is the compensating control — it fails the build on any unfixed
-          # high-severity CVE before the image reaches the registry.
+          # CAR-1446: git.farh.net does not implement the OCI referrers API.
+          # Verified 2026-06-23: GET /v2/cartsnitch/auth/referrers/{digest} →
+          # HTTP 404 "page not found" (plain proxy 404, not an OCI error — the path
+          # does not exist in this Gitea registry version). OCI Distribution Spec
+          # >=1.1 is required for provenance/SBOM attestation manifests; without it
+          # the docker/build-push-action would fail at the attestation PUT.
+          # Compensating control: the Grype scan step above fails the build on any
+          # unfixed HIGH-severity CVE before the image reaches the registry.
          provenance: false
          sbom: false
          tags: ${{ steps.meta.outputs.tags }}