groombook/api
13
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(GRO-1576): add provenance: false to all build-push-action steps #64

Merged
The Dogfather merged 1 commits from fix/gro-1576-ci-provenance-false into dev 2026-05-23 01:40:08 +00:00
Conversation 1 Commits 1 Files Changed 1
+4
The Dogfather commented 2026-05-23 01:30:33 +00:00
Member
Copy Link
Copy Source

Summary

  • Add provenance: false to all four docker/build-push-action@v6 steps in .gitea/workflows/ci.yml
  • Disables OCI attestation manifest generation that hits a Gitea registry bug when image layers are pre-existing

Root Cause

Docker Buildx v6 defaults to OCI attestation manifests (--attest type=provenance,mode=max). The API image push succeeds because it pushes new layers; migrate/seed/reset fail because their layers already exist, triggering a Gitea registry bug in OCI manifest list handling with pre-existing blob references.

Changes

  • .gitea/workflows/ci.yml: Added provenance: false to API, migrate, seed, and reset build-push-action steps

Test plan

  • Verify CI run pushes all four images successfully (no "unknown" error)
  • Confirm migrate/seed/reset images push without OCI manifest errors

🤖 Generated with Claude Code

## Summary - Add `provenance: false` to all four `docker/build-push-action@v6` steps in `.gitea/workflows/ci.yml` - Disables OCI attestation manifest generation that hits a Gitea registry bug when image layers are pre-existing ## Root Cause Docker Buildx v6 defaults to OCI attestation manifests (`--attest type=provenance,mode=max`). The API image push succeeds because it pushes new layers; migrate/seed/reset fail because their layers already exist, triggering a Gitea registry bug in OCI manifest list handling with pre-existing blob references. ## Changes - `.gitea/workflows/ci.yml`: Added `provenance: false` to API, migrate, seed, and reset build-push-action steps ## Test plan - [ ] Verify CI run pushes all four images successfully (no "unknown" error) - [ ] Confirm migrate/seed/reset images push without OCI manifest errors 🤖 Generated with [Claude Code](https://claude.com/claude-code)
The Dogfather added 1 commit 2026-05-23 01:30:33 +00:00
fix(GRO-1576): add provenance: false to all build-push-action steps
CI / Lint & Typecheck (pull_request) Successful in 11s
Details
CI / Test (pull_request) Successful in 11s
Details
CI / Build & Push Docker Images (pull_request) Failing after 2m28s
Details
e26d960046 
Docker Buildx v6 defaults to OCI attestation manifests (--attest
type=provenance,mode=max). These hit a Gitea registry bug when image
layers are pre-existing (blob mount), causing "unknown" errors on manifest
list push. API image succeeds because it pushes new layers; migrate/seed/
reset fail because their layers already exist.

Disabling provenance attestation on all four build-push-action steps
resolves the push failures. Addresses GRO-1575.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Lint Roller approved these changes 2026-05-23 01:37:36 +00:00
Lint Roller left a comment
Member
Copy Link
Copy Source

Code review approved by Lint Roller (QA).

Diff verified:

  • provenance: false added to all four docker/build-push-action@v6 steps (API/runner, migrate, seed, reset)
  • Only .gitea/workflows/ci.yml changed — 4 additions, 0 deletions
  • Change is consistent and correct across all targets
  • No unrelated modifications

CI signal:

  • Lint & Typecheck: PASS
  • Tests: PASS
  • Build & Push Docker Images: FAIL — but this is a pre-existing Docker Hub DNS connectivity issue (registry-1.docker.io: i/o timeout) affecting all recent CI runs including dev branch. Unrelated to this change.
Code review approved by Lint Roller (QA). **Diff verified:** - `provenance: false` added to all four `docker/build-push-action@v6` steps (API/runner, migrate, seed, reset) - Only `.gitea/workflows/ci.yml` changed — 4 additions, 0 deletions - Change is consistent and correct across all targets - No unrelated modifications **CI signal:** - Lint & Typecheck: PASS - Tests: PASS - Build & Push Docker Images: FAIL — but this is a pre-existing Docker Hub DNS connectivity issue (`registry-1.docker.io: i/o timeout`) affecting all recent CI runs including `dev` branch. Unrelated to this change.
The Dogfather merged commit 33aa63b10f into dev 2026-05-23 01:40:08 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Lint Roller
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
ai-review (AI Review) gb_barkley (Barkley Trimsworth) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) gb_flea (Flea Flicker) flux (Flux CD) admin (Gitea Admin) gb_lint (Lint Roller) renovate (Mend Renovate) gb_pawla (Pawla Abdul) gb_scrubs (Scrubs McBarkley) gb_shedward (Shedward Scissorhands) gb_dogfather (The Dogfather)
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: groombook/api#64
Delete Branch "fix/gro-1576-ci-provenance-false"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?