ci: Disable non-OCI-compliant provenance

sse-secure-systems · Feb 27, 2024 · 7d34110 · 7d34110
1 parent 9d914f3
commit 7d34110
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml
@@ -65,8 +65,8 @@ runs:
         labels: ${{ inputs.image_labels }}
         file: docker/Dockerfile
         build-args: COSIGN_VERSION=${{ inputs.cosign_version }}
-        sbom: true
-        provenance: true
+        sbom: false  # Duplicates SBOMs manually created below
+        provenance: false  #TODO: Set to false, as resulting format is not OCI (GHCR) compliant (https://github.com/docker/build-push-action/issues/820) and causes problems with GHCR and e.g. image deletion (https://github.com/snok/container-retention-policy/issues/63)
     - name: Create SBOM
       uses: anchore/sbom-action@5ecf649a417b8ae17dc8383dc32d46c03f2312df # v0.15.1
       with: