GH workflow: docker publish for version tags

Author: GGoetzelmann

.github/workflows/docker_publish.yml

@@ -4,7 +4,15 @@ name: Create and publish a Docker image
 on:
   push:
     branches: ['main']
-
+    tags:
+      - v*
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Git tag to build (e.g., v1.2.3)"
+        required: true
+        type: string
+      
 # Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
 env:
   REGISTRY: ghcr.io
@@ -37,19 +45,22 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        id: buildpush
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: docker/Dockerfile
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           platforms: linux/amd64,linux/arm64
+          provenance: false  # Disable provenance to avoid unknown/unknown
+          sbom: false        # Disable sbom to avoid unknown/unknown
 
       # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see [Using artifact attestations to establish provenance for builds](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds).
       - name: Generate artifact attestation
         uses: actions/attest-build-provenance@v3
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+          subject-digest: ${{ steps.buildpush.outputs.digest }}
+          push-to-registry: true