Disable buildx provenance and add publish dry-run check#633
Merged
Add a publish_check workflow that runs on PRs and exercises the full publish flow for the most demanding build variant (pg18-all amd64). This builds, pushes to test tags, and validates that the image digests are compatible with docker manifest create (i.e. not manifest lists). This catches disk space, build, and manifest issues before they reach the publish workflow on master.
Buildx with the docker-container driver wraps images in an OCI index when provenance attestations are enabled (the default). This causes docker manifest create --amend to fail with "is a manifest list" because the per-platform digests point to manifest lists rather than single images.
c009de8 to cd68fa8
tjgreen42 added a commit that referenced this pull request on Feb 13, 2026
Cherry-pick the publish_check workflow WITHOUT the --provenance=false fix. This PR should fail at the "Validate digests" step, proving the check catches the manifest list issue. See #633.
Summary
Two commits, structured so the first one should fail and the second fixes it:
1. Add publish dry-run check workflow: Runs on PRs and exercises the full publish flow for the most demanding build variant (pg18-all amd64 = 4 PG versions with all extensions and debug symbols). Builds, pushes to -cichecktest tags on Docker Hub, and validates that the image digests are compatible with docker manifest create. Can be configured as a required status check. This is motivated by repeated publish workflow breaks on master ("Install debugsymbol packages for extensions we use", #630, broke the build with disk space exhaustion, and the fix in "Free more disk space on CI runners", #632, unmasked a pre-existing manifest creation failure from buildx provenance attestations).

2. Disable buildx provenance (--provenance=false): Buildx with the docker-container driver wraps images in an OCI index when provenance attestations are enabled (the default). This causes docker manifest create --amend to fail because the per-platform digests point to manifest lists rather than single images. This wasn't introduced by a repo change; it's a buildx default that was masked while builds were failing. (failed run)

Testing
The publish check workflow will run on this PR. The first run (commit 1 only) should fail at the "Validate digests" step, proving the check catches the provenance issue. After the second commit is picked up, it should pass.
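The description above says the check validates that each per-platform digest is "compatible with docker manifest create", i.e. that it resolves to a single-image manifest and not to the OCI index buildx emits when provenance is on. The script below is an added example of that validation step; it is not code from PR #633 or from the repository's workflow. In CI the JSON for each digest would come from `docker buildx imagetools inspect --raw "$IMAGE@$DIGEST"`; here the three manifests are constructed inline (with placeholder digests) so the script runs offline, and the function names `is_manifest_list`, `has_attestation_entry`, `validate_digest` and `demo` are this example's own.

```sh
#!/bin/sh
# Added example (not from PR #633): decide whether an image digest points at a
# single-image manifest or at an OCI index / Docker manifest list, which is
# what makes "docker manifest create --amend" fail with "is a manifest list".
# Real input would be:  docker buildx imagetools inspect --raw "$IMAGE@$DIGEST"
# The sample manifests below are constructed so the script runs offline.

# Read manifest JSON on stdin; return 0 for an index/manifest list, 1 for a
# single-image manifest. An index carries a "manifests" array, an image
# manifest carries "config" and "layers". Keying on structure rather than on
# mediaType matters: the entries inside an index carry their own mediaType and
# the top-level mediaType is optional in the OCI spec, so a naive grep for the
# first mediaType misclassifies an index that omits it.
is_manifest_list() {
    grep -q '"manifests"[[:space:]]*:'
}

# Read index JSON on stdin; return 0 if it has an unknown/unknown platform
# entry. Buildx stores provenance/SBOM attestations in the index under that
# pseudo-platform, so its presence points at attestations as the cause.
has_attestation_entry() {
    grep -q '"architecture"[[:space:]]*:[[:space:]]*"unknown"'
}

# Validate one per-platform digest. Arguments: image reference, digest, and
# the manifest JSON for that digest. Returns 1 when the digest would break
# "docker manifest create --amend".
validate_digest() {
    ref="$1"; digest="$2"; json="$3"
    if printf '%s' "$json" | is_manifest_list; then
        if printf '%s' "$json" | has_attestation_entry; then
            echo "FAIL: $ref@$digest is an index carrying attestations; rebuild with --provenance=false" >&2
        else
            echo "FAIL: $ref@$digest is a multi-platform index, not a single image" >&2
        fi
        return 1
    fi
    echo "ok: $ref@$digest is a single-image manifest"
}

# Constructed sample 1: what buildx (docker-container driver) pushes by default.
# The image sits next to an attestation manifest under platform unknown/unknown.
INDEX_SAMPLE='{"schemaVersion":2,"mediaType":"application/vnd.oci.image.index.v1+json","manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:1111111111111111111111111111111111111111111111111111111111111111","size":1000,"platform":{"architecture":"amd64","os":"linux"}},{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:2222222222222222222222222222222222222222222222222222222222222222","size":500,"platform":{"architecture":"unknown","os":"unknown"}}]}'

# Constructed sample 2: a single-image manifest, as pushed with --provenance=false.
IMAGE_SAMPLE='{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:3333333333333333333333333333333333333333333333333333333333333333","size":200},"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip","digest":"sha256:4444444444444444444444444444444444444444444444444444444444444444","size":9000}]}'

# Constructed sample 3: a genuine multi-platform index with no top-level
# mediaType and no attestation entry, to show the structural check still fires.
BARE_INDEX_SAMPLE='{"schemaVersion":2,"manifests":[{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:5555555555555555555555555555555555555555555555555555555555555555","size":700,"platform":{"architecture":"arm64","os":"linux"}}]}'

# Demo: the check must accept the single image and reject both indexes.
# Returns 0 only when it behaves that way; the FAIL lines on stderr are the
# diagnostics a CI log would show for the unfixed build.
demo() {
    validate_digest example/pg18-all sha256:3333 "$IMAGE_SAMPLE" || return 1
    validate_digest example/pg18-all sha256:aaaa "$INDEX_SAMPLE" && return 1
    validate_digest example/pg18-all sha256:bbbb "$BARE_INDEX_SAMPLE" && return 1
    echo "demo: single image accepted, both indexes rejected"
}

demo
```

Wired into a workflow, the step is `docker buildx imagetools inspect --raw "$IMAGE@$DIGEST" | is_manifest_list && exit 1` for each digest the build emitted, run before the `docker manifest create` step. One caveat worth stating: `--provenance=false` fixes the failure by dropping the SLSA provenance attestation altogether, so consumers lose that supply-chain metadata. If the attestations are wanted, the alternative is to stop using `docker manifest create` and assemble the multi-arch tag with `docker buildx imagetools create`, which accepts indexes as sources; which route the project prefers is not decided on this page.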