From c9cc80b2afefd2b3456f6e6aedafdbf43f409bc6 Mon Sep 17 00:00:00 2001
From: Lumir Balhar
Date: Mon, 16 Feb 2026 10:54:57 +0100
Subject: [PATCH 1/4] Disable provenance/SBOM attestations

A recent update probably enabled those and that turned our single-platform container images into manifests. And we cannot manually create the latest manifest if our images are manifests as well.
---
 .github/workflows/build-and-push.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index 14f9e46..71cc224 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -42,6 +42,8 @@ jobs:
 context: .
 platforms: linux/${{ matrix.arch }}
 load: true
+ provenance: false
+ sbom: false
 tags: |
 fedorapython/fedora-python-tox:${{ matrix.arch }}
 fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }}

From 4cee1406b77ec0496c3a8def13aaae068bf9b0b1 Mon Sep 17 00:00:00 2001
From: Lumir Balhar
Date: Mon, 16 Feb 2026 12:19:34 +0100
Subject: [PATCH 2/4] Update docker/build-push-action to version 6

---
 .github/workflows/build-and-push.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index 71cc224..2c93118 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -37,7 +37,7 @@ jobs:
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v1
 - name: Build
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@v6
 with:
 context: .
 platforms: linux/${{ matrix.arch }}

From 93ceaabc074f1b28319bd43c1489ec4396272678 Mon Sep 17 00:00:00 2001
From: Lumir Balhar
Date: Tue, 17 Feb 2026 12:04:26 +0100
Subject: [PATCH 3/4] Add verification step for single-platform images

---
 .github/workflows/build-and-push.yml | 25 +++++++++++++++++++++++-- 
 1 file changed, 23 insertions(+), 2 deletions(-)

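Review bot: `provenance: false` and `sbom: false` in the first hunk drop the SLSA provenance and SBOM attestations from every image this job publishes, and the commit message only says an update "probably" enabled them, so the supply-chain trade-off is not recorded anywhere a maintainer editing the workflow would see it. A comment above the two keys would keep them from being removed by accident, e.g. `# Attestations turn a single-platform image into an image index, which breaks the manual creation of the latest manifest; keep them disabled until that step can handle indexes.` Should the attestations be wanted back, the place to look is the step that assembles the latest manifest, which is outside this hunk. The `with:` block continues past the hunk in both directions.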
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index 2c93118..6ed3dd6 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@@ -42,11 +42,32 @@ jobs:
 context: .
 platforms: linux/${{ matrix.arch }}
 load: true
- provenance: false
- sbom: false
 tags: |
 fedorapython/fedora-python-tox:${{ matrix.arch }}
 fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }}
+ - name: Verify single-platform image
+ run: |
+ # Inspect the local image
+ image_info=$(docker image inspect fedorapython/fedora-python-tox:${{ matrix.arch }})
+
+ # Check that we got exactly one image (not a manifest list)
+ image_count=$(echo "$image_info" | jq '. | length')
+ if [ "$image_count" != "1" ]; then
+ echo "ERROR: Expected 1 image, found $image_count"
+ exit 1
+ fi
+
+ # Get the architecture
+ arch=$(echo "$image_info" | jq -r '.[0].Architecture')
+ os=$(echo "$image_info" | jq -r '.[0].Os')
+
+ echo "✓ Verified: Image is single-platform ($os/$arch)"
+
+ # Verify it matches the expected architecture
+ if [ "$arch" != "${{ matrix.arch }}" ]; then
+ echo "ERROR: Architecture mismatch! Expected ${{ matrix.arch }}, got $arch"
+ exit 1
+ fi
 - name: Test local project
 env:
 TOXENV: ${{ matrix.toxenv }}

From 6e13b40b426a948beb874d6b59d2c2fa09c02a24 Mon Sep 17 00:00:00 2001
From: Lumir Balhar
Date: Tue, 17 Feb 2026 13:41:12 +0100
Subject: [PATCH 4/4] Use manifest inspect in the verification step, not image inspect

---
 .github/workflows/build-and-push.yml | 29 ++++++++++++----------------
 1 file changed, 12 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
index 6ed3dd6..737789f 100644
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
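Review bot: The hunk silently deletes `provenance: false` and `sbom: false` from the build step, which the subject line "Add verification step" does not mention, so from this commit on the attestations that PATCH 1 disabled are back to the action's default. If that is intentional (for instance because the action is expected to skip attestations for a `load: true` build), a comment on the build step such as `# No provenance/sbom here: the loaded image must stay a single manifest, see the verification step below` or a sentence in the commit message would record it; otherwise the first run that produces an image index will only be caught by the new step rather than prevented. The `# Check that we got exactly one image (not a manifest list)` comment is also misleading, since `docker image inspect` is given a single reference and reports on the local image store, so the array length says nothing about manifest lists; the next commit in the series replaces this logic. The enclosing `steps:` list continues past the hunk on both sides.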
@@ -47,27 +47,22 @@ jobs:
 fedorapython/fedora-python-tox:${{ matrix.arch }}-f${{ env.FEDORA_VERSION }}
 - name: Verify single-platform image
 run: |
- # Inspect the local image
- image_info=$(docker image inspect fedorapython/fedora-python-tox:${{ matrix.arch }})
+ # Inspect the manifest
+ manifest=$(docker manifest inspect fedorapython/fedora-python-tox:${{ matrix.arch }})
 
- # Check that we got exactly one image (not a manifest list)
- image_count=$(echo "$image_info" | jq '. | length')
- if [ "$image_count" != "1" ]; then
- echo "ERROR: Expected 1 image, found $image_count"
- exit 1
- fi
-
- # Get the architecture
- arch=$(echo "$image_info" | jq -r '.[0].Architecture')
- os=$(echo "$image_info" | jq -r '.[0].Os')
+ # For single-platform images, manifests should be null
+ # For multi-platform or images with attestations, manifests is an array
+ manifests=$(echo "$manifest" | jq '.manifests')
 
- echo "✓ Verified: Image is single-platform ($os/$arch)"
-
- # Verify it matches the expected architecture
- if [ "$arch" != "${{ matrix.arch }}" ]; then
- echo "ERROR: Architecture mismatch! Expected ${{ matrix.arch }}, got $arch"
+ if [ "$manifests" != "null" ]; then
+ manifest_count=$(echo "$manifests" | jq '. | length')
+ echo "ERROR: Image has a manifest list with $manifest_count entries (expected null for single-platform)!"
+ echo "This usually means attestations are enabled or it's a multi-platform image."
+ echo "$manifests" | jq '.[] | {platform: .platform, digest: .digest, annotations: .annotations}'
 exit 1
 fi
+
+ echo "✓ Verified: Image is single-platform (manifests: null)"
 - name: Test local project
 env:
 TOXENV: ${{ matrix.toxenv }}
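Review bot: `docker manifest inspect` resolves its argument against the registry, not the local image store, while the build step above only has `load: true` and no `push:` among the visible `with:` keys, so at this point in the job the new `manifest=$(docker manifest inspect ...)` line inspects whatever is already published under `fedorapython/fedora-python-tox:${{ matrix.arch }}` (or fails with a not-found error on a tag that has never been pushed) rather than the image that was just built. Unless a push happens earlier in the job outside this hunk, the step should run after the image is pushed, preferably against the digest the build step reports for the pushed image (the action exposes a `digest` output once the step has an `id:`), so that the artifact being verified is the one that later goes into the latest manifest. The rewrite also drops the comparison of the image architecture against `${{ matrix.arch }}` that the previous version had; if that check is worth keeping, `docker manifest inspect --verbose` exposes the descriptor's platform. The `steps:` list continues past the hunk on both sides.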