Skip to content

Disable buildx provenance to fix ECR manifest list error#101

Merged
wesleyjellis merged 1 commit intomainfrom
fix/docker-provenance-ecr
Feb 18, 2026
Merged

Disable buildx provenance to fix ECR manifest list error#101
wesleyjellis merged 1 commit intomainfrom
fix/docker-provenance-ecr

Conversation

@wesleyjellis
Copy link
Copy Markdown
Contributor

@wesleyjellis wesleyjellis commented Feb 18, 2026
edited
Loading

Summary

  • Adds --provenance=false to both docker build_flag_templates in .goreleaser.yml
  • Fixes release failure introduced after goreleaser-action was bumped to v6.3.0, which bundled a newer BuildKit that enables provenance attestations by default
  • ECR Public does not support creating a multi-arch manifest list that references an image digest that is itself a manifest list (which is what buildx provenance produces)

Background

CircleCI has a post on this workaround: https://support.circleci.com/hc/en-us/articles/32873043536667-AWS-ECR-provenance-info-creates-confusing-appearance-of-multi-arch-images
There's a 2021 issue documenting a similar fix: aws/containers-roadmap#1596

Unclear why this previously worked? Best theory is

The real trigger isn't the action itself but the GitHub Actions runner environment — runners get updated buildx versions over time. Between the last good release (Aug 5, 2025) and today (Feb 18, 2026), the runner's buildx version crossed the v0.10+ threshold where provenance became default-on.

@wesleyjellis @claude
Disable buildx provenance to fix ECR manifest list error
eff63aa 
Docker buildx enables provenance attestations by default, which causes
each platform image to be pushed as a manifest list rather than a plain
image manifest. ECR Public rejects creating a multi-arch manifest that
references another manifest list, resulting in a release failure.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@eapache-opslevel
Copy link
Copy Markdown
Contributor

eapache-opslevel commented Feb 18, 2026
edited
Loading

Could you please link to a run where this failure has occurred?

after goreleaser-action was bumped to v6.3.0

When did this happen? Why didn't we apply the fix then?

Unclear why this previously worked

What? You just said it was because of the upgraded goreleaser-action "which bundled a newer BuildKit that enables provenance attestations by default".

CircleCI has a post on this workaround: https://support.circleci.com/hc/en-us/articles/32873043536667-AWS-ECR-provenance-info-creates-confusing-appearance-of-multi-arch-images
There's a 2021 issue documenting a similar fix: aws/containers-roadmap#1596

Both of these links appear to be about the ECR user interface display of provenance information and not about any failure to push images.

@eapache-opslevel
Copy link
Copy Markdown
Contributor

eapache-opslevel commented Feb 18, 2026

OK I think I grok:

  • ECR Public does not support nested manifests.
  • Enabling provenance causes buildx to push a manifest even for a single-arch build, because it needs a container to hold both the image and the attestation manifest together.
  • Thus when we try and wrap our various arch-specific images in a manifest, we end up trying to create a nested manifest and 💥
  • Disabling provenance causes our single-arch pushes to be plain images again (rather than manifest->(image+attestation) containers) which makes them safe to wrap.

@wesleyjellis wesleyjellis merged commit 6430deb into main Feb 18, 2026
@wesleyjellis wesleyjellis deleted the fix/docker-provenance-ecr branch February 18, 2026 21:42
@wesleyjellis
Copy link
Copy Markdown
Contributor Author

wesleyjellis commented Feb 18, 2026

Looks like the actual root cause is with goreleaser: goreleaser/goreleaser#6399 and newer versions of docker creating attestation by default

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eapache-opslevel eapache-opslevel eapache-opslevel approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[ECR] [console multi-arch support]: Support viewing multi-architecture images in the ECR Console UI correctly

2 participants

@wesleyjellis @eapache-opslevel