@tgrunnagle tgrunnagle commented Nov 13, 2025

Address #38 (which is now manifesting as WARN MCP server mcp-optimizer:latest has no provenance information set, skipping image verification)

Issue
When you build for multiple platforms (platforms: linux/amd64,linux/arm64) with provenance: true, the attestation gets created but may not be properly associated with the manifest list. This is a known limitation in Docker buildx when dealing with multi-platform builds.

Solution
Use provenance: mode=max - This ensures provenance is properly attached even for multi-platform builds:

claude bot commented Nov 13, 2025

PR Review

Summary: This PR fixes provenance attestation for multi-platform Docker builds by changing provenance: true to provenance: mode=max.

✅ Strengths

  • Correct fix: Using mode=max is the recommended approach for multi-platform builds with Docker buildx
  • Minimal change: Single-line change reduces risk
  • Well documented: PR description clearly explains the issue and solution

📝 Observations

  • The change aligns with Docker buildx best practices for multi-platform manifest lists
  • SBOM generation (line 71) remains enabled, which is good for supply chain security
  • Cosign signing workflow (lines 73-88) will continue to work correctly with this change

✓ No Issues Found

  • No code quality concerns
  • No security regressions
  • No breaking changes
  • Performance impact is negligible (build-time only)
  • Change follows repository conventions

Recommendation: ✅ Approve and merge

@tgrunnagle tgrunnagle merged commit 38125d4 into main Nov 14, 2025
6 checks passed
@tgrunnagle tgrunnagle deleted the issue_38_2025-11-13 branch November 14, 2025 13:36
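
One way to check the association the PR description is concerned with: whether every platform image in a pushed index has an attestation manifest pointing at it. This is an added example, not code from this PR or the project; it assumes the index JSON (for instance the output of `docker buildx imagetools inspect --raw`) follows BuildKit's attestation storage layout, and the sample index and its digests are constructed placeholders.

```python
import json

# Annotation keys BuildKit puts on attestation manifests inside an image index.
REF_TYPE = "vnd.docker.reference.type"
REF_DIGEST = "vnd.docker.reference.digest"

# Constructed sample index (placeholder digests): amd64 is attested, arm64 is not.
SAMPLE_INDEX = json.loads("""
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"digest": "sha256:aaaa", "platform": {"os": "linux", "architecture": "amd64"}},
    {"digest": "sha256:bbbb", "platform": {"os": "linux", "architecture": "arm64"}},
    {"digest": "sha256:cccc", "platform": {"os": "unknown", "architecture": "unknown"},
     "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                     "vnd.docker.reference.digest": "sha256:aaaa"}}
  ]
}
""")


def audit_attestations(index):
    """Report platform images with no attestation and attestations with no image."""
    images = {}      # image manifest digest -> "os/arch"
    referenced = {}  # referenced image digest -> attestation manifest digest
    for entry in index.get("manifests", []):
        annotations = entry.get("annotations") or {}
        if annotations.get(REF_TYPE) == "attestation-manifest":
            referenced[annotations.get(REF_DIGEST)] = entry["digest"]
        else:
            platform = entry.get("platform") or {}
            images[entry["digest"]] = "{}/{}".format(
                platform.get("os", "?"), platform.get("architecture", "?"))
    return {
        # Platform images that no attestation manifest in this index refers to.
        "missing": sorted(n for d, n in images.items() if d not in referenced),
        # Attestation manifests whose referenced digest is not an image in this index.
        "dangling": sorted(a for d, a in referenced.items() if d not in images),
    }


if __name__ == "__main__":
    print(json.dumps(audit_attestations(SAMPLE_INDEX), indent=2))
```

A non-empty `missing` list means at least one platform image in the index has no attestation attached to it.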

Development

Successfully merging this pull request may close these issues.

MCP server ghcr.io/stackloklabs/mcp-optimizer:0.0.4 failed image verification
