From 9fa957efd54635dbb969bcc1f14be678ec430b24 Mon Sep 17 00:00:00 2001 From: Trey Date: Thu, 13 Nov 2025 10:08:08 -0800 Subject: [PATCH] Fix release image provenance **Issue** When you build for multiple platforms (`platforms: linux/amd64,linux/arm64`) with `provenance: true`, the attestation gets created but may not be properly associated with the manifest list. This is a known limitation in Docker buildx when dealing with multi-platform builds. **Solution** Use `provenance: mode=max` - This ensures provenance is properly attached even for multi-platform builds:
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 332feed..63ee518 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -67,7 +67,7 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
- provenance: true
+ provenance: mode=max
 sbom: true
 - name: Install Cosign
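Review bot: On the changed `provenance: mode=max` line, the mode sets how much detail the attestation records rather than where it is attached, so this may not by itself resolve the manifest-list association described in the commit message. Checking the pushed tag with `docker buildx imagetools inspect` would confirm that each platform entry in the index has its attestation manifest. `mode=max` also records build-argument values and the build definition in the attestation published with the image, so anything passed through `build-args` in this step becomes readable by anyone who can pull it. The step's remaining inputs are outside the hunk, and any that carry credentials should move to secret mounts. A comment above the line would help the next maintainer: `# mode=max publishes build args and the Dockerfile in the attestation; keep secrets out of build-args`.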