From 361bf3f6af1e2e0a326374ee98c001e36afe731b Mon Sep 17 00:00:00 2001
From: Jeremiah Parrack
Date: Sat, 6 Jun 2026 15:53:10 -0400
Subject: [PATCH 1/2] Fix release workflow: avoid pushing major-version tags to arch-specific repos GHCR will not overwrite a manifest-list tag with a single-arch image push, causing docker manifest create to fail with "is a manifest list". Fix by only pushing the exact version tag to -amd64/-arm64 repos; both manifest lists (:VERSION and :MAJOR) now reference the exact-version arch images. Also fix deprecated LABEL syntax warnings in package/Dockerfile.
---
 package/Dockerfile | 4 ++--
 package/deploy-image-amzn | 22 ++++++++++------------
 package/deploy-image-debian | 22 ++++++++++------------
 3 files changed, 22 insertions(+), 26 deletions(-)
diff --git a/package/Dockerfile b/package/Dockerfile
index a74dc8b..5b41b6d 100644
--- a/package/Dockerfile
+++ b/package/Dockerfile
@@ -1,4 +1,4 @@
 FROM scratch
-LABEL org.opencontainers.image.source "https://github.com/rails-lambda/crypteia"
-LABEL org.opencontainers.image.description "Rust Lambda Extension for any Runtime to preload SSM Parameters as Secure Environment Variables!"
+LABEL org.opencontainers.image.source="https://github.com/rails-lambda/crypteia"
+LABEL org.opencontainers.image.description="Rust Lambda Extension for any Runtime to preload SSM Parameters as Secure Environment Variables!"
 COPY ./package/opt /opt
diff --git a/package/deploy-image-amzn b/package/deploy-image-amzn
index 565a80b..57ce560 100755
--- a/package/deploy-image-amzn
+++ b/package/deploy-image-amzn
@@ -14,30 +14,28 @@ docker login ghcr.io -u "metaskills" -p $DOCKER_LOGIN_PAT
 BASE_NAME_AMD64="ghcr.io/rails-lambda/crypteia-extension-amzn-amd64"
 docker build \
 --platform linux/amd64 \
- --tag "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION_MAJOR}" \
 --tag "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION}" \
 --file package/Dockerfile .
-docker push "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION_MAJOR}"
 docker push "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION}"
 ./amzn/setup-arm64
 BASE_NAME_ARM64="ghcr.io/rails-lambda/crypteia-extension-amzn-arm64"
 docker build \
 --platform linux/arm64 \
- --tag "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION_MAJOR}" \
 --tag "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION}" \
 --file package/Dockerfile .
-docker push "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION_MAJOR}"
 docker push "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION}"
-docker manifest create \
- "ghcr.io/rails-lambda/crypteia-extension-amzn:${CRYPTEIA_VERSION_MAJOR}" \
- --amend "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION_MAJOR}" \
- --amend "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION_MAJOR}"
-docker manifest push "ghcr.io/rails-lambda/crypteia-extension-amzn:${CRYPTEIA_VERSION_MAJOR}"
-
+docker manifest rm "ghcr.io/rails-lambda/crypteia-extension-amzn:${CRYPTEIA_VERSION}" 2>/dev/null || true
 docker manifest create \
 "ghcr.io/rails-lambda/crypteia-extension-amzn:${CRYPTEIA_VERSION}" \
- --amend "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION}" \
- --amend "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION}"
+ "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION}" \
+ "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION}"
 docker manifest push "ghcr.io/rails-lambda/crypteia-extension-amzn:${CRYPTEIA_VERSION}"
+
+docker manifest rm "ghcr.io/rails-lambda/crypteia-extension-amzn:${CRYPTEIA_VERSION_MAJOR}" 2>/dev/null || true
+docker manifest create \
+ "ghcr.io/rails-lambda/crypteia-extension-amzn:${CRYPTEIA_VERSION_MAJOR}" \
+ "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION}" \
+ "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION}"
+docker manifest push "ghcr.io/rails-lambda/crypteia-extension-amzn:${CRYPTEIA_VERSION_MAJOR}"
diff --git a/package/deploy-image-debian b/package/deploy-image-debian
index 3c0cd06..9a6f08a 100755
--- a/package/deploy-image-debian
+++ b/package/deploy-image-debian
@@ -14,30 +14,28 @@ docker login ghcr.io -u "metaskills" -p $DOCKER_LOGIN_PAT
 BASE_NAME_AMD64="ghcr.io/rails-lambda/crypteia-extension-debian-amd64"
 docker build \
 --platform linux/amd64 \
- --tag "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION_MAJOR}" \
 --tag "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION}" \
 --file package/Dockerfile .
-docker push "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION_MAJOR}"
 docker push "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION}"
 ./debian/setup-arm64
 BASE_NAME_ARM64="ghcr.io/rails-lambda/crypteia-extension-debian-arm64"
 docker build \
 --platform linux/arm64 \
- --tag "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION_MAJOR}" \
 --tag "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION}" \
 --file package/Dockerfile .
-docker push "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION_MAJOR}"
 docker push "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION}"
-docker manifest create \
- "ghcr.io/rails-lambda/crypteia-extension-debian:${CRYPTEIA_VERSION_MAJOR}" \
- --amend "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION_MAJOR}" \
- --amend "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION_MAJOR}"
-docker manifest push "ghcr.io/rails-lambda/crypteia-extension-debian:${CRYPTEIA_VERSION_MAJOR}"
-
+docker manifest rm "ghcr.io/rails-lambda/crypteia-extension-debian:${CRYPTEIA_VERSION}" 2>/dev/null || true
 docker manifest create \
 "ghcr.io/rails-lambda/crypteia-extension-debian:${CRYPTEIA_VERSION}" \
- --amend "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION}" \
- --amend "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION}"
+ "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION}" \
+ "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION}"
 docker manifest push "ghcr.io/rails-lambda/crypteia-extension-debian:${CRYPTEIA_VERSION}"
+
+docker manifest rm "ghcr.io/rails-lambda/crypteia-extension-debian:${CRYPTEIA_VERSION_MAJOR}" 2>/dev/null || true
+docker manifest create \
+ "ghcr.io/rails-lambda/crypteia-extension-debian:${CRYPTEIA_VERSION_MAJOR}" \
+ "${BASE_NAME_AMD64}:${CRYPTEIA_VERSION}" \
+ "${BASE_NAME_ARM64}:${CRYPTEIA_VERSION}"
+docker manifest push "ghcr.io/rails-lambda/crypteia-extension-debian:${CRYPTEIA_VERSION_MAJOR}"
From 56279ed8a6dc499cd818dc45296bf8d343e9bcc1 Mon Sep 17 00:00:00 2001
From: Jeremiah Parrack
Date: Sat, 6 Jun 2026 17:08:11 -0400
Subject: [PATCH 2/2] Fix manifest list error: disable BuildKit default attestations Newer Docker/BuildKit wraps single-platform builds in an OCI index when it attaches a provenance attestation manifest. This makes every pushed image a manifest list, causing docker manifest create to fail with "is a manifest list". Setting BUILDX_NO_DEFAULT_ATTESTATIONS=1 prevents the attestation wrapper so arch-specific images are pushed as plain single-platform manifests.
---
 package/deploy-image-amzn | 4 ++++
 package/deploy-image-debian | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/package/deploy-image-amzn b/package/deploy-image-amzn
index 57ce560..e957c5d 100755
--- a/package/deploy-image-amzn
+++ b/package/deploy-image-amzn
@@ -10,6 +10,10 @@ CRYPTEIA_VERSION_MAJOR=$(echo "${CRYPTEIA_VERSION}" | cut -d. -f1)
 docker login ghcr.io -u "metaskills" -p $DOCKER_LOGIN_PAT
+# Prevent BuildKit from wrapping single-platform builds in an OCI index
+# (attestation manifests), which breaks docker manifest create.
+export BUILDX_NO_DEFAULT_ATTESTATIONS=1
+
 ./amzn/setup
 BASE_NAME_AMD64="ghcr.io/rails-lambda/crypteia-extension-amzn-amd64"
 docker build \
diff --git a/package/deploy-image-debian b/package/deploy-image-debian
index 9a6f08a..8d9a198 100755
--- a/package/deploy-image-debian
+++ b/package/deploy-image-debian
@@ -10,6 +10,10 @@ CRYPTEIA_VERSION_MAJOR=$(echo "${CRYPTEIA_VERSION}" | cut -d. -f1)
 docker login ghcr.io -u "metaskills" -p $DOCKER_LOGIN_PAT
+# Prevent BuildKit from wrapping single-platform builds in an OCI index
+# (attestation manifests), which breaks docker manifest create.
+export BUILDX_NO_DEFAULT_ATTESTATIONS=1
+
 ./bin/setup
 BASE_NAME_AMD64="ghcr.io/rails-lambda/crypteia-extension-debian-amd64"
 docker build \