2 Commits

Author SHA1 Message Date
vikingowl c0bca5c12d feat(deploy): add scripts/build-push.sh for the Zot registry
registry.itsh.dev runs Zot, which only accepts OCI image indexes with SLSA
provenance attestations. A plain 'docker build && docker push' produces a
bare manifest and is rejected with 'manifest invalid' — the same gotcha
documented in self-hosted/ente.

The script mirrors that working pattern: buildx with --provenance mode=max,
--platform linux/amd64, integrated --push. Auto-detects the default tag
from cronjob.yaml so build-push and the manifest can't drift; override with
TAG= when releasing a new version.
2026-05-18 18:07:35 +02:00
vikingowl 107f9e1f14 feat(deploy): add Dockerfile, K8s manifests, and bootstrap script
Multi-stage Alpine build pinned to python:3.14-alpine, with libolm pulled
in only for the runtime layer. K8s manifests cover ServiceAccount, Role
(scoped to a single named Secret), RoleBinding, ConfigMap, RWO PVC, and
the CronJob itself (concurrencyPolicy=Forbid, runAsNonRoot, dropped caps,
readOnlyRootFilesystem). Kustomize overlay targets the tenant-2 namespace.
bootstrap-local.sh prepares ./local/ from a Claude install (honors
CLAUDE_CONFIG_DIR for work/priv splits) and prompts for the Matrix bot
credentials.
2026-05-18 17:23:24 +02:00
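
The build-and-push pattern described in commit c0bca5c12d, as an added example that is not the repository's scripts/build-push.sh: it reads the tag from a manifest and composes the buildx call, and goes beyond the commit message by refusing digest-pinned, untagged, or malformed references. The repository path `example/app`, the `MANIFEST` and `DRY` variables, and the sample manifest are assumptions.

```shell
#!/bin/sh
# Added example, not the repository's scripts/build-push.sh.
set -e

# Hypothetical repository path; only the registry host comes from the commit.
IMAGE="${IMAGE:-registry.itsh.dev/example/app}"

# Print the tag of the first "image:" reference in a manifest. Refuses
# digest-pinned or untagged references instead of silently pushing "latest".
detect_tag() {
    ref=$(sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' "$1" | head -n 1 | tr -d "\"'")
    [ -n "$ref" ] || { echo "no image: line in $1" >&2; return 1; }
    case "$ref" in *@*) echo "digest-pinned image; set TAG=" >&2; return 1 ;; esac
    name=${ref##*/}    # drop the registry host, which may itself carry :port
    case "$name" in
        *:*) t=${name##*:} ;;
        *)   echo "untagged image; set TAG=" >&2; return 1 ;;
    esac
    # OCI tags are limited to [A-Za-z0-9_.-]; reject anything else.
    case "$t" in ''|*[!A-Za-z0-9_.-]*) echo "bad tag: $t" >&2; return 1 ;; esac
    printf '%s\n' "$t"
}

# The buildx invocation from the commit message. Prints the command unless
# DRY is set to the empty string (DRY= sh build-push.sh), which runs it.
build() {
    ${DRY-echo} docker buildx build --provenance=mode=max \
        --platform linux/amd64 --push -t "$IMAGE:$1" .
}

# Constructed sample standing in for cronjob.yaml.
sample_manifest() {
    cat <<'EOF'
kind: CronJob
spec:
  jobTemplate:
    spec:
      template:
        spec:
          containers:
            - image: registry.itsh.dev/example/app:1.4.2
              imagePullPolicy: IfNotPresent
EOF
}

tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
if [ -n "${MANIFEST:-}" ]; then cat "$MANIFEST" > "$tmp"; else sample_manifest > "$tmp"; fi
tag=${TAG:-$(detect_tag "$tmp")}   # assignment fails under set -e if detection fails
build "$tag"
```

Run with `MANIFEST=` pointing at the real manifest to print the command, and add `DRY=` (empty) to execute it.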