registry.itsh.dev runs Zot, which only accepts OCI image indexes with SLSA
provenance attestations. A plain 'docker build && docker push' produces a
bare manifest and is rejected with 'manifest invalid' — the same gotcha
documented in self-hosted/ente.
The script mirrors that working pattern: buildx with --provenance mode=max,
--platform linux/amd64, integrated --push. Auto-detects the default tag
from cronjob.yaml so build-push and the manifest can't drift; override with
TAG= when releasing a new version.
