fix: use buildx --push --provenance=false to avoid OCI manifest rejection

.gitlab-ci.yml

@@ -4,7 +4,6 @@ variables:
   REGISTRY: registry.itsh.dev
   BACKEND_IMAGE: registry.itsh.dev/vikingowl/marktvogt.de/backend
   WEB_IMAGE: registry.itsh.dev/vikingowl/marktvogt.de/web
-  DOCKER_BUILDKIT: "0"
 
 # ── Backend ─────────────────────────────────────────────────────────────────
 
@@ -18,8 +17,7 @@ backend:docker:
   before_script:
     - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" $REGISTRY
   script:
-    - docker build -f backend/deploy/Dockerfile -t "$BACKEND_IMAGE:${CI_COMMIT_SHORT_SHA}" backend/
-    - docker push "$BACKEND_IMAGE:${CI_COMMIT_SHORT_SHA}"
+    - docker buildx build --push --provenance=false -f backend/deploy/Dockerfile -t "$BACKEND_IMAGE:${CI_COMMIT_SHORT_SHA}" backend/
   rules:
     - if: '$CI_COMMIT_BRANCH == "main"'
       changes: [backend/**/*]
@@ -61,11 +59,11 @@ web:docker:
     - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" $REGISTRY
   script:
     - |
-      docker build -f web/Dockerfile \
+      docker buildx build --push --provenance=false \
+        -f web/Dockerfile \
         --build-arg PUBLIC_API_BASE_URL=https://api.marktvogt.de \
         --build-arg PUBLIC_TURNSTILE_SITE_KEY=0x4AAAAAACjLCV-78Ql1oTPz \
         -t "$WEB_IMAGE:${CI_COMMIT_SHORT_SHA}" web/
-    - docker push "$WEB_IMAGE:${CI_COMMIT_SHORT_SHA}"
   rules:
     - if: '$CI_COMMIT_BRANCH == "main"'
       changes: [web/**/*]