From dd7d52e2496d59efe3171a46d7edbf9d717d6e25 Mon Sep 17 00:00:00 2001
From: vikingowl <christian@nachtigall.dev>
Date: Sat, 18 Apr 2026 03:17:20 +0200
Subject: [PATCH] fix(ci): disable SBOM attestations on buildx to unblock
 registry push

Matches woodpeckerci/plugin-docker-buildx defaults. Without --sbom=false
buildkit emits an OCI image index with SBOM attestation that the itsh.dev
registry rejects with 'manifest invalid'. Provenance was already disabled.
---
 .gitlab-ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3470be7..3742051 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -17,7 +17,7 @@ backend:docker:
   before_script:
     - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" $REGISTRY
   script:
-    - docker buildx build --push --provenance=false -f backend/deploy/Dockerfile -t "$BACKEND_IMAGE:${CI_COMMIT_SHORT_SHA}" backend/
+    - docker buildx build --push --provenance=false --sbom=false -f backend/deploy/Dockerfile -t "$BACKEND_IMAGE:${CI_COMMIT_SHORT_SHA}" backend/
   rules:
     - if: '$CI_COMMIT_BRANCH == "main"'
       changes: [backend/**/*]
@@ -59,7 +59,7 @@ web:docker:
     - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" $REGISTRY
   script:
     - |
-      docker buildx build --push --provenance=false \
+      docker buildx build --push --provenance=false --sbom=false \
         -f web/Dockerfile \
         --build-arg PUBLIC_API_BASE_URL=https://api.marktvogt.de \
         --build-arg PUBLIC_TURNSTILE_SITE_KEY=0x4AAAAAACjLCV-78Ql1oTPz \