From faa63de3c7c26e16431ae69192f1d491cce97cfe Mon Sep 17 00:00:00 2001 From: vikingowl Date: Sat, 18 Apr 2026 03:48:37 +0200 Subject: [PATCH] fix(ci): use docker-container driver so buildx emits attestations The default buildx driver inside docker:29-dind is 'docker' (host daemon), which cannot produce attestations. Even with default provenance enabled, the docker driver silently drops attestation-related flags and emits a bare single-image manifest. registry.itsh.dev (Zot with strict attestation policy) rejects these with 'manifest invalid'. Creating a 'docker-container' driver builder before each build gives buildkit full export capabilities, matching both the Woodpecker plugin's behavior and what works from local development machines.
---
 .gitlab-ci.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 29fff9f..86f9753 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -16,6 +16,7 @@ backend:docker:
 DOCKER_TLS_CERTDIR: "/certs"
 before_script:
 - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" $REGISTRY
+ - docker buildx create --name ci-builder --driver docker-container --use
 script:
 - docker buildx build --output "type=image,push=true,rewrite-timestamp=true" -f backend/deploy/Dockerfile -t "$BACKEND_IMAGE:${CI_COMMIT_SHORT_SHA}" backend/
 rules:
@@ -57,6 +58,7 @@ web:docker:
 DOCKER_TLS_CERTDIR: "/certs"
 before_script:
 - docker login -u "$REGISTRY_USER" -p "$REGISTRY_PASSWORD" $REGISTRY
+ - docker buildx create --name ci-builder --driver docker-container --use
 script:
 - |
 docker buildx build --output "type=image,push=true,rewrite-timestamp=true" \
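Review bot: The builder created by the added `docker buildx create` line in `backend:docker` (and the identical line in the `web:docker` hunk) runs whatever BuildKit image the docker-container driver pulls by default, which is a mutable tag (`moby/buildkit:buildx-stable-1`), so the component that generates the attestations the registry enforces is itself unpinned. Pin it by digest through the driver option, e.g. `- docker buildx create --name ci-builder --driver docker-container --driver-opt image=moby/buildkit:<VERSION>@sha256:<DIGEST> --use`, with the placeholders filled from a release you have verified. The `docker buildx build` lines still depend on buildx's default provenance setting; if the Zot policy requires an attestation, stating `--provenance=true` on those lines would make that requirement explicit rather than a side effect of the driver. Both job definitions start and end outside the hunks, so this is based on the visible lines only.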