From ee1cef1d85ccddd529e9f405d6e455c5c294f73b Mon Sep 17 00:00:00 2001 From: hongming Date: Wed, 10 Jun 2026 17:51:14 -0700 Subject: [PATCH] ci(publish): disable buildx provenance/sbom attestations (ECR untagged bloat) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The tenant + platform image publish ran 'docker buildx build --push' with BuildKit's default provenance=mode=min, so EVERY build pushed an OCI image INDEX plus an untagged provenance attestation manifest as a child. At ~40 builds/day across two ECR accounts (prod + staging mirror) these untagged manifests accumulated into hundreds of GB — the ECR cost spike. Builds are single-platform (no --platform), so the index existed ONLY for the attestation. --provenance=false --sbom=false makes each build push a single plain image manifest, no untagged children. runtime_image_pins pin by digest (still valid) and imagetools create copies by digest (unaffected), so nothing downstream depends on the index/attestations. Pairs with the new ECR lifecycle policies (untagged>3d) which reap the existing backlog; this stops the generation at the source. Co-Authored-By: Claude Opus 4.8 (1M context) --- .gitea/workflows/publish-workspace-server-image.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitea/workflows/publish-workspace-server-image.yml b/.gitea/workflows/publish-workspace-server-image.yml index 82efbde19..39aff667f 100644 --- a/.gitea/workflows/publish-workspace-server-image.yml +++ b/.gitea/workflows/publish-workspace-server-image.yml @@ -227,6 +227,8 @@ jobs: docker login --username AWS --password-stdin "${ECR_REGISTRY}" docker buildx build \ --file ./workspace-server/Dockerfile \ + --provenance=false \ + --sbom=false \ --build-arg GIT_SHA="${GIT_SHA}" \ --label "org.opencontainers.image.source=https://git.moleculesai.app/molecule-ai/${REPO}" \ --label "org.opencontainers.image.revision=${GIT_SHA}" \ 
@@ -285,6 +287,8 @@ jobs: if docker buildx build \ --builder "${builder}" \ --file ./workspace-server/Dockerfile.tenant \ + --provenance=false \ + --sbom=false \ --build-arg NEXT_PUBLIC_PLATFORM_URL= \ --build-arg GIT_SHA="${GIT_SHA}" \ --label "org.opencontainers.image.source=https://git.moleculesai.app/molecule-ai/${REPO}" \ -- 2.52.0
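Review bot: the first hunk (the platform image build at the `docker buildx build \` call after `docker login`) adds `--provenance=false` and `--sbom=false` without any comment in the workflow explaining why, and the reason is a supply-chain trade-off worth recording next to the flags: the provenance attestation being dropped is the artifact a consumer would use to verify how the image was built, so a later maintainer seeing only the YAML may either remove the flags (bringing the untagged-manifest bloat back) or assume provenance is still being published. Suggest a one-line comment above `--provenance=false \`, e.g. `# no attestation manifests: they pushed an untagged index per build (ECR cost); see lifecycle policy`, and, since the message states that only digest pins and `imagetools create` consume these images, a sentence in the commit body confirming that no `cosign verify-attestation` or equivalent check runs against them. Note also that `--sbom=false` restates BuildKit's default (SBOM generation is opt-in), so it is harmless but should be called out as explicit rather than as reverting a previous setting.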
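Review bot: the second hunk (the tenant build under `if docker buildx build \` with `--builder "${builder}"`) duplicates the same two flags verbatim from the first hunk, so the two invocations can silently drift if one is edited and the other is not. Suggest hoisting them into a single job-level shell variable (hypothetical name, e.g. `BUILDX_ATTEST_FLAGS="--provenance=false --sbom=false"`) referenced from both `docker buildx build` calls, or at least adding the same explanatory comment to both sites, so the attestation-disabling decision stays consistent for the tenant and platform images.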