From 9981668bc5b9235395da4dcaf25e8cc52c82ecbb Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 4 Nov 2025 22:00:08 +0000 Subject: [PATCH] Fix SBOM/provenance manifest list error on PR builds Fixed error: "docker exporter does not currently support exporting manifest lists" The issue occurred because SBOM and provenance attestations create manifest lists, which cannot be loaded to the local Docker daemon (required for PRs). Changes: - Made sbom conditional: only enabled for push events (not PRs) - Made provenance conditional: only enabled for push events (not PRs) - PRs now build without attestations (faster, avoids manifest list error) - Production pushes still get full SBOM and provenance attestations This allows: - PR builds to complete successfully with load=true - Production builds to maintain supply chain security features
---
 .github/workflows/docker-build.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 088e5778..1eaad3cc 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -111,5 +111,6 @@ jobs:
 cache-to: type=gha,mode=max
 # Only specify platforms for push (multi-platform), not for load (single-platform only)
 platforms: ${{ (github.event_name != 'pull_request' && github.event_name != 'pull_request_target') && 'linux/amd64,linux/arm64' || '' }}
- sbom: true
- provenance: true
+ # SBOM and provenance create manifest lists, incompatible with load (PRs)
+ sbom: ${{ github.event_name != 'pull_request' && github.event_name != 'pull_request_target' }}
+ provenance: ${{ github.event_name != 'pull_request' && github.event_name != 'pull_request_target' }}
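Review bot: The new `sbom` and `provenance` expressions repeat the event-name test already used for `platforms`, and that test is only a proxy for the real constraint named in the added comment, which is whether the step uses `load`. The `push` and `load` inputs are outside this hunk, so confirm they are derived from the same condition; if the copies drift, either the manifest-list error returns or a pushed image is published without attestations. Computing the value once would remove that risk, for example a job-level `env` entry (name constructed here) `PUBLISH: ${{ github.event_name != 'pull_request' && github.event_name != 'pull_request_target' }}`, then `sbom: ${{ env.PUBLISH == 'true' }}` and `provenance: ${{ env.PUBLISH == 'true' }}`. Because published images now depend on this expression for their SBOM and provenance, a check after the push that the attestations are present would catch a silent regression.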