From f1f922f46362cec29a5cbf02a92dfd3fe78dd8a7 Mon Sep 17 00:00:00 2001
From: Janno Kusman <janno.kusman@cyber.ee>
Date: Fri, 20 Sep 2024 15:40:31 +0300
Subject: [PATCH] comment out broken attestation generation for
 cdoc2-server-liquibase image

---
 .github/workflows/docker-release.yml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index b5adf4a..8730123 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -53,11 +53,12 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
 
       # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)."
-      - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v1
-        with:
-          #subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
-          subject-name: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+# Broken: generates images with sha256, that fail to start with "unsupported media type application/vnd.oci.empty.v1+json"
+#      - name: Generate artifact attestation
+#        uses: actions/attest-build-provenance@v1
+#        with:
+#          #subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+#          subject-name: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
+#          subject-digest: ${{ steps.push.outputs.digest }}
+#          push-to-registry: true