chore: enable OCI artifact type for attestation manifests (#199)

gbartolini · web-flow · commit 947fc7d30f93 · 2026-05-15T17:33:48.000+02:00
BuildKit's default image exporter does not set `artifactType` or the OCI 1.1 Referrers `subject` backlink on attestation manifests. Setting `oci-artifact=true` on the image exporter adds both, so SBOM and provenance attestations become discoverable through the OCI Referrers API. `oci-mediatypes=true` is redundant (BuildKit already defaults it to true when pushing to a registry, which is why the top-level index is already `application/vnd.oci.image.index.v1+json`) but kept for clarity. Same fix as cloudnative-pg/cloudnative-pg#10601, mirroring cloudnative-pg/postgres-containers#436. Closes #198 Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -59,6 +59,9 @@ target "default" {
     BASE = "${getBaseImage(distro, pgVersion)}"
   }
 
+  output = [
+    "type=image,oci-mediatypes=true,oci-artifact=true",
+  ]
   attest = [
     "type=provenance,mode=max",
     "type=sbom"

Original file line number	Diff line number	Diff line change
`@@ -59,6 +59,9 @@ target "default" {`
`59`	`59`	`BASE = "${getBaseImage(distro, pgVersion)}"`
`60`	`60`	`}`
`61`	`61`
	`62`	`+ output = [`
	`63`	`+ "type=image,oci-mediatypes=true,oci-artifact=true",`
	`64`	`+ ]`
`62`	`65`	`attest = [`
`63`	`66`	`"type=provenance,mode=max",`
`64`	`67`	`"type=sbom"`