cicd: changed initial release version #minor

Author: botprzemek

.github/workflows/publish.yml

@@ -47,16 +47,16 @@ jobs:
     needs: release
     if: needs.release.outputs.part != 'patch'
     runs-on: ${{ matrix.os }}
+    permissions:
+      packages: write
+      contents: read
     strategy:
       matrix:
         include:
           - os: ubuntu-latest
             arch: amd64
           - os: ubuntu-22.04-arm
             arch: arm64
-    permissions:
-      packages: write
-      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -83,6 +83,8 @@ jobs:
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+        env:
+          BUILDX_NO_DEFAULT_ATTESTATIONS: 1
         with:
           platforms: linux/${{ matrix.arch }}
 
@@ -99,6 +101,8 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          provenance: false
+          sbom: false
 
       - name: Build and push Management Docker image
         uses: docker/build-push-action@v6
@@ -112,4 +116,6 @@ jobs:
             ghcr.io/${{ github.repository }}/management:latest
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha  
-          cache-to: type=gha,mode=max
+          cache-to: type=gha,mode=max
+          provenance: false
+          sbom: false

api/Dockerfile

@@ -1,4 +1,4 @@
-FROM rust:latest AS builder
+FROM rust:1.93-slim AS builder
 
 RUN cargo install cargo-chef sccache --locked
 

management/Dockerfile

@@ -1,14 +1,19 @@
-FROM node:latest AS builder
+FROM node:25.6-slim AS builder
 
 WORKDIR /app
 
 COPY --chown=nonroot:nonroot package.json package-lock.json ./
-RUN npm ci
+
+RUN --mount=type=cache,target=/root/.npm \
+    npm ci --prefer-offline
 
 COPY --chown=nonroot:nonroot . .
+
 RUN npm run build
 
-FROM cgr.dev/chainguard/node:latest
+
+
+FROM cgr.dev/chainguard/node:latest AS runner
 
 WORKDIR /app