
ci: disable provenance and sbom to fix the `unknown/unknown` platform on ghcr

Open gautamkrishnar opened this issue 1 week ago • 4 comments

Description: Added provenance: false and sbom: false parameters to all Docker/build-push-action steps across 12 workflow files. This will fix the issue of ghcr showing unknown/unknown in the GHCR UI.

Caveats: This change disables two security/transparency features:

  1. Provenance Attestations: Provides cryptographically signed build transparency information (build platform, source repository, build parameters)
  2. SBOM (Software Bill of Materials): Provides dependency information for security scanning and compliance

Ref: https://docs.docker.com/build/ci/github-actions/attestations/

I also noticed that you guys are pushing to Docker.io as well. For Docker.io, this fix is not really necessary. Let me know if you guys want to separate the push to Docker.io, enabling both provenance and SBOM there.

Link to tracking Issue(s): <Issue number if applicable>

  • Resolves: #3134

Testing: Fixes done as per the discussion here: https://github.com/orgs/community/discussions/45969#discussioncomment-13352049

Documentation: n/a

gautamkrishnar avatar Dec 07 '25 14:12 gautamkrishnar

CLA Signed

The committers listed above are authorized under a signed CLA.

  • :white_check_mark: login: gautamkrishnar / name: Gautam krishna R (bf9a8820a2281e1a7df50e9e7836692a1751b458)

Added provenance: false and sbom: false

Is this config also applied in other OTEL repos?

We might look at https://github.com/open-telemetry/opentelemetry-collector-releases/pkgs/container/opentelemetry-collector-releases%2Fopentelemetry-collector-contrib/597299646?tag=0.141.0 and see how they do it.

pavolloffay avatar Dec 08 '25 09:12 pavolloffay

@pavolloffay After examining their repository (https://github.com/open-telemetry/opentelemetry-collector-releases/pkgs/container/opentelemetry-collector-releases%2Fopentelemetry-collector-contrib/597299646?tag=0.141.0), I found that they don't explicitly disable provenance or sbom in their configuration. Instead, they avoid the issue.

This is because they use GoReleaser instead of a direct docker/build-push-action workflow. This issue is specific to the docker/build-push-action.

Why the "unknown/unknown" Issue Occurs

According to the https://github.com/orgs/community/discussions/45969:

  • Docker Buildx now generates attestations by default (provenance and SBOM)
  • These attestations are separate manifests with platform set to "unknown/unknown"
  • GitHub Container Registry's UI displays these as an extra "architecture" entry
  • When using docker/build-push-action with default settings, these attestations get included in the manifest index.

Is this config also applied in other OTEL repos?

Yes, it is applied to the otel repos on the DockerHub registry as well. I think it's better to do it only for the GitHub container registry. I have updated the code to make the changes only for GHCR.

gautamkrishnar avatar Dec 08 '25 16:12 gautamkrishnar
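The attestation manifests described in the comment above are visible in the OCI image index itself. As an added example (not code from this PR or from the operator project), the following Python script parses a constructed index of the kind BuildKit pushes, separates real platform manifests from attestation manifests (platform unknown/unknown, annotated with vnd.docker.reference.type=attestation-manifest), links each attestation to the image it covers, and reports platforms left without attestations; the digests are placeholders.

```python
import json

# Constructed sample of an OCI image index as BuildKit pushes it when
# provenance/SBOM attestations are enabled. Digests are placeholders.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:aaaa", "size": 1,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:bbbb", "size": 1,
         "platform": {"architecture": "arm64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:cccc", "size": 1,
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": "sha256:aaaa"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:dddd", "size": 1,
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": "sha256:bbbb"}},
    ],
})

def is_attestation(entry):
    """True for BuildKit attestation manifests, the entries a registry UI lists as unknown/unknown."""
    ann = entry.get("annotations", {})
    plat = entry.get("platform", {})
    return (ann.get("vnd.docker.reference.type") == "attestation-manifest"
            and plat.get("os") == "unknown" and plat.get("architecture") == "unknown")

def classify_index(index_json):
    """Return ({os/arch: image digest}, {image digest: [attestation digests]})."""
    platforms, attestations = {}, {}
    for entry in json.loads(index_json)["manifests"]:
        if is_attestation(entry):
            target = entry["annotations"]["vnd.docker.reference.digest"]
            attestations.setdefault(target, []).append(entry["digest"])
        else:
            p = entry["platform"]
            platforms[f"{p['os']}/{p['architecture']}"] = entry["digest"]
    return platforms, attestations

def unattested_platforms(index_json):
    """Platforms whose image manifest has no attestation manifest referencing it."""
    platforms, attestations = classify_index(index_json)
    return sorted(name for name, digest in platforms.items() if digest not in attestations)

def strip_attestations(index_json):
    """Simulate provenance: false / sbom: false by dropping attestation manifests from the index."""
    index = json.loads(index_json)
    index["manifests"] = [m for m in index["manifests"] if not is_attestation(m)]
    return json.dumps(index)
```

Running unattested_platforms on an index fetched with `docker buildx imagetools inspect --raw` gives a quick check that a published image still carries its attestations.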

I would rather us figure out how to make provenance and sboms work than disable this feature. We should be improving our security posture when possible.

Yes, I also agree with this. Feel free to close this PR if needed. We can ignore this issue for now. Other than some user confusion, this won't cause many issues. We can figure out how to make it work later.

gautamkrishnar avatar Dec 08 '25 16:12 gautamkrishnar