Fix CI image builds#1399
Merged
Merged
Conversation
It looks like GHCR is serving up the attestation/provenance manifest instead of the actual image. Hopefully having a multiarch build will make the image retrievable.
Collaborator
Author
|
Inspecting the manifest before & after adding a multiarch build: after: I suspect the docker client is expecting a single-arch build to not be wrapped in these attestation blocks. |
They appear to be confusing the docker client and result in "manifest unknown" errors when doing docker pulls
Collaborator
Author
|
For the MATS fixes - simply removing the attestation, and not doing a multiarch build: Before: ➜ docker manifest inspect ghcr.io/noaa-gsl/mats/development/radar:development
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 3343,
"digest": "sha256:5c7e52d289a42c27f22dac606bdddf95a08ad16357ff873c222f46234299f77a",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 565,
"digest": "sha256:4b9224c2a480dab8d659e68998dfbc48f86006469aff5119dc5a725047855851",
"platform": {
"architecture": "unknown",
"os": "unknown"
}
}
]
}
➜ docker buildx imagetools inspect ghcr.io/noaa-gsl/mats/development/radar:development
Name: ghcr.io/noaa-gsl/mats/development/radar:development
MediaType: application/vnd.oci.image.index.v1+json
Digest: sha256:30e206609e285daeb0c7084ff9dbc168fccd00f3d7adf483d7df9daa10a405a2
Manifests:
Name: ghcr.io/noaa-gsl/mats/development/radar:development@sha256:5c7e52d289a42c27f22dac606bdddf95a08ad16357ff873c222f46234299f77a
MediaType: application/vnd.oci.image.manifest.v1+json
Platform: linux/amd64
Name: ghcr.io/noaa-gsl/mats/development/radar:development@sha256:4b9224c2a480dab8d659e68998dfbc48f86006469aff5119dc5a725047855851
MediaType: application/vnd.oci.image.manifest.v1+json
Platform: unknown/unknown
Annotations:
vnd.docker.reference.digest: sha256:5c7e52d289a42c27f22dac606bdddf95a08ad16357ff873c222f46234299f77a
vnd.docker.reference.type: attestation-manifestAfter: ➜ docker manifest inspect ghcr.io/noaa-gsl/mats/development/radar:fix-manifest-unknown-errors
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"config": {
"mediaType": "application/vnd.docker.container.image.v1+json",
"digest": "sha256:5c8e8f8719f9c67d56c7e6e5a09cd9a1eb208c297fb39a7ecf57e677b6829590",
"size": 15731
},
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:9b02e9fcb40102eae20d9d1fc7594b44328f4a3eb9b8a3bdb7db283d10840a30",
"size": 28236282
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:5d4a3aa5a9ad18507bf18000f0280556365b57788f03aca635c4792a79799082",
"size": 3319
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:22c736fe2dee42f2274e133f0fd657bc3a2661f48b034a8adc2ba40bb6fa4b82",
"size": 49837385
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:dad35d9305371ac05c2bdf6de63217e78a5906a5f0335bd26432bbee187aea33",
"size": 1712697
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:079e3008b73419a93cb985863971162eb59bcb78e57f6ef558fc198ad2848d89",
"size": 450
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:3610d9e135371d7bcdfdd66cf5c107f77135210e5d947d38e0a198af47c8a8ca",
"size": 26820114
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:eaeb64e870aa0fde35026788dfb9ef508977eb0f3876a525eae1a187485ee32a",
"size": 7000417
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:174b123497fbaddb53c8e934ba1ccd8eba2066b68cb58ce5c6e0c54ce280aa43",
"size": 9656068
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:f35455497fbc7cc9e434775f72f59986e44e286be5938e7cf5ee44ab3c608096",
"size": 21435598
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:32c5457d5ee878dde933187415cb4a1d3bc5605ef411f8ab52e9a5282cce8713",
"size": 3517625
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:4545443ec35681f08164b4c46fdaac147f9916ebf7f1d2537e5f8a38332b0374",
"size": 90031667
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:9a81ccca818a8696b08092bf4eeca8a56de303562e52795eeade7d99924cce15",
"size": 727
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:4626ae9481d0d4af2cbd3e90b232c6d228be76d30fda1fe6de6adaa032078973",
"size": 266
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:a45f2597bdfcf9aaa6fa6674337822ff09f040a48685f3681045b48ef3c1ccc1",
"size": 10981331
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1",
"size": 32
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"digest": "sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1",
"size": 32
}
]
}
➜ docker buildx imagetools inspect ghcr.io/noaa-gsl/mats/development/radar:fix-manifest-unknown-errors
Name: ghcr.io/noaa-gsl/mats/development/radar:fix-manifest-unknown-errors
MediaType: application/vnd.docker.distribution.manifest.v2+json
Digest: sha256:c9e907bc315c2636951be8d7e764840e550c543680e0d480b0229f92ce1a33fe |
Collaborator
Author
|
@mollybsmith-noaa - to test, do: |
mollybsmith-noaa
approved these changes
May 12, 2026
Collaborator
mollybsmith-noaa
left a comment
mollybsmith-noaa
left a comment
There was a problem hiding this comment.
Looks good! Could you make these changes for METexpress as well?
ian-noaa
changed the title
Collaborator
Author
|
Thanks! I'll make sure they're accessible as well. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
It looks like GHCR is serving up the attestation/provenance manifest instead of the actual image. Add a multiarch build to the home app, and disable attestations & SBOMs in the MATS single arch images to make the image retrievable by docker pull.
This is most likely a result of switching to buildx & docker build-push-action. (Introduced in #1393) However, it may also be related to docker's switch from Moby to containerd as the storage engine.