fix(ci): disable sbom/provenance on push step, clean up stale floating tag refs

lelia · lelia · commit a49a6994a867 · 2026-03-20T16:19:31.000-04:00
Signed-off-by: lelia &lt;lelia@socket.dev&gt;
diff --git a/.github/workflows/_docker-pipeline.yml b/.github/workflows/_docker-pipeline.yml
@@ -123,6 +123,11 @@ jobs:
             BUILD_DATE=${{ github.event.repository.updated_at }}
           cache-from: type=gha,scope=${{ inputs.name }}
           cache-to: type=gha,mode=max,scope=${{ inputs.name }}
+          # Disable attestations for the test build — provenance/SBOM cause BuildKit
+          # to pull docker/buildkit-syft-scanner from Docker Hub, which fails with a
+          # repo-scoped token. Attestations are enabled on the push step only.
+          provenance: false
+          sbom: false
 
       # ── Step 2: Smoke test ─────────────────────────────────────────────────
       - name: 🧪 Smoke test
@@ -166,8 +171,11 @@ jobs:
             VCS_REF=${{ github.sha }}
             BUILD_DATE=${{ github.event.repository.updated_at }}
           cache-from: type=gha,scope=${{ inputs.name }}
-          provenance: true
-          sbom: true
+          # SBOM and provenance generation pull docker/buildkit-syft-scanner from
+          # Docker Hub, which fails with a repo-scoped token. Disabled until a
+          # token with broader Docker Hub read access is available.
+          provenance: false
+          sbom: false
 
       # Floating major version tags (v2 → latest v2.x.y) have been intentionally
       # removed. Mutable tags are structurally equivalent to :latest and are
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
@@ -5,9 +5,8 @@ name: publish-docker
 # Flow: resolve-version → build-test-push → create-release
 #
 # Tag convention:
-#   v2.0.0  — immutable exact release
-#   v2      — floating, always points to latest v2.x.y
-#   See docs/github-action.md → "Pinning strategies" for the tradeoff guide.
+#   v2.0.0  — immutable exact release (floating major tags intentionally not published)
+#   See docs/github-action.md → "Pinning strategies" for the full rationale.
 #
 # Required repository secrets:
 #   DOCKERHUB_USERNAME  — Docker Hub account name
@@ -61,7 +60,7 @@ jobs:
     name: publish (socket-basics)
     needs: resolve-version
     permissions:
-      contents: write   # force-update the floating major version tag (e.g. v2)
+      contents: read
       packages: write   # push images to GHCR
     uses: ./.github/workflows/_docker-pipeline.yml
     with:
