
BED-7784: disable provenance in publish image step #183

Merged: StranDutton merged 1 commit into main from BED-7784-fix-publish-step on Mar 30, 2026


@StranDutton StranDutton commented Mar 30, 2026

Ticket: https://specterops.atlassian.net/browse/BED-7784

Adds provenance: false to the Push Image step in the publish workflow.

Recent GitHub Actions runner updates changed Docker Buildx's default behavior to include "provenance attestations" (metadata) when pushing images. AWS ECR doesn't support the manifest format used by these attestations, causing the push to fail with a 403 Forbidden. This disables the attestation metadata on push. The image itself is not affected.

Already made this change to the build step in this PR, but forgot to make the same change for the publish step, which is what I am doing here.

Ref: docker/build-push-action#826

Summary by CodeRabbit

  • Chores
    • Updated container build pipeline configuration.
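
An added example, not part of this PR or the project's workflow: the Python below takes the raw manifest JSON for a pushed tag (as printed by `docker buildx imagetools inspect --raw <ref>`) and reports whether it is an index carrying attestation entries or a single image manifest. It assumes BuildKit's `vnd.docker.reference.type: attestation-manifest` annotation marks attestation entries; the function name, sample documents and digests are constructed for illustration.

```python
import json

# Media types that denote a multi-entry index rather than a single image manifest.
INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}

def summarize_manifest(raw: str) -> dict:
    """Classify a raw manifest and split index entries into images and attestations."""
    doc = json.loads(raw)
    if doc.get("mediaType") not in INDEX_TYPES and "manifests" not in doc:
        # No index: a single image manifest, with no attestations attached.
        return {"kind": "image-manifest", "images": [], "attestations": []}
    images, attestations = [], []
    for entry in doc.get("manifests", []):
        ann = entry.get("annotations") or {}
        if ann.get("vnd.docker.reference.type") == "attestation-manifest":
            # Each attestation entry names the image digest it describes.
            attestations.append({"digest": entry["digest"],
                                 "subject": ann.get("vnd.docker.reference.digest")})
        else:
            plat = entry.get("platform") or {}
            images.append({"digest": entry["digest"],
                           "platform": f"{plat.get('os', '?')}/{plat.get('architecture', '?')}"})
    return {"kind": "index", "images": images, "attestations": attestations}

# Constructed sample inputs (digests are placeholders, not real images).
IMG = "sha256:" + "a" * 64
ATT = "sha256:" + "b" * 64
WITH_PROVENANCE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": IMG,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": ATT,
         "platform": {"architecture": "unknown", "os": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": IMG}},
    ],
})
WITHOUT_PROVENANCE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"digest": IMG}, "layers": [],
})

if __name__ == "__main__":
    for name, raw in (("with", WITH_PROVENANCE), ("without", WITHOUT_PROVENANCE)):
        print(name, summarize_manifest(raw))
```

An empty `attestations` list for a published tag means consumers have no build provenance to verify for that image, which is the trade-off of setting `provenance: false`.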

coderabbitai bot commented Mar 30, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between 3966daf and e04a4fc.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml

Walkthrough

The .github/workflows/publish.yml workflow file is updated to explicitly disable provenance generation for Docker images by adding provenance: false to the docker/build-push-action@v6 step configuration.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker Build Configuration: .github/workflows/publish.yml | Added provenance: false parameter to the docker/build-push-action@v6 step to disable Docker image provenance generation. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A hop, a skip, through workflows so neat,
One line added makes the config complete!
Provenance disabled, the bunny did cheer,
Docker builds faster throughout the year! 🐳✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: disabling provenance in the publish image step of the GitHub Actions workflow, which matches the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@StranDutton StranDutton merged commit a630700 into main Mar 30, 2026
10 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Mar 30, 2026