From 4ad2be71f7be920785b2a1d15fbd29b6118219d3 Mon Sep 17 00:00:00 2001
From: Techassi
Date: Mon, 16 Feb 2026 10:31:01 +0100
Subject: [PATCH 1/2] ci(ubi-rust-builder): Disable provenance generation
This fixes the image build failures occurring since the last couple of days. The issue itself is caused by provenance generation, which produces an image index manifest instead of an image manifest as before. This then causes the `docker manifest create` command to fail, because it cannot create index manifests out of other index manifests, only normal image manifests. It seems like that a newer Docker version enabled provenance generation by default. This GHA workflow does NOT pin the exact docker (and builder) version we use, which seems like the reason why this issue started popping up without any changes to the workflow or the Dockerfile for these images. Going forward, we should pin the exact Docker version we want to use. This will be done in a separate PR. For now we chose to disable provenance entirely even though we want to use it in general. However, we decided to deal with this once we start to actively work on provenance across our platform.
---
 .github/workflows/ubi-rust-builder.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ubi-rust-builder.yml b/.github/workflows/ubi-rust-builder.yml
index 4f5abcdec..11e58a6fe 100644
--- a/.github/workflows/ubi-rust-builder.yml
+++ b/.github/workflows/ubi-rust-builder.yml
@@ -50,6 +50,7 @@ jobs:
 file: ./${{ matrix.ubi-version }}-rust-builder/Dockerfile
 push: true
 tags: oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder:${{ env.TAG }}
+ provenance: false
 - name: Sign the published builder image
 shell: bash
 env:
From 155fd6c2da68a038f4ed59d2a1f41d40fc4c03a3 Mon Sep 17 00:00:00 2001
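Review bot: The added `provenance: false` line has no in-file explanation, so a later reader of the workflow cannot tell that build provenance was turned off as a temporary workaround rather than by design. I would put the reason directly above it, e.g. `# Temporarily disabled: attestations make buildx push an image index, which the later "docker manifest create" step cannot consume; re-enable once that step handles indexes`. With this setting the published image is still signed by the cosign step that follows, but it carries no build provenance attestation, so any consumer that verifies provenance will find none. If the index job can move to `docker buildx imagetools create`, which accepts index manifests as sources, provenance may not need to be disabled at all; that seems worth checking before the setting becomes permanent. The step's `with:` block begins outside the hunk.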
From: Techassi
Date: Mon, 16 Feb 2026 10:33:17 +0100
Subject: [PATCH 2/2] chore: Reorder keys and add blank lines
---
 .github/workflows/ubi-rust-builder.yml | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ubi-rust-builder.yml b/.github/workflows/ubi-rust-builder.yml
index 11e58a6fe..94638515e 100644
--- a/.github/workflows/ubi-rust-builder.yml
+++ b/.github/workflows/ubi-rust-builder.yml
@@ -21,27 +21,31 @@ jobs:
 build:
 permissions:
 id-token: write
+ runs-on: ${{ matrix.runner }}
 strategy:
 fail-fast: false
 matrix:
 runner: ["ubuntu-latest", "ubicloud-standard-8-arm-ubuntu-2404"]
 ubi-version: ["ubi9"]
- runs-on: ${{ matrix.runner }}
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
+
 - name: Login to Stackable Harbor
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: oci.stackable.tech
 username: robot$sdp+github-action-build
 password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+
 - name: Set up Cosign
 uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+
 - name: Determine Architecture
 run: |
 echo "TAG=$(git rev-parse --short HEAD)-$(arch)" >> "$GITHUB_ENV"
+
 - name: Build and push
 id: build-and-push
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
@@ -51,6 +55,7 @@ jobs:
 push: true
 tags: oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder:${{ env.TAG }}
 provenance: false
+
 - name: Sign the published builder image
 shell: bash
 env:
@@ -60,28 +65,33 @@ jobs:
 # This generates a signature and publishes it to the registry, next to the image
 # Uses the keyless signing flow with Github Actions as identity provider
 cosign sign -y "oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder@$DIGEST"
+
 create_manifest:
+ name: Create and Push Image Index Manifest
+ needs: ["build"]
 permissions:
 id-token: write
+ runs-on: ubuntu-latest
 strategy:
 fail-fast: false
 matrix:
 ubi-version: ["ubi9"]
- runs-on: ubuntu-latest
- needs: ["build"]
 steps:
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
+
 - name: Login to Stackable Harbor
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: oci.stackable.tech
 username: robot$sdp+github-action-build
 password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+
 - name: Set up Cosign
 uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+
- - name: Build Manifest List
+ - name: Create and Push Image Index Manifest
 shell: bash
 run: |
 COMMIT_ID=$(git rev-parse --short HEAD)