From 6593a17aea360944e90a93238ad8a7866881b9ae Mon Sep 17 00:00:00 2001 From: Mathias Beaulieu-Duncan Date: Mon, 2 Feb 2026 10:40:49 -0500 Subject: [PATCH] Switch provenance back to mode=max for Docker Scout compliance Attestations are stored as separate manifests in the OCI index, not in the image layers. Docker pull only fetches the platform manifest, so mode=max does not affect actual pull size. Docker Scout requires max mode for full compliance. Co-Authored-By: Claude Opus 4.5 --- .gitea/workflows/publish.yaml | 2 +- .gitea/workflows/rebuild.yaml | 2 +- .gitea/workflows/update-check.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.gitea/workflows/publish.yaml b/.gitea/workflows/publish.yaml
index 9dd4d65..deb1601 100644
--- a/.gitea/workflows/publish.yaml
+++ b/.gitea/workflows/publish.yaml
@@ -125,7 +125,7 @@ jobs:
 file: /tmp/Dockerfile
 push: true
 sbom: true
- provenance: mode=min
+ provenance: mode=max
 tags: |
 ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }}
 ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}
diff --git a/.gitea/workflows/rebuild.yaml b/.gitea/workflows/rebuild.yaml
index 629a015..144a2b0 100644
--- a/.gitea/workflows/rebuild.yaml
+++ b/.gitea/workflows/rebuild.yaml
@@ -117,7 +117,7 @@ jobs:
 file: /tmp/Dockerfile
 push: true
 sbom: true
- provenance: mode=min
+ provenance: mode=max
 tags: |
 ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
 ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}
diff --git a/.gitea/workflows/update-check.yaml b/.gitea/workflows/update-check.yaml
index 875fb48..030c685 100644
--- a/.gitea/workflows/update-check.yaml
+++ b/.gitea/workflows/update-check.yaml
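Review bot: With `provenance: mode=max` in the publish.yaml hunk (and the identical line in the rebuild.yaml and update-check.yaml hunks), the attestation pushed next to the image records build-argument values and the Dockerfile/build definition, which `mode=min` left out. Anyone who can read the registry can fetch that attestation manifest, so a credential passed through a build argument would become readable there; the step's other inputs lie outside the hunk, so whether any are passed needs confirming. Pass such values as build secrets (secret mounts) instead of build arguments, and record the constraint above the line, e.g. `# mode=max records build-arg values and the Dockerfile in the attestation; never pass secrets as build args`.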
@@ -205,7 +205,7 @@ jobs:
 file: /tmp/Dockerfile
 push: true
 sbom: true
- provenance: mode=min
+ provenance: mode=max
 tags: |
 ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
 ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}