From 9e93d026027441a04d5038ba7b1af2224796c689 Mon Sep 17 00:00:00 2001
From: Mathias Beaulieu-Duncan
Date: Mon, 2 Feb 2026 10:36:43 -0500
Subject: [PATCH] Switch provenance from mode=max to mode=min to reduce image size
mode=max embeds full build logs and environment as attestation layers, roughly doubling the reported image size. mode=min still satisfies provenance compliance with minimal metadata overhead.
Co-Authored-By: Claude Opus 4.5
---
 .gitea/workflows/publish.yaml | 2 +-
 .gitea/workflows/rebuild.yaml | 2 +-
 .gitea/workflows/update-check.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.gitea/workflows/publish.yaml b/.gitea/workflows/publish.yaml
index d3b5c45..9ad1a6e 100644
--- a/.gitea/workflows/publish.yaml
+++ b/.gitea/workflows/publish.yaml
@@ -126,7 +126,7 @@ jobs:
 file: /tmp/Dockerfile
 push: true
 sbom: true
- provenance: mode=max
+ provenance: mode=min
 tags: |
 ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.tag.outputs.suffix }}
 ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}
diff --git a/.gitea/workflows/rebuild.yaml b/.gitea/workflows/rebuild.yaml
index e37da6f..e8a0ddf 100644
--- a/.gitea/workflows/rebuild.yaml
+++ b/.gitea/workflows/rebuild.yaml
@@ -118,7 +118,7 @@ jobs:
 file: /tmp/Dockerfile
 push: true
 sbom: true
- provenance: mode=max
+ provenance: mode=min
 tags: |
 ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
 ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}
diff --git a/.gitea/workflows/update-check.yaml b/.gitea/workflows/update-check.yaml
index a228280..b80b194 100644
--- a/.gitea/workflows/update-check.yaml
+++ b/.gitea/workflows/update-check.yaml
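Review bot: `provenance: mode=min` removes the build-definition part of the attestation (the LLB steps, the Dockerfile information and the source maps) for an image built from `file: /tmp/Dockerfile`, a path outside the checkout. If that Dockerfile is generated earlier in the job, which the hunk does not show, the `mode=max` record was probably the only signed copy of what was built, so a consumer can still check the build's materials and source revision but no longer how the image was assembled. The same line changes in rebuild.yaml and update-check.yaml, and in each case the step's `with:` block starts outside the hunk. Provenance and the SBOM are stored as a separate attestation manifest in the image index, not as layers of the runnable image, so it is worth confirming that the registry's reported size rather than the pulled size is the concern. I would add a comment above the line, `# mode=min: no LLB/Dockerfile record in provenance; use mode=max if consumers verify build steps`, and keep the rendered Dockerfile as a build artifact.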
@@ -208,7 +208,7 @@ jobs:
 file: /tmp/Dockerfile
 push: true
 sbom: true
- provenance: mode=max
+ provenance: mode=min
 tags: |
 ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-latest
 ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.version_tag }}