fix: goreleaser distroless failing

[SoulPancake]

Description

stackoverflow thread

What problem is being solved?

How is it being solved?

What changes are made to solve it?

References

Review Checklist

• I have clicked on "allow edits by maintainers".
• I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
• The correct base branch is being used, if not main
• I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

• Chores
  • Updated Docker build configuration for amd64 and arm64 architectures.

[dosubot]

Related Documentation

Checked 8 published document(s) in 1 knowledge base(s). No updates required.

^{How did I do? Any feedback?}  

[coderabbitai]

Walkthrough

Adds the --provenance=false flag to Docker build configurations for amd64 and arm64 architectures in the goreleaser configuration file. This disables OCI provenance generation during the Docker image build process.

Changes

Cohort / File(s)	Summary
Build Configuration .goreleaser.yaml	Inserts --provenance=false flag into build_flag_templates for both amd64 and arm64 Docker builds, alongside existing --pull and platform flags.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested reviewers

• rhamzeh

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title refers to goreleaser and distroless but doesn't specifically communicate the actual change: adding the OCI provenance flag (--provenance=false) to docker builds.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/goreleaser-multiplatform

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR fixes a goreleaser build failure related to distroless Docker images by disabling Docker buildx's built-in provenance attestation. The repository handles provenance separately through SLSA GitHub workflows, so the built-in provenance needs to be disabled to avoid conflicts with distroless base images.

Changes:

• Added --provenance=false flag to both amd64 and arm64 Docker build configurations
• Added --pull flag to arm64 Docker build configuration (was already present in amd64)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The arm64 Docker build configuration is missing the OCI image labels that are present in the amd64 configuration. The amd64 build includes labels for created date, title, revision, and version (lines 47-50), but these are absent from the arm64 build. This creates an inconsistency between the two image variants and means the arm64 images will lack important metadata.

Suggested change

	- "--provenance=false"
	- "--provenance=false"
	- "--label=org.opencontainers.image.created={{.Date}}"
	- "--label=org.opencontainers.image.title={{.ProjectName}}"
	- "--label=org.opencontainers.image.revision={{.FullCommit}}"
	- "--label=org.opencontainers.image.version={{.Version}}"

[Copilot]

The PR title follows the conventional commit format "fix: goreleaser distroless failing", but the PR description is empty. For better maintainability, the description should explain what problem was being solved (the distroless build failing), how it's being solved (by disabling Docker buildx provenance attestation), and why this solution works. This would help future maintainers understand the context of this change.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.goreleaser.yaml:
- Around line 67-70: The arm64 build_flag_templates block is missing the four
OCI label flags present in the amd64 section; update the arm64
build_flag_templates (the entry containing "--platform=linux/arm64", "--pull",
"--provenance=false") to include the same labels as the amd64 block:
--label=org.opencontainers.image.created={{.Date}},
--label=org.opencontainers.image.title={{.ProjectName}},
--label=org.opencontainers.image.revision={{.FullCommit}}, and
--label=org.opencontainers.image.version={{.Version}} so that
architecture-specific images have the same OCI metadata.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

arm64 build_flag_templates is missing all four OCI label flags present in the amd64 section.

The amd64 section (lines 47–50) defines:

--label=org.opencontainers.image.created={{.Date}}
--label=org.opencontainers.image.title={{.ProjectName}}
--label=org.opencontainers.image.revision={{.FullCommit}}
--label=org.opencontainers.image.version={{.Version}}

None of these are present in the arm64 section. Since this PR is adding flags directly to the arm64 build_flag_templates, the missing labels should be added here as well. The arch-specific arm64 images (e.g., openfga/cli:v1.2.3-arm64) pushed to Docker Hub will be missing standard OCI metadata that tooling, vulnerability scanners, and registries rely on for image provenance and tracking.

🔧 Proposed fix — add missing OCI labels to arm64 section

     build_flag_templates:
       - "--platform=linux/arm64"
       - "--pull"
       - "--provenance=false"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	build_flag_templates:
	- "--platform=linux/arm64"
	- "--pull"
	- "--provenance=false"
	build_flag_templates:
	- "--platform=linux/arm64"
	- "--pull"
	- "--provenance=false"
	- "--label=org.opencontainers.image.created={{.Date}}"
	- "--label=org.opencontainers.image.title={{.ProjectName}}"
	- "--label=org.opencontainers.image.revision={{.FullCommit}}"
	- "--label=org.opencontainers.image.version={{.Version}}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.goreleaser.yaml around lines 67 - 70, The arm64 build_flag_templates block
is missing the four OCI label flags present in the amd64 section; update the
arm64 build_flag_templates (the entry containing "--platform=linux/arm64",
"--pull", "--provenance=false") to include the same labels as the amd64 block:
--label=org.opencontainers.image.created={{.Date}},
--label=org.opencontainers.image.title={{.ProjectName}},
--label=org.opencontainers.image.revision={{.FullCommit}}, and
--label=org.opencontainers.image.version={{.Version}} so that
architecture-specific images have the same OCI metadata.

[rhamzeh]

Oof this is hard - I don't know if I'm good with this. The industry is moving towards provenance for good reason. I feel we'd be taking a big step back here.

Let's take a bit to assess, if this is the only choice, I'd rather revert the other PR, but we can discuss that.