From a441017fc6a6eb1dd0fa397bf101bb61de5dc0b1 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Mon, 26 Jan 2026 09:29:16 +0100
Subject: [PATCH] don't inline provenance in min mode

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/bake.yml  | 5 ++---
 .github/workflows/build.yml | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml
index 709ebd4..1575a25 100644
--- a/.github/workflows/bake.yml
+++ b/.github/workflows/bake.yml
@@ -612,9 +612,8 @@ jobs:
             await core.group(`Set bake overrides`, async () => {
               bakeOverrides.push('*.tags=');
               if (GitHub.context.payload.repository?.private ?? false) {
-                // if this is a private repository, we set the default provenance
-                // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
-                bakeOverrides.push('*.attest=type=provenance,mode=min,inline-only=true,version=v1');
+                // if this is a private repository, we set min provenance mode
+                bakeOverrides.push('*.attest=type=provenance,mode=min,version=v1');
               } else {
                 // for a public repository, we set max provenance mode
                 bakeOverrides.push('*.attest=type=provenance,mode=max,version=v1');
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 08dd418..33786d7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -535,9 +535,8 @@ jobs:
             core.setOutput('labels', inpLabels.join('\n'));
             
             if (GitHub.context.payload.repository?.private ?? false) {
-              // if this is a private repository, we set the default provenance
-              // attributes being set in buildx: https://github.com/docker/buildx/blob/fb27e3f919dcbf614d7126b10c2bc2d0b1927eb6/build/build.go#L603
-              core.setOutput('provenance', 'mode=min,inline-only=true,version=v1');
+              // if this is a private repository, we set min provenance mode
+              core.setOutput('provenance', 'mode=min,version=v1');
             } else {
               // for a public repository, we set max provenance mode
               core.setOutput('provenance', 'mode=max,version=v1');