diff --git a/main.go b/main.go
index 43370c3..0d531e7 100644
--- a/main.go
+++ b/main.go
@@ -163,7 +163,21 @@ func run(cfg *config) error {
 }
 logStep(cfg, "Building Docker...")
- if err := runCommandStreaming(cfg.workdir, "docker", "build", "--platform", "linux/amd64", "-t", imageTag, "."); err != nil {
+ // Use `docker buildx build` with provenance/SBOM attestations disabled so the
+ // pushed artifact is a single image manifest rather than an OCI image index
+ // that references separate attestation manifests. When attestations are on
+ // (the BuildKit default since Docker 23+), GCR ends up with an orphan parent
+ // index that holds references to the child manifest, which then causes
+ // `gcloud container images delete` during cleanup to fail with:
+ // "Manifest is still referenced by one or more parent images".
+ if err := runCommandStreaming(cfg.workdir, "docker", "buildx", "build",
+ "--platform", "linux/amd64",
+ "--provenance=false",
+ "--sbom=false",
+ "--load",
+ "-t", imageTag,
+ ".",
+ ); err != nil {
 return fmt.Errorf("docker build: %w", err)
 }
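Review bot: The `--provenance=false` and `--sbom=false` flags on the new `docker buildx build` call remove build attestations from every image this tool pushes, and the added comment explains the GCR cleanup failure but not that supply-chain cost. Any downstream consumer that expects to verify provenance or read an SBOM for these images will find none, so the trade-off should be recorded next to the flags, for example `// NOTE: images are pushed without provenance/SBOM attestations; revisit if a consumer needs to verify them.` As far as I know only the provenance attestation is enabled by default in recent BuildKit and SBOM generation is opt-in, so the comment's "attestations are on (the BuildKit default since Docker 23+)" wording may overstate it and is worth confirming. The call also now depends on the buildx plugin being present while the wrapped error still reads `docker build:`; `run` begins and ends outside this hunk, so whether that is checked elsewhere cannot be seen from here.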