From 9e1749bc4de155896343b654dddb787c02d1e5e2 Mon Sep 17 00:00:00 2001
From: teriusu
Date: Wed, 6 May 2026 11:20:50 +0900
Subject: [PATCH] fix: disable buildx attestations to prevent orphan parent index in GCR

Modern Docker (BuildKit / buildx default) generates provenance and SBOM attestations on every build. The pushed artifact is then an OCI image index referencing the actual image manifest plus attestation manifests. GCR retains the parent index even after its tag is overwritten by the next push, leaving it as an orphan that still references the previous child manifest. When crunchy later tries to delete old image digests during cleanup, gcloud rejects the delete with HTTP 400: Manifest is still referenced by one or more parent images: failed precondition manifest has referenced parents Switch to `docker buildx build` with `--provenance=false` and `--sbom=false` so each build produces a plain single-manifest image, eliminating the orphan parent index entirely. `--load` keeps the existing two-step build/push flow so digest parsing from `docker push` output is unchanged. Affects every consumer of crunchy (oxus, ozon, finals, starrail, ...).
---
 main.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/main.go b/main.go
index 43370c3..0d531e7 100644
--- a/main.go
+++ b/main.go
@@ -163,7 +163,21 @@ func run(cfg *config) error {
 }
 logStep(cfg, "Building Docker...")
- if err := runCommandStreaming(cfg.workdir, "docker", "build", "--platform", "linux/amd64", "-t", imageTag, "."); err != nil {
+ // Use `docker buildx build` with provenance/SBOM attestations disabled so the
+ // pushed artifact is a single image manifest rather than an OCI image index
+ // that references separate attestation manifests. When attestations are on
+ // (the BuildKit default since Docker 23+), GCR ends up with an orphan parent
+ // index that holds references to the child manifest, which then causes
+ // `gcloud container images delete` during cleanup to fail with:
+ // "Manifest is still referenced by one or more parent images".
+ if err := runCommandStreaming(cfg.workdir, "docker", "buildx", "build",
+ "--platform", "linux/amd64",
+ "--provenance=false",
+ "--sbom=false",
+ "--load",
+ "-t", imageTag,
+ ".",
+ ); err != nil {
 return fmt.Errorf("docker build: %w", err)
 }
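Review bot: The `--provenance=false` and `--sbom=false` flags added to the `runCommandStreaming` call strip build attestations from every image this tool pushes, and the new comment gives the GCR cleanup reason but not that trade-off. I would extend the comment with a line such as `// NOTE: images are pushed without provenance/SBOM attestations; consumers that verify them need another source.` so a later maintainer does not assume attestations exist. The call now also depends on the buildx plugin being installed, while the wrapped error still reads `docker build`; `return fmt.Errorf("docker buildx build: %w", err)` would make a missing-plugin failure easier to recognise. The body of `run` starts and ends outside this hunk, so whether `cfg` could carry an opt-in for attestations is not visible here.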