From 2c518bbd70ce63d1ae8683c0e506ac75829643c0 Mon Sep 17 00:00:00 2001
From: Kane Zhu <843303+zxkane@users.noreply.github.com>
Date: Thu, 27 Nov 2025 18:53:39 +0800
Subject: [PATCH] fix(docker): add --provenance=false --sbom=false for Lambda
 compatibility

Docker BuildKit (especially with docker-container driver) may create
OCI image manifests with attestations that AWS Lambda does not support.
Lambda requires Docker V2 Schema 2 format without multi-manifest index.

This fix ensures the build script generates Lambda-compatible images
regardless of the user's Docker/BuildKit configuration.

Fixes #206
---
 scripts/push-to-ecr.sh | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/scripts/push-to-ecr.sh b/scripts/push-to-ecr.sh
index 2f2d633..b3fa76e 100755
--- a/scripts/push-to-ecr.sh
+++ b/scripts/push-to-ecr.sh
@@ -78,7 +78,19 @@ build_and_push_image() {
     echo "Building $IMAGE_NAME:$TAG..."
 
     # Build Docker image
-    docker buildx build --platform linux/$ARCH -t $IMAGE_NAME:$TAG -f $DOCKERFILE_PATH --load ../src/
+    # Note: --provenance=false and --sbom=false are required for Lambda compatibility
+    # Without these flags, Docker BuildKit (especially with docker-container driver) may create
+    # OCI image manifests with attestations that AWS Lambda does not support.
+    # Lambda requires Docker V2 Schema 2 format without multi-manifest index.
+    # See: https://github.com/aws-samples/bedrock-access-gateway/issues/206
+    docker buildx build \
+        --platform linux/$ARCH \
+        --provenance=false \
+        --sbom=false \
+        -t $IMAGE_NAME:$TAG \
+        -f $DOCKERFILE_PATH \
+        --load \
+        ../src/
 
     # Get the account ID
     ACCOUNT_ID=$(aws sts get-caller-identity --region $REGION --query Account --output text)