docker-bake.hcl: emit attestation manifests as OCI artifacts (set oci-artifact=true) #436

@gbartolini

Description

Images published by this repo carry SBOM and SLSA provenance attestations (attest = ["type=provenance,mode=max", "type=sbom"] in docker-bake.hcl). However, the resulting attestation manifests are emitted in BuildKit's legacy Docker format rather than as OCI 1.1 artifacts.

As a result, the attestations are not discoverable through the OCI Referrers API, as they are missing both artifactType and the subject backlink to the parent image manifest.

Same issue and fix as in cloudnative-pg/cloudnative-pg#10601 and cloudnative-pg/postgres-extensions-containers#198.

How to verify

The index references the attestation manifests with the legacy Docker annotations (vnd.docker.reference.{digest,type}) and architecture: unknown placeholders, instead of OCI 1.1 referrers:

  $ docker buildx imagetools inspect --raw ghcr.io/cloudnative-pg/postgresql:18-minimal-trixie
  {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
      {
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": "sha256:b87c274ecf7efee1877c8c5a4788c428f42eea3c5cfd33079272c597160802a1",
        "size": 1946,
        "platform": { "architecture": "amd64", "os": "linux" }
      },
      {
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": "sha256:996d2122e4e4899ca976fde7f774932365d29d5cc56ba44ec6cc25c10097a9f0",
        "size": 1946,
        "platform": { "architecture": "arm64", "os": "linux" }
      },
      {
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": "sha256:808d6200741269a215925b71c363f9082e72982f851783816dc778affcd1430d",
        "size": 839,
        "annotations": {
          "vnd.docker.reference.digest": "sha256:b87c274ecf7efee1877c8c5a4788c428f42eea3c5cfd33079272c597160802a1",
          "vnd.docker.reference.type": "attestation-manifest"
        },
        "platform": { "architecture": "unknown", "os": "unknown" }
      },
      {
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "digest": "sha256:50b8a2cdb9c727c477ff358585ec87448f4135e5a73b402b33bc131c2f8db993",
        "size": 839,
        "annotations": {
          "vnd.docker.reference.digest": "sha256:996d2122e4e4899ca976fde7f774932365d29d5cc56ba44ec6cc25c10097a9f0",
          "vnd.docker.reference.type": "attestation-manifest"
        },
        "platform": { "architecture": "unknown", "os": "unknown" }
      }
    ]
  }

The attestation manifest itself (digest ending in b993) is missing both artifactType and subject:

  $ docker buildx imagetools inspect --raw ghcr.io/cloudnative-pg/postgresql:18-minimal-trixie@sha256:50b8a2cdb9c727c477ff358585ec87448f4135e5a73b402b33bc131c2f8db993
  {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {
      "mediaType": "application/vnd.oci.image.config.v1+json",
      "digest": "sha256:be045a773a5008202071a16607335e7ffb2c64c5ceccd945ab43ad956cd4c339",
      "size": 241
    },
    "layers": [
      {
        "mediaType": "application/vnd.in-toto+json",
        "digest": "sha256:2cfea57a862eb6263e488cffc7e47fdbd8300ab68fcbc4b6ee4ffd3437e3380c",
        "size": 4361481,
        "annotations": { "in-toto.io/predicate-type": "https://spdx.dev/Document" }
      },
      {
        "mediaType": "application/vnd.in-toto+json",
        "digest": "sha256:56853fb72f77ed70525ba222d6178b16b0df689672f2d483e7a0831bf6eb4c68",
        "size": 19307,
        "annotations": { "in-toto.io/predicate-type": "https://slsa.dev/provenance/v1" }
      }
    ]
  }

Note the absence of artifactType and subject at the top level (these are exactly what the Referrers API needs).
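As an added check (not part of the issue or of the repository's own tooling), the script below applies the verification described above to a constructed index and attestation manifest: it flags attestation manifests that lack the top-level artifactType and subject the Referrers API needs. All digests, sizes and the SAMPLE_* documents are constructed placeholders modelled on the output quoted in the issue; fetching real manifests from a registry is left to the caller.

```python
LEGACY_TYPE = "vnd.docker.reference.type"
LEGACY_DIGEST = "vnd.docker.reference.digest"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"

# Constructed digests standing in for the real ones quoted in the issue.
IMG = "sha256:" + "a1" * 32   # amd64 image manifest
ATT = "sha256:" + "b2" * 32   # its attestation manifest

# Constructed index modelled on the `imagetools inspect --raw` output above:
# the attestation is referenced with legacy annotations and an 'unknown' platform.
SAMPLE_INDEX = {"schemaVersion": 2, "manifests": [
    {"mediaType": OCI_MANIFEST, "digest": IMG, "size": 1946,
     "platform": {"architecture": "amd64", "os": "linux"}},
    {"mediaType": OCI_MANIFEST, "digest": ATT, "size": 839,
     "annotations": {LEGACY_DIGEST: IMG, LEGACY_TYPE: "attestation-manifest"},
     "platform": {"architecture": "unknown", "os": "unknown"}},
]}

# The attestation manifest as currently published: in-toto layers only,
# with no artifactType and no subject at the top level.
SAMPLE_MANIFESTS = {ATT: {"schemaVersion": 2, "mediaType": OCI_MANIFEST, "layers": [
    {"mediaType": "application/vnd.in-toto+json", "digest": "sha256:" + "d4" * 32,
     "size": 19307, "annotations": {"in-toto.io/predicate-type": "https://slsa.dev/provenance/v1"}},
]}}

def is_attestation_descriptor(desc):
    """Legacy BuildKit attestations carry the reference.type annotation
    and an 'unknown' platform placeholder in the index."""
    ann, plat = desc.get("annotations", {}), desc.get("platform", {})
    return ann.get(LEGACY_TYPE) == "attestation-manifest" or plat.get("architecture") == "unknown"

def referrer_problems(manifest, image_digests):
    """List what keeps `manifest` out of the Referrers API ([] means discoverable)."""
    problems = []
    if not manifest.get("artifactType"):
        problems.append("missing artifactType")
    subject = manifest.get("subject") or {}
    if not subject.get("digest"):
        problems.append("missing subject")
    elif subject["digest"] not in image_digests:
        problems.append("subject does not reference an image manifest in the index")
    return problems

def audit_index(index, manifests):
    """Map each attestation digest in the index to its referrer problems.
    `manifests` is digest -> parsed manifest (a registry GET in practice)."""
    descs = index["manifests"]
    images = {d["digest"] for d in descs if not is_attestation_descriptor(d)}
    return {d["digest"]: referrer_problems(manifests[d["digest"]], images)
            for d in descs if is_attestation_descriptor(d)}
```

Running audit_index on the constructed sample reports the same two gaps the issue points out for the real image; a manifest carrying artifactType and a subject whose digest matches a platform manifest in the index passes cleanly.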

Labels: enhancement, security 👮
Status: Todo