ci(ubi-rust-builder): Disable provenance generation (#1427)

* ci(ubi-rust-builder): Disable provenance generation

This fixes the image build failures occurring since the last couple
of days. The issue itself is caused by provenance generation, which
produces an image index manifest instead of an image manifest as
before. This then causes the `docker manifest create` command to
fail, because it cannot create index manifests out of other index
manifests, only normal image manifests.

It seems like that a newer Docker version enabled provenance
generation by default. This GHA workflow does NOT pin the exact
docker (and builder) version we use, which seems like the reason
why this issue started popping up without any changes to the
workflow or the Dockerfile for these images. Going forward, we
should pin the exact Docker version we want to use. This will
be done in a separate PR.

For now we chose to disable provenance entirely even though we
want to use it in general. However, we decided to deal with this
once we start to actively work on provenance across our platform.

* chore: Reorder keys and add blank lines

Author: Techassi

.github/workflows/ubi-rust-builder.yml

@@ -21,27 +21,31 @@ jobs:
   build:
     permissions:
       id-token: write
+    runs-on: ${{ matrix.runner }}
     strategy:
       fail-fast: false
       matrix:
         runner: ["ubuntu-latest", "ubicloud-standard-8-arm-ubuntu-2404"]
         ubi-version: ["ubi9"]
-    runs-on: ${{ matrix.runner }}
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
+
       - name: Login to Stackable Harbor
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: oci.stackable.tech
           username: robot$sdp+github-action-build
           password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+
       - name: Set up Cosign
         uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
+
       - name: Determine Architecture
         run: |
           echo "TAG=$(git rev-parse --short HEAD)-$(arch)" >> "$GITHUB_ENV"
+
       - name: Build and push
         id: build-and-push
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
@@ -50,6 +54,8 @@ jobs:
           file: ./${{ matrix.ubi-version }}-rust-builder/Dockerfile
           push: true
           tags: oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder:${{ env.TAG }}
+          provenance: false
+
       - name: Sign the published builder image
         shell: bash
         env:
@@ -59,28 +65,33 @@ jobs:
           # This generates a signature and publishes it to the registry, next to the image
           # Uses the keyless signing flow with Github Actions as identity provider
           cosign sign -y "oci.stackable.tech/sdp/${{ matrix.ubi-version }}-rust-builder@$DIGEST"
+
   create_manifest:
+    name: Create and Push Image Index Manifest
+    needs: ["build"]
     permissions:
       id-token: write
+    runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         ubi-version: ["ubi9"]
-    runs-on: ubuntu-latest
-    needs: ["build"]
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
+
       - name: Login to Stackable Harbor
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:
           registry: oci.stackable.tech
           username: robot$sdp+github-action-build
           password: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
+
       - name: Set up Cosign
         uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1
-      - name: Build Manifest List
+
+      - name: Create and Push Image Index Manifest
         shell: bash
         run: |
           COMMIT_ID=$(git rev-parse --short HEAD)