
fix: upgrade Alpine and Go to resolve trivy issues#1786

Merged
Nandu-pns merged 2 commits into main from pns/fix-trivy-issues
Feb 16, 2026

Conversation

Contributor

@Nandu-pns Nandu-pns commented Feb 12, 2026

Jira - https://new-relic.atlassian.net/browse/NR-520529

Trivy scan results after updating the Alpine version


Trivy scan results after updating Go version ( Test performed locally )


Tests performed with the changes



CLAassistant commented Feb 12, 2026

CLA assistant check
All committers have signed the CLA.

@Nandu-pns Nandu-pns merged commit 206fc47 into main Feb 16, 2026
29 checks passed
@Nandu-pns Nandu-pns deleted the pns/fix-trivy-issues branch February 16, 2026 14:07
pranav-new-relic added a commit that referenced this pull request Feb 16, 2026
The release workflow failed with a Docker manifest error when trying to
create multi-platform manifests. The error message indicated that the
individual platform-specific images (e.g., newrelic/cli:v0.106.23-amd64)
were already manifest lists, preventing goreleaser from combining them
into the final multi-arch manifest.

Root cause:
- Alpine 3.21 (floating tag) introduced changes in manifest handling
- goreleaser v1.15.2 + Docker buildx interaction with multi-platform
  base images can result in platform-specific builds retaining manifest
  list metadata instead of being pure single-platform images

Fix:
- Pin Alpine to specific patch version 3.21.3
- This ensures consistent manifest structure and resolves the buildx
  manifest list propagation issue

Error from failed release:
⨯ release failed after 24s error=docker manifests: failed to publish
artifacts: failed to create newrelic/cli:v0.106.23: exit status 1:
docker.io/newrelic/cli:v0.106.23-amd64@sha256:... is a manifest list

Related: PR #1786 (Alpine upgrade from 3.20.3 to 3.21)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
pranav-new-relic added a commit that referenced this pull request Feb 16, 2026
Root Cause Analysis:
The release workflow has been failing since v0.106.23 with the error:
'docker.io/newrelic/cli:vX.X.X-amd64@sha256:... is a manifest list'

This error occurs when goreleaser tries to create multi-platform Docker
manifests by combining what it expects to be single-platform images
(e.g., -amd64, -arm64 suffixed tags). However, the individual platform
images themselves are manifest lists, causing the failure.

Root Cause:
Between the last successful release (v0.106.22 on Jan 27) and the failed
releases, GitHub Actions runners were updated with newer versions of
Docker buildx. Recent buildx versions (v0.10+) automatically add build
attestations (provenance and SBOM metadata) to images by default. These
attestations are stored as separate manifest entries, converting even
single-platform builds into manifest lists.

When goreleaser's docker_manifests step tries to combine these
attestation-containing images into a final multi-arch manifest, Docker
rejects it because you cannot create a manifest list from other manifest
lists - they must be combined from individual platform manifests.

Why Alpine change seemed related:
The Alpine upgrade PR (#1786) was coincidentally merged around the same
time GitHub updated their runner images with newer buildx. This made it
appear that Alpine 3.21 was the cause, but the Alpine version was not
the actual issue. Both Alpine 3.20.3 and 3.21.x work fine.

Fix:
Added '--provenance=false' flag to both amd64 and arm64 Docker builds in
.goreleaser.yml. This disables attestation generation, ensuring buildx
produces true single-platform images that can be properly combined into
multi-arch manifests.

Also reverted Alpine to 3.20.3 (last known working version) as a safety
measure, though this is not strictly necessary for the fix.

Alternative fixes considered:
1. Upgrading goreleaser to v2.x (would require more testing)
2. Using '--output type=docker' (less portable)
3. Disabling buildx entirely (loses multi-platform support)

References:
- Docker buildx provenance: https://docs.docker.com/build/attestations/
- goreleaser Docker builds: https://goreleaser.com/customization/docker/
- Related issue: goreleaser/goreleaser#4089

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
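Both commit messages above hinge on one observable fact: the per-arch tags that goreleaser feeds to docker_manifests were themselves manifest lists (OCI image indexes) rather than single-platform manifests, and the later root-cause analysis attributes that to buildx attaching provenance/SBOM attestations as extra index entries. The following Go program is an added example, not code from the newrelic/cli repository or from goreleaser, that shows what such an index looks like and how a release pre-flight step can tell an attestation-wrapped single-platform build from a genuine multi-arch index before docker_manifests runs. It assumes the caller obtains the raw manifest JSON for a tag with `docker buildx imagetools inspect --raw <ref>` (or a registry API call); the two JSON documents embedded here are constructed samples with placeholder digests. The media types and the `vnd.docker.reference.type: attestation-manifest` annotation with an `unknown/unknown` platform are what buildx emits for attestation entries; `Classify`, `Verdict` and `Report` are names invented for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Media types of an index (manifest list). Anything else at the top level
// is a single-platform image manifest, which is what docker_manifests needs.
const (
	mtOCIIndex   = "application/vnd.oci.image.index.v1+json"
	mtDockerList = "application/vnd.docker.distribution.manifest.list.v2+json"
	// Annotation buildx places on provenance/SBOM entries inside an index.
	annRefType      = "vnd.docker.reference.type"
	attestationType = "attestation-manifest"
)

type platform struct {
	Architecture string `json:"architecture"`
	OS           string `json:"os"`
}

type descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Platform    *platform         `json:"platform,omitempty"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// topLevel covers both document kinds; only an index carries "manifests".
type topLevel struct {
	MediaType string       `json:"mediaType"`
	Manifests []descriptor `json:"manifests,omitempty"`
}

// Report is what a release pre-flight check needs to know about one tag.
type Report struct {
	IsIndex      bool     // tag resolves to a manifest list, not an image
	Platforms    []string // os/arch of real image entries, e.g. "linux/amd64"
	Attestations int      // provenance/SBOM entries (platform unknown/unknown)
}

// Classify parses the raw manifest JSON returned for a tag and separates
// real platform entries from buildx attestation entries.
func Classify(raw []byte) (Report, error) {
	var doc topLevel
	if err := json.Unmarshal(raw, &doc); err != nil {
		return Report{}, fmt.Errorf("parse manifest: %w", err)
	}
	r := Report{}
	if doc.MediaType != mtOCIIndex && doc.MediaType != mtDockerList {
		return r, nil // plain image manifest: safe input for a manifest list
	}
	r.IsIndex = true
	for _, d := range doc.Manifests {
		if d.Annotations[annRefType] == attestationType {
			r.Attestations++ // lookup on a nil map is fine in Go
			continue
		}
		if d.Platform != nil {
			r.Platforms = append(r.Platforms, d.Platform.OS+"/"+d.Platform.Architecture)
		}
	}
	return r, nil
}

// Verdict gives the one-line reason a release job should log for a per-arch
// tag before trying to nest it in the final multi-arch manifest.
func Verdict(r Report) string {
	switch {
	case !r.IsIndex:
		return "single-platform manifest: can be combined into a manifest list"
	case r.Attestations > 0 && len(r.Platforms) == 1:
		return fmt.Sprintf("manifest list created by buildx attestations (%d wrapping %s): rebuild with --provenance=false",
			r.Attestations, r.Platforms[0])
	default:
		return fmt.Sprintf("manifest list with platforms [%s]: cannot be nested in another manifest list",
			strings.Join(r.Platforms, ", "))
	}
}

// Constructed sample: a single linux/amd64 build published by buildx with
// provenance enabled. Digests are placeholders, not real images.
const attestedAmd64 = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:aaaa", "size": 1234,
     "platform": {"architecture": "amd64", "os": "linux"}},
    {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:bbbb", "size": 567,
     "platform": {"architecture": "unknown", "os": "unknown"},
     "annotations": {"vnd.docker.reference.digest": "sha256:aaaa",
                     "vnd.docker.reference.type": "attestation-manifest"}}
  ]
}`

// Constructed sample: the same build with --provenance=false.
const plainAmd64 = `{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {"mediaType": "application/vnd.oci.image.config.v1+json", "digest": "sha256:cccc", "size": 100},
  "layers": []
}`

func main() {
	for name, raw := range map[string]string{"attested": attestedAmd64, "plain": plainAmd64} {
		r, err := Classify([]byte(raw))
		if err != nil {
			fmt.Println(name, err)
			continue
		}
		fmt.Printf("%s: %s\n", name, Verdict(r))
	}
}
```

Run against a real tag by piping `docker buildx imagetools inspect --raw newrelic/cli:<version>-amd64` into `Classify`; a verdict mentioning `--provenance=false` reproduces the failure mode in the root-cause analysis, while the default branch of `Verdict` flags a per-arch tag that is already a genuine multi-arch index, which no buildx flag will fix.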