🛠️ DAT-19435: add provenance: false

[sayaliM0412]

• This pull request includes changes to the .github/workflows/deploy-extension-to-marketplace.yml file to disable the generation of provenance attestation in two job steps.
• AWS Marketplace listing scanners currently do not support images with attestation layers. They are working on a fix to ignore these layers. In the meanwhile we need to pass provenance:false.
• What is provenance attestation: In the context of Docker builds and container supply chains, provenance attestations refer to metadata that describes how, when, and by whom a container image or artifact was created. Read more about it here: https://docs.docker.com/build/metadata/attestations/slsa-provenance/

Changes to deployment workflow:

• Modified the condition for the build job to correctly compare the dry_run input as a string.
• Added the provenance: false configuration to disable the generation of provenance attestation in two places within the build job.

[StevenMassaro]

AWS Marketplace listing scanners currently do not support images with attestation layers.

This doesn't make sense to me. We have previously published docker images built with this workflow to the AWS marketplace. Is this a new change from AWS?

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sayaliM0412]

AWS Marketplace listing scanners currently do not support images with attestation layers.

This doesn't make sense to me. We have previously published docker images built with this workflow to the AWS marketplace. Is this a new change from AWS?

I have already reached out them with the same question.