The attestation step targets GHCR, but docker/build-push-action exposes the digest for the first image produced by docker/metadata-action. The previous doc snippet listed Docker Hub first, so the attestation attempted to fetch a Docker Hub digest from GHCR, resulting in 404.

Why:

Closes: #40291

docker/build-push-action exposes a single digest output. In practice, that digest aligns with the first image target from the tags generated by docker/metadata-action.
In the original file, Docker Hub (lindon18/glu) was listed before GHCR. The attestation then tried to fetch that digest on GHCR, which did not exist yet → 404.

Error excerpt:

Error: OCIError: Error uploading artifact to container registry
Error: Error fetching https://ghcr.io/v2/glu-lang/glu/manifests/sha256:91bc8e85a2ba...
expected 200, received 404

Run: https://github.com/glu-lang/glu/actions/runs/17557475866/job/49865233829

What's being changed (if available, include any code snippets, screenshots, or gifs):

Fix

Reverse the images order so GHCR comes first. This makes ${{ steps.push.outputs.digest }} point to a manifest that exists on GHCR when the attestation runs.

Minimal diff

- images: |
- my-docker-hub-namespace/my-docker-hub-repository
- ghcr.io/${{ github.repository }}
+ images: |
+ ghcr.io/${{ github.repository }}
+ my-docker-hub-namespace/my-docker-hub-repository

Why it works

• The digest now references the GHCR artifact.
• actions/attest-build-provenance@v2 can fetch the manifest. No more 404.
• Images are still pushed to both registries.

Check off the following:

• A subject matter expert (SME) has reviewed the technical accuracy of the content in this PR. In most cases, the author can be the SME. Open source contributions may require an SME review from GitHub staff.
• The changes in this PR meet the docs fundamentals that are required for all content.
• All CI checks are passing and the changes look good in the review environment.