Migrate examples to docker/build-push-action@v4

Updates to docker/build-push-action@v4 whilst also fixing an
issue introduced by this new version, referenced on

docker/build-push-action#755 (comment)

Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>

posts/2023-01-25-sbom-in-github-actions.md

@@ -174,11 +174,12 @@ jobs:
           registry: ghcr.io
 
       - name: Publish image
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           build-args: |
             GitCommit=${{ github.sha }}
           outputs: "type=registry,push=true"
+          provenance: false
           tags: |
             ghcr.io/alexellis/gha-sbom:${{ github.sha }}
 ```
@@ -190,7 +191,7 @@ To generate an SBOM, we just need to update the `docker/build-push-action` to us
 ```yaml
       - name: Local build
         id: local_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           sbom: true
           provenance: false

posts/2023-02-01-multi-arch-docker-github-actions.md

@@ -215,9 +215,10 @@ jobs:
 
       - name: Release build
         id: release_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           outputs: "type=registry,push=true"
+          provenance: false
 +         platforms: linux/amd64,linux/arm/v6,linux/arm64
           build-args: |
             Version=${{  env.TAG }}
@@ -234,7 +235,7 @@ You'll see that we added a `Setup mirror` step, this explained in the [Registry
 
 The `docker/setup-qemu-action@v2` step is responsible for setting up QEMU, which is used to emulate the different CPU architectures.
 
-The `docker/build-push-action@v3` step is responsible for passing in a number of platform combinations such as: `linux/amd64` for cloud, `linux/arm64` for Arm servers and `linux/arm/v6` for Raspberry Pi.
+The `docker/build-push-action@v4` step is responsible for passing in a number of platform combinations such as: `linux/amd64` for cloud, `linux/arm64` for Arm servers and `linux/arm/v6` for Raspberry Pi.
 
 ## What if you're not using GitHub Actions?
 

posts/2023-03-24-how-to-run-multi-arch-builds-natively.md

@@ -89,7 +89,7 @@ jobs:
 
       - name: Release build
         id: release_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           outputs: "type=registry,push=true"
           platforms: linux/amd64,linux/arm64
@@ -98,6 +98,7 @@ jobs:
           build-args: |
             Version=dev
             GitCommit=${{ github.sha }}
+          provenance: false
           tags: |
             ghcr.io/${{ env.REPO_OWNER }}/inlets-operator:${{ github.sha }}-qemu
 ```
@@ -173,12 +174,13 @@ jobs:
 
       - name: Release build
         id: release_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           outputs: "type=registry,push=true"
           platforms: linux/amd64
           file: ./Dockerfile
           context: .
+          provenance: false
           build-args: |
             Version=dev
             GitCommit=${{ github.sha }}
@@ -222,12 +224,13 @@ Then we have the arm64 build which is almost identical, but we specify a differe
 
       - name: Release build
         id: release_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v4
         with:
           outputs: "type=registry,push=true"
           platforms: linux/arm64
           file: ./Dockerfile
           context: .
+          provenance: false
           build-args: |
             Version=dev
             GitCommit=${{ github.sha }}
@@ -278,6 +281,8 @@ Note that this is just an example at the moment, but I could make a custom compo
       platforms: amd64,arm64
 ```
 
+As a final note, we recently saw that with upgrading from `docker/build-push-action@v3` to `docker/build-push-action@v4`, buildx no longer publishes an image, but a manifest for each architecture. This is because a new "provenance" feature is enabled which under the hood is publishing multiple artifacts instead of a single image. We've turned this off with `provenance: false` and [are awaiting a response from Docker](https://github.com/docker/build-push-action/issues/755#issuecomment-1607792956) on how to enable provenance for multi-arch images built with a split build.
+
 ## Wrapping up
 
 Yesterday we took a new customer on for actuated who wanted to improve the speed of Arm builds, but on the call we both knew they would need to leave QEMU behind. I put this write-up together to show what would be involved, and I hope it's useful to you.