fix: remove provenance/sbom from per-platform builds, clean up Dockerfile

publish.yml:
- Set provenance: false and sbom: false in per-platform build jobs
  (provenance with push-by-digest produces index digests that break
  the multi-arch manifest merge)
- Remove redundant push: true (already set in outputs)

Dockerfile:
- Remove redundant apt-mark manual ca-certificates (already manual
  from explicit install)
- Clean up PGDG source list and keyring after build
- Remove redundant || exit 1 from HEALTHCHECK

Author: naorpeled

.github/workflows/publish.yml

@@ -61,10 +61,9 @@ jobs:
         uses: docker/build-push-action@v7
         with:
           context: .
-          push: true
           platforms: ${{ matrix.platform }}
-          provenance: true
-          sbom: true
+          provenance: false
+          sbom: false
           labels: ${{ steps.meta.outputs.labels }}
           build-args: |
             PG_VERSION=${{ matrix.pg_version }}

Dockerfile

@@ -40,7 +40,6 @@ RUN set -eux \
     && cd /usr/src/pgvector \
     && make \
     && make install \
-    && apt-mark manual ca-certificates \
     && apt-get purge -y --auto-remove \
         build-essential \
         git \
@@ -51,12 +50,14 @@ RUN set -eux \
         lsb-release \
         gnupg \
     && apt-get clean \
-    && rm -rf /var/lib/apt/lists/* /usr/src/pgvector
+    && rm -rf /var/lib/apt/lists/* /usr/src/pgvector \
+        /etc/apt/sources.list.d/pgdg.list \
+        /usr/share/keyrings/postgresql-archive-keyring.gpg
 
 # Copy initialization scripts
 COPY docker-entrypoint-initdb.d/ /docker-entrypoint-initdb.d/
 
 HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
-    CMD pg_isready -U postgres || exit 1
+    CMD pg_isready -U postgres
 
 EXPOSE 5432