As of Buildx 0.10, images are built with provenance -- this behavior is opt-out, and can be disabled with `--provenance=false` if using the `buildx build` CLI, or `provenance: false` if using `docker/build-push-action`.
Images built with these default attestations that use the attestation storage from buildkit cannot be run on Google Cloud Run or AWS Lambda. While both Cloud Run and Lambda support the OCI format, they do not support multi-platform images.
From Google Cloud Run docs (emphasis mine):
> Cloud Run accepts container images in the Docker Image Manifest V2, Schema 1, Schema 2, and OCI image formats.
>
> Manifest lists used for Multi-Architecture Images are not supported.

Note: Cloud Run has now added support for processing image indexes: #1533 (comment).

From Lambda docs (emphasis mine):
> Lambda provides multi-architecture base images. However, the image you build for your function must target only one of the architectures. Lambda does not support functions that use multi-architecture container images.
Ideally, GCR and Lambda should support multi-platform images, and detect the current platform from the Docker manifest list / OCI index.
As a temporary workaround (in order of preference):
- Users should set `--provenance=false` on `buildx build`, or set `provenance: false` on `docker/build-push-action`
- Users can force an explicit buildx version to v0.9.1
- Users can force an explicit buildkit version to v0.10
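
To check before deploying whether a pushed tag is an index only because of its attestation, the following added example (not part of the original issue or of any Docker tooling) classifies the raw top-level manifest, as printed by `docker buildx imagetools inspect --raw <image>`. The function name, sample documents and digests are constructed; the `vnd.docker.reference.type` annotation is the one BuildKit's attestation storage puts on attestation manifests.

```python
import json

INDEX_TYPES = {
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
}

def classify(raw: str) -> dict:
    """Classify the raw top-level manifest of an image reference."""
    doc = json.loads(raw)
    # Some OCI indexes omit mediaType; a "manifests" array also marks an index.
    is_index = doc.get("mediaType") in INDEX_TYPES or "manifests" in doc
    platforms, attestations = [], []
    for desc in doc.get("manifests", []):
        ann = desc.get("annotations") or {}
        if ann.get("vnd.docker.reference.type") == "attestation-manifest":
            attestations.append(desc["digest"])  # stored with platform unknown/unknown
        else:
            p = desc.get("platform") or {}
            platforms.append(f"{p.get('os', '?')}/{p.get('architecture', '?')}")
    return {
        "is_index": is_index,
        "platforms": platforms,
        "attestations": attestations,
        # One runnable image plus attestations: the index exists only
        # because of provenance, so --provenance=false yields a plain manifest.
        "index_only_from_attestations":
            is_index and len(platforms) == 1 and bool(attestations),
    }

# Constructed samples: digests are placeholders, not real images.
IMG, ATT = "sha256:" + "a" * 64, "sha256:" + "b" * 64
WITH_PROVENANCE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": IMG,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": ATT,
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest",
                         "vnd.docker.reference.digest": IMG}},
    ],
})
WITHOUT_PROVENANCE = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"digest": IMG}, "layers": [],
})
```

A result with `index_only_from_attestations` set means the image targets a single platform and is rejected only by runtimes that refuse indexes outright.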