fix: GHCR attestation example by listing GHCR first in metadata images

[LindonAliu]

The attestation step targets GHCR, but docker/build-push-action exposes the digest for the first image produced by docker/metadata-action. The previous doc snippet listed Docker Hub first, so the attestation attempted to fetch a Docker Hub digest from GHCR, resulting in 404.

Why:

Closes: #40291

docker/build-push-action exposes a single digest output. In practice, that digest aligns with the first image target from the tags generated by docker/metadata-action.
In the original file, Docker Hub (lindon18/glu) was listed before GHCR. The attestation then tried to fetch that digest on GHCR, which did not exist yet → 404.

Error excerpt:

Error: OCIError: Error uploading artifact to container registry
Error: Error fetching https://ghcr.io/v2/glu-lang/glu/manifests/sha256:91bc8e85a2ba...
expected 200, received 404

Run: https://github.com/glu-lang/glu/actions/runs/17557475866/job/49865233829

What's being changed (if available, include any code snippets, screenshots, or gifs):

Fix

Reverse the images order so GHCR comes first. This makes ${{ steps.push.outputs.digest }} point to a manifest that exists on GHCR when the attestation runs.

Minimal diff

-          images: |
-            my-docker-hub-namespace/my-docker-hub-repository
-            ghcr.io/${{ github.repository }}
+          images: |
+            ghcr.io/${{ github.repository }}
+            my-docker-hub-namespace/my-docker-hub-repository

Why it works

• The digest now references the GHCR artifact.
• actions/attest-build-provenance@v2 can fetch the manifest. No more 404.
• Images are still pushed to both registries.

Check off the following:

• A subject matter expert (SME) has reviewed the technical accuracy of the content in this PR. In most cases, the author can be the SME. Open source contributions may require an SME review from GitHub staff.
• The changes in this PR meet the docs fundamentals that are required for all content.
• All CI checks are passing and the changes look good in the review environment.

[welcome]

Thanks for opening this pull request! A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

[Copilot]

Pull Request Overview

This PR fixes a Docker attestation issue in the GitHub Actions workflow example by reordering the image list in the metadata action. The problem occurred because the attestation step targets GHCR but was trying to fetch a Docker Hub digest, resulting in a 404 error.

Key changes:

• Reorders the image list in docker/metadata-action to prioritize GHCR over Docker Hub
• Ensures the digest output from docker/build-push-action points to an existing GHCR manifest

[github-actions]

How to review these changes 👓

Thank you for your contribution. To review these changes, choose one of the following options:

• Spin up a codespace
• Set up a local development environment

A Hubber will need to deploy your changes internally to review.

Table of review links

Note: Please update the URL for your staging server or codespace.

The table shows the files in the content directory that were changed in this pull request. This helps you review your changes on a staging server. Changes to the data directory are not included in this table.

Source	Review	Production	What Changed
actions/tutorials/publish-packages/publish-docker-images.md	fpt ghec ghes@ 3.17 3.16 3.15 3.14	fpt ghec ghes@ 3.17 3.16 3.15 3.14

Key: fpt: Free, Pro, Team; ghec: GitHub Enterprise Cloud; ghes: GitHub Enterprise Server

🤖 This comment is automatically generated.

[Sharra-writes]

@LindonAliu Thanks for opening a PR and issue! I'll get an SME to review it and get back to you.

[Moradjan]