diff --git a/.github/workflows/update_docker.yml b/.github/workflows/update_docker.yml
index 1e8a56a..09f7aa6 100644
--- a/.github/workflows/update_docker.yml
+++ b/.github/workflows/update_docker.yml
@@ -25,18 +25,22 @@ jobs:
         include:
           - os: "ubuntu"
             release: "jammy"
+            platforms: "linux/amd64,linux/arm64" # linux/riscv64 is on hold - checked 2024-06-06 and it's not at https://hub.docker.com/_/ubuntu/tags?page=&page_size=&ordering=&name=jammy
             cache-from: "type=gha,scope=docker_build_jammy" # all-automatic GitHub Actions caching
             cache-to: "type=gha,scope=docker_build_jammy,mode=max" # all-automatic GitHub Actions caching, max mode
           - os: "debian"
             release: "bookworm"
+            platforms: "linux/amd64,linux/arm64" # linux/riscv64 is on hold - checked 2024-06-06 and it's not at https://hub.docker.com/_/debian/tags?page=&page_size=&ordering=&name=bookworm
             cache-from: "" # no caching
             cache-to: "" # no caching
           - os: "debian"
             release: "sid"
+            platforms: "linux/amd64,linux/arm64" # sid has linux/riscv64, but it doesn't carry packages we need yet (rpardini 2024-06-06)
             cache-from: "" # no caching
             cache-to: "" # no caching
           - os: "ubuntu"
             release: "noble"
+            platforms: "linux/amd64,linux/arm64" # linux/riscv64 is on hold - checked 2024-06-06 and it's not at https://hub.docker.com/_/ubuntu/tags?page=&page_size=&ordering=&name=noble
             cache-from: "type=gha,scope=docker_build_noble" # all-automatic GitHub Actions caching
             cache-to: "type=gha,scope=docker_build_noble,mode=max" # all-automatic GitHub Actions caching, max mode
     name: "${{ matrix.release }} (${{ matrix.os }})"
@@ -96,8 +100,10 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
+          provenance: false # until ghcr.io doesn't show provenance attestations properly, it reports an unknown/unknown "arch" instead. disable
+          sbom: false # no SBOM for now, ghcr.io doesn't support it and pukes
           file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64 # arm64 is done under qemu and is _very_ slow. Thanks, GitHub!
+          platforms: "${{ matrix.platforms }}"
           pull: true # Pull new version of base image, always; avoid bit-rot
           push: true
           labels: |
@@ -126,8 +132,10 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
+          provenance: false # until ghcr.io doesn't show provenance attestations properly, it reports an unknown/unknown "arch" instead. disable
+          sbom: false # no SBOM for now, ghcr.io doesn't support it and pukes
           file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64 # arm64 is done under qemu and is _very_ slow. Thanks, GitHub!
+          platforms: "${{ matrix.platforms }}"
           pull: false # Don't pull when retrying
           push: true
           labels: |