From 93fa8c6420f113df03d105f9600113f6b7af7ad8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Jun 2026 06:16:10 +0000 Subject: [PATCH] ci(deps): bump actions/attest Bumps [actions/attest](https://github.com/actions/attest) from 109298582bf81ad578b4e72f0f0893b095a4a135 to a1948c3f048ba23858d222213b7c278aabede763. - [Release notes](https://github.com/actions/attest/releases) - [Changelog](https://github.com/actions/attest/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest/compare/109298582bf81ad578b4e72f0f0893b095a4a135...a1948c3f048ba23858d222213b7c278aabede763) --- updated-dependencies: - dependency-name: actions/attest dependency-version: a1948c3f048ba23858d222213b7c278aabede763 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fce07f8..aebc3d1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: Release +name: Release # Best practice 2026: Trigger on GitHub Release "published" event. # This is more secure than pushing tags directly because: @@ -80,7 +80,7 @@ jobs: # Optional but recommended in 2026: Generate SLSA-style provenance - name: Generate artifact attestation - uses: actions/attest@109298582bf81ad578b4e72f0f0893b095a4a135 + uses: actions/attest@a1948c3f048ba23858d222213b7c278aabede763 with: subject-path: dist/${{ matrix.artifact }}