diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 216e5c8..4aa9c62 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -174,7 +174,7 @@ jobs:
 # index digest and stored as an OCI referrer alongside it (verifiable with
 # `gh attestation verify oci://...`). Same mechanism as the binaries below.
 - name: Attest image provenance
- uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+ uses: actions/attest@a1948c3f048ba23858d222213b7c278aabede763 # v4.1.1
 with:
 subject-name: ghcr.io/rite-ly/rite
 subject-digest: ${{ steps.image.outputs.digest }}
@@ -267,7 +267,7 @@ jobs:
 # raw build outputs) means each subject digest matches what a user downloads, so
 # `gh attestation verify --repo rite-ly/rite` succeeds on the artefact itself.
 - name: Attest release artifacts
- uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+ uses: actions/attest@a1948c3f048ba23858d222213b7c278aabede763 # v4.1.1
 with:
 subject-path: release/*