https://github.com/dependabot/cli/attestations has attestations only for executables within archives, even though the intent in the workflow seems to be to provide them for archives, too:
|
- uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.3.3 |
|
with: |
|
subject-path: | |
|
${{ steps.go_release.outputs.release_asset_dir }}/* |
|
dependabot-${{ github.ref_name}}-${{ matrix.goos }}-${{ matrix.goarch }}.tar.gz |
|
dependabot-${{ github.ref_name}}-${{ matrix.goos }}-${{ matrix.goarch }}.zip |
Maybe the archive artifact names in subject-path are not correct?
https://github.com/dependabot/cli/attestations has attestations only for executables within archives, even though the intent in the workflow seems to be to provide them for archives, too:
cli/.github/workflows/release.yml
Lines 40 to 45 in f12cbee
Maybe the archive artifact names in
subject-pathare not correct?