You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Upstream has consolidated attest* actions in a single GHA and others are just a passthrough. We should consolidate those and use supported action: https://github.com/actions/attest
PR Review: Move away from deprecated attest action
Gather context and read changed files
Run static analysis checks
Review code changes
Post review feedback
Summary
Static analysis:go build, go vet, and go mod tidy all pass cleanly — no Go code changes in this PR, as expected.
Overall: Good housekeeping PR. The migration from actions/attest-build-provenance@v4 → actions/attest@v4 is straightforward, and the trailing whitespace cleanup is a nice touch.
One concern to verify: The SBOM attestation steps (both in binary_provenance.yml and docker.yml) previously used actions/attest-sbom@v4 which had a native sbom-path input. The consolidated actions/attest@v4 action may not support sbom-path directly — it may require predicate-path + predicate-type instead. Please verify this against the actions/attest README. I've left inline comments on the specific lines.
If actions/attest@v4 does support sbom-path as a passthrough/alias, then this PR is good to go as-is.
What's good
Clean 1:1 migration with no logic changes
Whitespace/trailing space cleanup included
Fixes missing newline at end of file in binary_provenance.yml
mbevc1
changed the title
chore: move away from deprecated attest action
chore: move away from deprecated GHA for attest
Mar 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
mbevc1
changed the title
Upstream has consolidated
attest*actions in a single GHA and others are just a passthrough. We should consolidate those and use supported action: https://github.com/actions/attest