fix: resolve release workflow warnings (tar failures, deprecated attest-sbom) (#990)

* Initial plan

* fix: resolve all 7 release workflow warnings

- Remove duplicate apt cache steps causing tar exit code 2 failures
- Consolidate graphviz into initial apt-get install step
- Replace deprecated actions/attest-sbom@v4.0.0 with actions/attest@v4.1.0
- Change pull_request_target to pull_request in labeler.yml

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>

* fix: revert labeler to pull_request_target and improve readability

- Keep pull_request_target for fork PR labeling support
- Break long apt-get install into readable multi-line format

Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>

Author: Copilot

.github/workflows/release.yml

@@ -50,18 +50,12 @@ jobs:
           echo "version=${VERSION}" >> $GITHUB_OUTPUT
           echo "Version: ${VERSION}"
 
-      - name: Cache apt packages
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
-        with:
-          path: /var/cache/apt/archives
-          key: ${{ runner.os }}-apt-${{ hashFiles('.github/workflows/release.yml') }}
-          restore-keys: |
-            ${{ runner.os }}-apt-
-
       - name: Setup display and dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y xvfb libgtk2.0-0 libgtk-3-0 libgbm-dev libnotify-dev libnss3 libxss1 libasound2t64 libxtst6 xauth
+          sudo apt-get install -y \
+            xvfb libgtk2.0-0 libgtk-3-0 libgbm-dev libnotify-dev \
+            libnss3 libxss1 libasound2t64 libxtst6 xauth graphviz
           sudo mkdir -p /var/run/dbus
           sudo dbus-daemon --system --fork
 
@@ -116,20 +110,6 @@ jobs:
         env:
           CYPRESS_VIDEO: false
 
-      - name: Cache GraphViz packages
-        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
-        with:
-          path: /var/cache/apt/archives
-          key: ${{ runner.os }}-apt-graphviz-${{ hashFiles('.github/workflows/release.yml') }}
-          restore-keys: |
-            ${{ runner.os }}-apt-graphviz-
-            ${{ runner.os }}-apt-
-
-      - name: Install GraphViz
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y graphviz
-
       # Run tests with coverage
       - name: Run tests with coverage
         run: npm run coverage
@@ -271,10 +251,11 @@ jobs:
 
       - name: Generate SBOM attestation
         id: attestsbom
-        uses: actions/attest-sbom@07e74fc4e78d1aad915e867f9a094073a9f71527 # v4.0.0
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
         with:
           subject-path: cia-compliance-manager-${{ needs.prepare.outputs.version }}.zip
-          sbom-path: cia-compliance-manager-${{ needs.prepare.outputs.version }}.spdx.json
+          predicate-type: 'https://spdx.dev/Document'
+          predicate-path: cia-compliance-manager-${{ needs.prepare.outputs.version }}.spdx.json
 
       - name: Copy SBOM attestation for zip
         run: cp ${{ steps.attestsbom.outputs.bundle-path }} cia-compliance-manager-${{ needs.prepare.outputs.version }}.spdx.json.intoto.jsonl