Fix gh attestation download: remove unsupported --format flag (#380)

* Initial plan

* Fix gh attestation download command by removing unsupported --format flag

Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

* Fix attestation file lookup to use glob pattern instead of direct digest

Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>

* Update .github/workflows/release.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Devanarayanan <fusion@devakesu.com>

* Update .github/workflows/release.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Devanarayanan <fusion@devakesu.com>

---------

Signed-off-by: Devanarayanan <fusion@devakesu.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: devakesu <61821107+devakesu@users.noreply.github.com>
Co-authored-by: Devanarayanan <fusion@devakesu.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

.github/workflows/release.yml

@@ -338,11 +338,30 @@ jobs:
             
             if gh attestation download \
               oci://ghcr.io/${{ github.repository_owner }}/${{ steps.prep.outputs.image_name }}@${{ steps.build-push.outputs.digest }} \
-              --owner ${{ github.repository_owner }} \
-              --format json > provenance.intoto.json; then
-              echo "✓ SLSA provenance attestation downloaded successfully"
-              ls -lh provenance.intoto.json
-              exit 0
+              --owner ${{ github.repository_owner }}; then
+              # gh attestation download creates a file named after the digest (e.g., sha256:abc123.jsonl or sha256-abc123.jsonl on Windows)
+              # Find and rename it to a consistent name for easier reference, without using ls|head under set -euo pipefail
+              shopt -s nullglob
+              digest_files=(sha256*.jsonl)
+              if [ ${#digest_files[@]} -gt 0 ]; then
+                DIGEST_FILE="${digest_files[0]}"
+              else
+                DIGEST_FILE=""
+              fi
+              if [ -n "$DIGEST_FILE" ]; then
+                mv "$DIGEST_FILE" provenance.intoto.jsonl
+                echo "✓ SLSA provenance attestation downloaded successfully"
+                ls -lh provenance.intoto.jsonl
+                exit 0
+              else
+                echo "⚠ Could not find downloaded attestation file"
+                echo "Current directory contents:"
+                ls -la
+                echo "Waiting ${SLEEP_TIME}s before retry..."
+                sleep $SLEEP_TIME
+                ATTEMPT=$((ATTEMPT + 1))
+                continue
+              fi
             else
               echo "⚠ Download failed, waiting ${SLEEP_TIME}s before retry..."
               sleep $SLEEP_TIME
@@ -443,7 +462,7 @@ jobs:
           sha256sum sbom.json.bundle >> checksums.txt
           echo "" >> checksums.txt
           echo "## SLSA Provenance Attestation" >> checksums.txt
-          sha256sum provenance.intoto.json >> checksums.txt
+          sha256sum provenance.intoto.jsonl >> checksums.txt
           echo "" >> checksums.txt
           echo "Generated at: $(date -u +'%Y-%m-%d %H:%M:%S UTC')" >> checksums.txt
           echo "" >> checksums.txt
@@ -458,7 +477,7 @@ jobs:
             sbom.json
             sbom.json.bundle
             checksums.txt
-            provenance.intoto.json
+            provenance.intoto.jsonl
 
   # Create GitHub Release with artifacts
   create-github-release:
@@ -645,7 +664,7 @@ jobs:
             ./artifacts/sbom.json.bundle \
             ./artifacts/checksums.txt \
             ./artifacts/VERIFY.md \
-            ./artifacts/provenance.intoto.json \
+            ./artifacts/provenance.intoto.jsonl \
             --draft=false
 
   # Deploy to production after successful release creation