From 7891372d4ac9de8cf5c6b67892c80c57dfd8d352 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 31 Aug 2025 22:05:12 +0000 Subject: [PATCH 1/2] build(deps): bump actions/attest-build-provenance Bumps the github-actions group with 1 update in the / directory: [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance). Updates `actions/attest-build-provenance` from 2.4.0 to 3.0.0 - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/e8998f949152b193b063cb0ec769d69d929409be...977bb373ede98d70efdf65b84cb5f73e068dcc2a) --- updated-dependencies: - dependency-name: actions/attest-build-provenance dependency-version: 3.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0e661ed9b..c4d10f7f4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,7 +21,7 @@ jobs: - uses: actions/checkout@v5 - uses: ./.github/actions/build-distribution - name: generate build provenance - uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: subject-path: "${{ github.workspace }}/build/dist/elastic-apm-python-lambda-layer.zip" @@ -43,7 +43,7 @@ jobs: - uses: actions/checkout@v5 - uses: ./.github/actions/packages - name: generate build provenance - uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: subject-path: "${{ github.workspace }}/dist/*" @@ -160,7 +160,7 @@ jobs: AGENT_DIR=./build/dist/package/python - name: generate build provenance (containers) - uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0 + uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 with: subject-name: "${{ env.DOCKER_IMAGE_NAME }}" subject-digest: ${{ steps.docker-push.outputs.digest }} From 9cb4f407fd74507bd009f3f2bece956c400efd4a Mon Sep 17 00:00:00 2001 From: "fr4nc1sc0.r4m0n" Date: Mon, 1 Sep 2025 19:14:10 +0200 Subject: [PATCH 2/2] Start using major version for trusted action attest-build-provenance --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c4d10f7f4..9d7617267 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,7 +21,7 @@ jobs: - uses: actions/checkout@v5 - uses: ./.github/actions/build-distribution - name: generate build provenance - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + uses: actions/attest-build-provenance@v3 with: subject-path: "${{ github.workspace }}/build/dist/elastic-apm-python-lambda-layer.zip" @@ -43,7 +43,7 @@ jobs: - uses: actions/checkout@v5 - uses: ./.github/actions/packages - name: generate build provenance - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + uses: actions/attest-build-provenance@v3 with: subject-path: "${{ github.workspace }}/dist/*" @@ -160,7 +160,7 @@ jobs: AGENT_DIR=./build/dist/package/python - name: generate build provenance (containers) - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 + uses: actions/attest-build-provenance@v3 with: subject-name: "${{ env.DOCKER_IMAGE_NAME }}" subject-digest: ${{ steps.docker-push.outputs.digest }}