From ea1ec90965ff972aea99dafe068aaf41986ccd29 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Mon, 23 Jun 2025 12:00:53 +0200
Subject: [PATCH 1/2] chore(ci): Add intoto bnndle intoto bundle to the release
---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5d4b20ab7a..b40669ecdc 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -85,9 +85,12 @@ jobs:
 # rename attest bundle to github-aws-runners-terraform-aws-github-runner-attestation-$attestation-id.sigstore
 # OpenSSF expects the attestation bundle to be named in this format (*.sigstore)
 SIGSTORE_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.sigstore
+ INTOTO_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.intoto.json
 mv ${ATTESTATION_BUNDLE} $SIGSTORE_BUNDLE
 if [ -z "$SIGSTORE_BUNDLE" ]; then
 echo "No attestation bundle found, skipping attachment."
 exit 0
 fi
 gh release upload $TAG_NAME "$SIGSTORE_BUNDLE"
+ cat ${SIGSTORE_BUNDLE} | jq -r '.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq .> ${INTOTO_BUNDLE}
+ gh release upload $TAG_NAME "${INTOTO_BUNDLE}"
From 4cc1b9fbc6b57aae5d128d582a658b6c2e7acb75 Mon Sep 17 00:00:00 2001
From: Niek Palm
Date: Mon, 23 Jun 2025 12:53:28 +0200
Subject: [PATCH 2/2] Update .github/workflows/release.yml
Co-authored-by: Ron <45816308+rjaegers@users.noreply.github.com>
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b40669ecdc..d70f0a60a7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
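Review bot: The added `cat ${SIGSTORE_BUNDLE} | jq -r … | base64 -d | jq .> ${INTOTO_BUNDLE}` line can leave an empty file that the following `gh release upload` still publishes: if the `select` on `payloadType` matches nothing, every stage exits 0, and whether a failing earlier stage aborts the step depends on `pipefail`, which is set outside this hunk. Guard the upload with `[ -s "$INTOTO_BUNDLE" ] || { echo "no in-toto payload in bundle" >&2; exit 1; }` and quote the expansions in the pipeline. I would also add a comment such as `# decoded DSSE payload only; it carries no signature, verify against the .sigstore bundle`, so nobody treats this asset as verifiable on its own. The existing `[ -z "$SIGSTORE_BUNDLE" ]` test in the context lines cannot fire, since the variable was just assigned a path and `mv` has already run. The step's script starts and ends outside the hunk.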
@@ -85,7 +85,7 @@ jobs:
 # rename attest bundle to github-aws-runners-terraform-aws-github-runner-attestation-$attestation-id.sigstore
 # OpenSSF expects the attestation bundle to be named in this format (*.sigstore)
 SIGSTORE_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.sigstore
- INTOTO_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.intoto.json
+ INTOTO_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.intoto.jsonl
 mv ${ATTESTATION_BUNDLE} $SIGSTORE_BUNDLE
 if [ -z "$SIGSTORE_BUNDLE" ]; then
 echo "No attestation bundle found, skipping attachment."
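Review bot: The new `.intoto.jsonl` name promises JSON Lines, one document per line, but the file is written by `jq .` in the first patch of this series, which pretty-prints across several lines. Changing that writer to `jq -c . > "${INTOTO_BUNDLE}"` keeps the content consistent with the extension; a consumer that reads `*.intoto.jsonl` line by line would otherwise probably fail to parse it. The writing line lies outside this hunk.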