From 60365ef47e241c9699cc80402015958c12a4ee66 Mon Sep 17 00:00:00 2001 From: Rhuan Barreto Date: Mon, 18 May 2026 22:12:09 +0200 Subject: [PATCH] fix(ci): revert SLSA reusable workflow to tag pin Renovate PR #284 re-pinned the SLSA generator to a SHA digest, breaking provenance generation on the v0.37.0 release. The SLSA generator's generate-builder.sh rejects non-tag refs. This is the same fix as #250. A Renovate exclusion rule has been added to archgate/renovate-config (PR #10) to prevent recurrence. Ref: slsa-framework/slsa-github-generator#150 Signed-off-by: Rhuan Barreto --- .github/workflows/release-binaries.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index e229f253..e8052ad8 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -166,7 +166,7 @@ jobs: # generate-builder.sh extracts the version from the ref to download the builder # binary from a GitHub release and rejects non-tag refs. See CI-001 exception # and slsa-framework/slsa-github-generator#150. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 with: base64-subjects: "${{ needs.combine-hashes.outputs.digests }}" upload-assets: true