From 1ef54a9bf35f37325524ed2101f4b860b9c05e38 Mon Sep 17 00:00:00 2001
From: Daniel Young <9008637+YoungDan@users.noreply.github.com>
Date: Fri, 29 May 2026 13:25:50 +0200
Subject: [PATCH] ci: bump slsa-github-generator to v2.1.0

v2.0.0 still uses the actions/artifact v3 backend, which GitHub shut down in Jan 2025; the provenance upload-assets step fails with an empty UNTRUSTED_PATH so no .intoto.jsonl is attached to the release. v2.1.0 migrated to artifact v4 and fixes the attachment.
---
 .github/workflows/release.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0399437..fdb7cb3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -216,8 +216,10 @@ jobs:
 actions: read
 id-token: write
 contents: write
- # Reusable workflow pinned to slsa-github-generator v2.0.0.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
+ # Reusable workflow pinned to slsa-github-generator v2.1.0.
+ # v2.1.0 migrated to actions/artifact v4; v2.0.0 fails to attach the
+ # provenance after the artifact-v3 backend shutdown (empty UNTRUSTED_PATH).
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
 with:
 base64-subjects: ${{ needs.hashes.outputs.hashes }}
 upload-assets: true
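Review bot: The new `uses:` line keeps pinning the generator by commit SHA, which may be a separate cause of missing or unverifiable provenance, independent of the artifact-v3 shutdown. As far as I recall, the slsa-github-generator README requires its reusable workflows to be referenced by a full `@vX.Y.Z` tag so that the builder ref can be resolved and checked by slsa-verifier; please confirm this against the upstream README. If it holds, the line should read `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0`, with a comment explaining why this one `uses:` is deliberately not SHA-pinned so a later hardening pass does not re-pin it. Since the failure described here was silent (a release published without its `.intoto.jsonl`), a follow-up job that fails the release when the provenance asset is absent or does not verify would catch a recurrence. The job this hunk belongs to starts and ends outside the hunk, so its `needs:` and the `hashes` output could not be checked.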