From d0e6b76a54e91dff8d908a6dc09632fdc62b2454 Mon Sep 17 00:00:00 2001
From: Taylor Ludwig
Date: Thu, 21 Aug 2025 13:15:08 -0700
Subject: [PATCH 1/2] cant get digest or build provenance for containers when snapshot builds dont publish to registry
---
 .github/workflows/go-build-release.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/go-build-release.yml b/.github/workflows/go-build-release.yml
index f487f9b..23a2657 100644
--- a/.github/workflows/go-build-release.yml
+++ b/.github/workflows/go-build-release.yml
@@ -137,6 +137,7 @@ jobs:
 - name: Process GoReleaser output
 id: process_goreleaser_output
+ if: ${{ !contains(steps.snapshot_flags.outputs.flags, '--snapshot') }}
 run: |
 echo "const fs = require('fs');" > process.js
 echo 'const artifacts = ${{ steps.goreleaser.outputs.artifacts }}' >> process.js
@@ -152,7 +153,7 @@ jobs:
 subject-path: ${{ inputs.attestation-binary-path }}
 - name: Generate build provenance for container
- if: ${{ steps.process_goreleaser_output.outputs.digest != '' && steps.process_goreleaser_output.outputs.digest != 'undefined' }}
+ if: ${{ !contains(steps.snapshot_flags.outputs.flags, '--snapshot') && steps.process_goreleaser_output.outputs.digest != '' && steps.process_goreleaser_output.outputs.digest != 'undefined' }}
 uses: actions/attest-build-provenance@v1
 with:
 subject-name: ${{ inputs.registry-name }}
From d977f8eb85aa8c9db655bfd4ca5a1dd01c4bb06e Mon Sep 17 00:00:00 2001
From: Taylor Ludwig
Date: Thu, 21 Aug 2025 13:28:36 -0700
Subject: [PATCH 2/2] update readme for new tag
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index bd2bfbd..eb05dc3 100644
--- a/README.md
+++ b/README.md
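Review bot: The context line `echo 'const artifacts = ${{ steps.goreleaser.outputs.artifacts }}' >> process.js` in the "Process GoReleaser output" step expands the GoReleaser output into the script text before the shell runs, so a single quote anywhere in that JSON (an artifact name or path, for example) ends the quoted string and the remainder is parsed as shell. The added `if:` only narrows when the step runs; it does not change the interpolation. Passing the value through the step environment avoids this: add `env:` with `GORELEASER_ARTIFACTS: ${{ steps.goreleaser.outputs.artifacts }}` to the step and have the script read `JSON.parse(process.env.GORELEASER_ARTIFACTS)`. The rest of the `run:` block is outside the hunk, so any other `${{ }}` expansions there should be checked the same way.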
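Review bot: On a non-snapshot release the `if:` on "Generate build provenance for container" still skips the attestation silently when `digest` is empty or `'undefined'`, so an image can be published without provenance while the job stays green. If every release that sets `inputs.registry-name` is expected to push an image (not visible in this hunk), consider a preceding step that fails the job in that case instead of skipping. The added `!contains(...)` clause looks redundant, because a skipped `process_goreleaser_output` step yields an empty `digest` output and `digest != ''` is already false; it is harmless, but a comment such as `# snapshot builds do not push, so there is no digest to attest` would explain why it is there. Separately, `actions/attest-build-provenance@v1` is a mutable tag; pinning it as `actions/attest-build-provenance@<full-commit-sha> # v1` would follow the README's own advice. The step's `with:` block continues past the end of the hunk.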
@@ -20,7 +20,7 @@ Use major version tags for stability:
 # For reusable workflows
 jobs:
 release:
- uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v3.1
+ uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v3.2
 ```
 Pin a commit SHA internally for maximum supply‑chain safety if desired.
@@ -49,7 +49,7 @@ on:
 jobs:
 release:
- uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v3.1
+ uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v3.2
 with:
 pre-build-commands: |
 go install github.com/swaggo/swag/cmd/swag@latest