
ci: Change to attest action and fix SBOM generator path#713

Merged
askpt merged 5 commits into main from askpt/issue712
Mar 6, 2026

Conversation

@askpt
Member

@askpt askpt commented Mar 5, 2026

This PR

This pull request updates the GitHub Actions workflow to use the latest attestation action and improves the accuracy of artifact attestation paths. The main changes focus on upgrading from deprecated actions to their newer consolidated versions and refining path specifications for attestation.

GitHub Actions upgrades:

  • Switched from actions/attest-sbom and actions/attest-build-provenance to the unified actions/attest@v4.1.0 action in both .github/actions/sbom-generator/action.yml and .github/workflows/release.yml, ensuring future compatibility and access to new features.

Attestation path improvements:

  • Updated the subject-path for SBOM attestation to target the correct package directory: now uses src/${{ inputs.project-name }}/**/${{ inputs.project-name }}.*.nupkg instead of a broad glob, reducing the risk of incorrect matches.
  • Clarified workflow comments to reference the new actions/attest action for attestation permissions, improving documentation and maintainability.

Related Issues

Fixes #712
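The subject-path tightening above is the security-relevant part of this PR: actions/attest turns every file matched by subject-path into a separate subject of the signed in-toto statement, so the glob decides exactly what the attestation vouches for. The following is an added example, not code from the PR or from the project, that builds a constructed .nupkg layout (placeholder project name `MyProj` standing in for `${{ inputs.project-name }}`), expands a repository-wide pattern (`**/*.nupkg`, used here as a stand-in for the broad glob the PR replaced; the original pattern is not shown on this page) next to the PR's scoped pattern, and lists the subjects each would produce. The name-is-basename subject convention is an assumption about how actions/attest names subject-path matches, not something the PR states.

```python
"""Added example: what a broad vs. project-scoped attestation subject-path selects.

Builds a throwaway layout (constructed, not the project's real tree), expands
both globs with `**` semantics, and lists the in-toto-style subjects an
attestation over each match set would carry.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

PROJECT = "MyProj"  # placeholder for ${{ inputs.project-name }}

# Constructed files: the release package, a legacy .symbols.nupkg beside it,
# and three decoys that a repository-wide glob also sweeps into the attestation.
CONSTRUCTED_FILES: Dict[str, bytes] = {
    f"src/{PROJECT}/bin/Release/{PROJECT}.1.2.3.nupkg": b"release package",
    f"src/{PROJECT}/bin/Release/{PROJECT}.1.2.3.symbols.nupkg": b"legacy symbols",
    f"src/{PROJECT}.Tests/bin/Release/{PROJECT}.Tests.1.2.3.nupkg": b"test helper",
    f"src/{PROJECT}Extras/bin/Release/{PROJECT}Extras.1.2.3.nupkg": b"sibling project",
    f"src/{PROJECT}/obj/some.dependency.9.9.9.nupkg": b"restored dependency",
}

BROAD_GLOB = "**/*.nupkg"  # stand-in for the broad glob; the PR does not show the original
SCOPED_GLOB = f"src/{PROJECT}/**/{PROJECT}.*.nupkg"  # the pattern adopted in the PR


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_tree(root: Path) -> None:
    """Write the constructed layout under root."""
    for rel, content in CONSTRUCTED_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def expand(root: Path, pattern: str) -> List[str]:
    """Expand a `**`-aware glob relative to root; sorted POSIX-style relative paths."""
    return sorted(p.relative_to(root).as_posix() for p in root.glob(pattern) if p.is_file())


def attestation_subjects(root: Path, pattern: str) -> List[Dict]:
    """Subjects an attestation over `pattern` would carry: basename plus sha256.

    Assumption (not from the PR): a subject-path match is named by its basename
    when no explicit subject-name is supplied.
    """
    return [
        {"name": Path(rel).name, "digest": {"sha256": sha256_hex((root / rel).read_bytes())}}
        for rel in expand(root, pattern)
    ]


def demo() -> Dict[str, object]:
    """Build the tree in a temp dir and return both match sets plus the scoped subjects."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_tree(root)
        return {
            "broad": expand(root, BROAD_GLOB),
            "scoped": expand(root, SCOPED_GLOB),
            "scoped_subjects": attestation_subjects(root, SCOPED_GLOB),
        }


if __name__ == "__main__":
    result = demo()
    for label in ("broad", "scoped"):
        print(f"{label}: {len(result[label])} subject(s)")
        for rel in result[label]:
            print("   ", rel)
    for subject in result["scoped_subjects"]:
        print(subject["name"], subject["digest"]["sha256"])
```

The broad pattern attests the test-helper package, a sibling project whose name merely shares the prefix, and a dependency restored under obj/; the scoped pattern attests only files under the project's own directory whose name starts with the project name. Note that the scoped glob still admits a legacy `<Project>.<version>.symbols.nupkg` if the build emits one, so a pipeline that must attest exactly one artifact should either exclude that name or check the match count before attesting.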

askpt added 4 commits March 5, 2026 10:10
Signed-off-by: André Silva <2493377+askpt@users.noreply.github.com>
Signed-off-by: André Silva <2493377+askpt@users.noreply.github.com>
Signed-off-by: André Silva <2493377+askpt@users.noreply.github.com>
Signed-off-by: André Silva <2493377+askpt@users.noreply.github.com>
@askpt askpt requested a review from a team as a code owner March 5, 2026 10:24
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the reliability and accuracy of the continuous integration pipeline by updating the attestation process. It transitions to a more current and consolidated GitHub Action for software bill of materials (SBOM) generation and attestation, alongside improving the precision of artifact path identification. These changes aim to streamline the workflow and bolster supply chain security practices.

Highlights

  • GitHub Actions Upgrade: The actions/attest-sbom action has been upgraded to the unified actions/attest@v4.1.0 action, ensuring compatibility and access to new features for attestation.
  • Attestation Path Improvement: The subject-path for SBOM attestation has been refined to src/${{ inputs.project-name }}/**/${{ inputs.project-name }}.*.nupkg, providing a more precise target for package directories and reducing the risk of incorrect matches.
Changelog
  • .github/actions/sbom-generator/action.yml
    • Updated the uses declaration for the attestation action from actions/attest-sbom@v3.0.0 to actions/attest@v4.1.0.
    • Modified the subject-path for SBOM attestation to be more specific, targeting src/${{ inputs.project-name }}/**/${{ inputs.project-name }}.*.nupkg.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/release.yml
Activity
  • No activity has been recorded for this pull request yet.

@codecov

codecov bot commented Mar 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.45%. Comparing base (3fce05b) to head (15a618f).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #713   +/-   ##
=======================================
  Coverage   93.45%   93.45%           
=======================================
  Files          68       68           
  Lines        2951     2951           
  Branches      350      350           
=======================================
  Hits         2758     2758           
  Misses        135      135           
  Partials       58       58           



@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates the GitHub Actions workflow to use a newer attestation action and refines the artifact path for SBOM generation. While no security vulnerabilities were identified in the modified code, a critical issue was found with the action reference: the commit hash used for actions/attest is incorrect and belongs to a different, deprecated action, which will cause the CI workflow to fail. A specific suggestion has been provided to correct this.

@askpt askpt added this pull request to the merge queue Mar 6, 2026
Merged via the queue into main with commit a1778d1 Mar 6, 2026
25 of 26 checks passed
@askpt askpt deleted the askpt/issue712 branch March 6, 2026 07:54


Development

Successfully merging this pull request may close these issues.

Migrate all attestations to actions/attest

3 participants