github-actions: bump actions/attest-build-provenance from 2 to 4.1.0#609
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 2 to 4.1.0.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@v2...v4.1.0)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
bgentry
left a comment
🤖 Codex review: Security review looks good to me.
I reviewed this as a dependency-upgrade supply-chain/security pass for the actions/attest-build-provenance update at head 1402a56854e65349f41ea9da307467df43c4ff31.
Scope reviewed:
- Workflow changes in `docker-riverproui.yaml` and `docker-riverui.yaml`.
- Upstream action trust and behavior change from `actions/attest-build-provenance@v2` to `@v4.1.0`.
- Security-relevant action metadata changes, including runtime, delegation to `actions/attest`, new predicate/storage inputs, permissions, registry push behavior, and credential exposure paths.
- CI status, with the known Dependabot `riverproui` image-publish/OIDC failure treated separately from dependency safety.
No blocking supply-chain issue found. The action remains in the official actions GitHub org, the workflow references remain in the same action repository, and this PR does not add permissions, secrets, registries, or new workflow steps.
The notable upstream action change is that the composite action now delegates to actions/attest and includes newer predicate/storage options. The existing workflows already use attestation permissions where needed. For the riverui workflow, push-to-registry: true may now also create GitHub storage records by default; that is expected for the newer official action behavior and did not expand the workflow's credential surface.
The remaining failed riverproui image checks are consistent with the known Dependabot OIDC/publish limitation, while the ordinary JS/Go checks and riverui image jobs passed.
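The checks the review above describes (which org each `uses:` reference belongs to, how the ref is pinned, and whether the job grants the permissions the attestation action needs) can be scripted. The block below is an added example written for this page; it is not code from the PR, from the reviewer, or from the River project. The workflow text it parses is constructed for the example, so the job layout, the `ghcr.io/example/riverui` image name, the `push` step id and the trusted-owner set are assumptions. It reports three things per action reference: whether the owner is outside a trusted set, whether the ref is a commit SHA, an exact tag such as `v4.1.0`, or a floating major tag such as `v2`, and, for `actions/attest-build-provenance`, whether `id-token: write`, `attestations: write` and (with `push-to-registry: true`) `packages: write` are granted.

```python
"""Added example: static supply-chain review of a workflow's `uses:` references.
The workflow text at the bottom is constructed for this example; the image name,
job layout, step id and trusted-owner set are assumptions, not the project's."""
from __future__ import annotations

import re
from typing import NamedTuple

# `uses: owner/repo[/path]@ref`; the optional leading "-" covers list items.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+)/([\w.-]+)(?:/[\w./-]+)?@([\w./-]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
MAJOR_TAG_RE = re.compile(r"^v?\d+$")  # e.g. v2: floats to the newest v2.x.y

TRUSTED_OWNERS = {"actions", "docker"}  # assumption: owners treated as first-party
ATTEST_ACTIONS = {("actions", "attest-build-provenance"), ("actions", "attest")}


class ActionRef(NamedTuple):
    owner: str
    repo: str
    ref: str
    line: int


def pin_kind(ref: str) -> str:
    """Classify an action ref: commit SHA, floating major tag (v2), or exact tag."""
    if SHA_RE.match(ref):
        return "sha"
    if MAJOR_TAG_RE.match(ref):
        return "floating-major"
    return "tag"


def parse_uses(workflow: str) -> list[ActionRef]:
    refs = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            refs.append(ActionRef(m.group(1), m.group(2), m.group(3), n))
    return refs


def parse_permissions(workflow: str) -> dict[str, str]:
    """Flatten every `permissions:` block (workflow- or job-level) into one map.
    A block ends at the first line that is not a `scope: level` entry."""
    perms: dict[str, str] = {}
    in_block = False
    for line in workflow.splitlines():
        if line.strip() == "permissions:":
            in_block = True
            continue
        if in_block:
            m = re.match(r"^\s+([\w-]+):\s*(read|write|none)\s*$", line)
            if m:
                perms[m.group(1)] = m.group(2)
                continue
            in_block = False
    return perms


def review(workflow: str) -> list[str]:
    """Return one finding per problem; an empty list means nothing to report."""
    findings = []
    perms = parse_permissions(workflow)
    pushes_to_registry = re.search(r"push-to-registry:\s*true", workflow) is not None
    for ref in parse_uses(workflow):
        where = f"line {ref.line}: {ref.owner}/{ref.repo}@{ref.ref}"
        if ref.owner not in TRUSTED_OWNERS:
            findings.append(f"{where} is outside the trusted owner set")
        if pin_kind(ref.ref) != "sha":
            findings.append(f"{where} is pinned to a {pin_kind(ref.ref)} ref, not a commit SHA")
        if (ref.owner, ref.repo) in ATTEST_ACTIONS:
            # id-token and attestations are always needed; packages only when pushing.
            needed = ["id-token", "attestations"] + (["packages"] if pushes_to_registry else [])
            for scope in needed:
                if perms.get(scope) != "write":
                    findings.append(f"{where} needs '{scope}: write' but the job grants "
                                    f"{perms.get(scope, 'nothing')}")
    return findings


# Constructed workflow modelled on the shape of a docker image publish job.
WORKFLOW_BEFORE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      packages: write
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v4
      - id: push
        uses: docker/build-push-action@v6
      - uses: actions/attest-build-provenance@v2
        with:
          subject-name: ghcr.io/example/riverui
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
"""
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace("attest-build-provenance@v2", "attest-build-provenance@v4.1.0")
# Same bump with the attestations scope dropped, to show the permission check firing.
WORKFLOW_MISSING_SCOPE = WORKFLOW_AFTER.replace("      attestations: write\n", "")
```

Run `review(WORKFLOW_BEFORE)` and `review(WORKFLOW_AFTER)`: both report that every action is tag-pinned rather than SHA-pinned (the bump only moves the attestation action from a floating `v2` tag to an exact `v4.1.0` tag), and neither reports a permission gap, which matches the reviewer's finding that the upgrade does not expand the workflow's credential surface. `review(WORKFLOW_MISSING_SCOPE)` adds a finding for the absent `attestations: write`.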
Bumps actions/attest-build-provenance from 2 to 4.1.0.
Release notes
Sourced from actions/attest-build-provenance's releases.
... (truncated)
Commits
- a2bbfa2 bump actions/attest from 4.0.0 to 4.1.0 (#838)
- 0856891 update RELEASE.md docs (#836)
- e4d4f7c prepare v4 release (#835)
- 02a49bd Bump github/codeql-action in the actions-minor group (#824)
- 7c757df Bump the npm-development group with 2 updates (#825)
- c44148e Bump github/codeql-action in the actions-minor group (#818)
- 3234352 Bump @types/node from 25.0.10 to 25.2.0 in the npm-development group (#819)
- 18db129 Bump tar from 7.5.6 to 7.5.7 (#816)
- 90fadfa Bump @actions/core from 2.0.1 to 2.0.2 in the npm-production group (#799)
- 57db8ba Bump the npm-development group across 1 directory with 3 updates (#808)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)