Skip to content

build(deps): bump actions/attest-build-provenance from 1 to 4#279

Merged
mangelajo merged 1 commit intomainfrom
dependabot/github_actions/actions/attest-build-provenance-4
Apr 8, 2026
Merged

build(deps): bump actions/attest-build-provenance from 1 to 4#279
mangelajo merged 1 commit intomainfrom
dependabot/github_actions/actions/attest-build-provenance-4

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 3, 2026
edited
Loading

Bumps actions/attest-build-provenance from 1 to 4.

Release notes

Sourced from actions/attest-build-provenance's releases.

v4.0.0

[!NOTE] As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

Full Changelog: actions/attest-build-provenance@v3.2.0...v4.0.0

v3.2.0

What's Changed

Full Changelog: actions/attest-build-provenance@v3.1.0...v3.2.0

v3.1.0

What's Changed

New Contributors

Full Changelog: actions/attest-build-provenance@v3...v3.1.0

v3.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1 Release Notes

Make sure your runner is updated to this version or newer to use this release.

... (truncated)

Commits
  • a2bbfa2 bump actions/attest from 4.0.0 to 4.1.0 (#838)
  • 0856891 update RELEASE.md docs (#836)
  • e4d4f7c prepare v4 release (#835)
  • 02a49bd Bump github/codeql-action in the actions-minor group (#824)
  • 7c757df Bump the npm-development group with 2 updates (#825)
  • c44148e Bump github/codeql-action in the actions-minor group (#818)
  • 3234352 Bump @​types/node from 25.0.10 to 25.2.0 in the npm-development group (#819)
  • 18db129 Bump tar from 7.5.6 to 7.5.7 (#816)
  • 90fadfa Bump @​actions/core from 2.0.1 to 2.0.2 in the npm-production group (#799)
  • 57db8ba Bump the npm-development group across 1 directory with 3 updates (#808)
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot
build(deps): bump actions/attest-build-provenance from 1 to 4
b7e9a19 
Bumps [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) from 1 to 4.
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](actions/attest-build-provenance@v1...v4)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 3, 2026
@raballew raballew enabled auto-merge (squash) April 1, 2026 06:22
@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 6, 2026

Container Images

The following container images have been built for this PR:

Image URI
jumpstarter-controller quay.io/jumpstarter-dev/jumpstarter-controller:pr-279
jumpstarter-operator quay.io/jumpstarter-dev/jumpstarter-operator:pr-279
jumpstarter-operator-bundle quay.io/jumpstarter-dev/jumpstarter-operator-bundle:pr-279
jumpstarter quay.io/jumpstarter-dev/jumpstarter:pr-279
jumpstarter-utils quay.io/jumpstarter-dev/jumpstarter-utils:pr-279
jumpstarter-dev quay.io/jumpstarter-dev/jumpstarter-dev:pr-279
jumpstarter-devspace quay.io/jumpstarter-dev/jumpstarter-devspace:pr-279

Images expire after 7 days.

@ambient-code
Copy link
Copy Markdown
Contributor

ambient-code bot commented Apr 7, 2026

CI Status

All CI checks pass. This PR changes .github/workflows/build-images.yaml (bumping actions/attest-build-provenance from v1 to v4).

This is a straightforward GitHub Actions dependency bump. No code changes, no Go/Python impact. No merge conflicts despite being open since March. Safe to merge.

Note: this is a 3-major-version jump (v1 → v4), but actions/attest-build-provenance has maintained backward compatibility in its API. The main changes are Node.js runtime updates and attestation format improvements.

@ambient-code
Copy link
Copy Markdown
Contributor

ambient-code bot commented Apr 7, 2026

Automated Dependabot PR Review

Checks performed:

1. go.mod completeness: N/A — GitHub Actions dependency, no go.mod changes.

2. CI status: ✅ All relevant checks passed. Build images were built and pushed successfully.

3. K8s version check: N/A — not a k8s dependency.

4. Workflow completeness check:actions/attest-build-provenance is only used in build-images.yaml — the sole file this PR modifies. No other workflow files need updating.

5. Library assessment: This is a major version bump (v1 → v4):

  • v2: Added show-summary input, GHES 3.14+ support
  • v3: Node.js 24 runtime, improved checksum parsing (requires Runner >= 2.327.1)
  • v4: Now a thin wrapper on actions/attest — existing usage continues to work, but new implementations should use actions/attest directly

The action interface is backward-compatible. Note: this PR has been open for over 30 days; a rebase may be needed before merging.

Safe to merge. Recommended to merge (consider @dependabot rebase first).

@ambient-code
Copy link
Copy Markdown
Contributor

ambient-code bot commented Apr 7, 2026

@dependabot rebase

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Apr 7, 2026

Sorry, only users with push access can use that command.

@mangelajo mangelajo disabled auto-merge April 8, 2026 14:00
@mangelajo mangelajo merged commit 9bfcdb5 into main Apr 8, 2026
52 checks passed
@dependabot dependabot bot deleted the dependabot/github_actions/actions/attest-build-provenance-4 branch April 8, 2026 14:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@raballew raballew raballew approved these changes

Assignees

No one assigned

Labels

already-checked build-pr-images dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@raballew @mangelajo