Description
Problem
The GH attestation is tied to a git tag, but the git tag is typically mutable. That makes the attestation unsound.
But if we follow the GH recommendation to use immutable releases (https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases) so that the git tag is immutable, we can't add anything to the release after the attestation.
(This is part of a bigger review at https://github.com/diskuv/dk/blob/V2_4/docs/posts/2025-10-24-overview-ci-attestations.md)
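The soundness gap described above can be checked on the consumer side: instead of trusting the tag name a provenance statement mentions, compare the artifact's digest against the attestation's subject and compare the commit the tag resolves to now against the commit recorded in the provenance. The following Python is an added example, not code from this issue or from the dk project; the minimal SLSA v1 statement, the artifact bytes, the commit id and the `verify_release` helper are all constructed here, and the exact field layout of a real `actions/attest-build-provenance` statement is an assumption (real statements carry more fields).

```python
import hashlib

# Constructed sample artifact and a minimal SLSA v1 provenance statement in the
# general shape actions/attest-build-provenance produces. The exact field layout
# is an assumption for this example; real statements carry more fields.
SAMPLE_ARTIFACT = b"constructed release binary contents"
SAMPLE_TAG = "2.4.202510250000"
SAMPLE_COMMIT = "a" * 40  # constructed commit id the tag pointed to at build time

SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {"name": "dk-dist/dk",
         "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}
    ],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "resolvedDependencies": [
                {
                    "uri": f"git+https://github.com/diskuv/dk@refs/tags/{SAMPLE_TAG}",
                    "digest": {"gitCommit": SAMPLE_COMMIT},
                }
            ]
        }
    },
}


def source_reference(statement):
    """Return (uri, gitCommit) of the source checkout recorded in the provenance."""
    deps = statement["predicate"]["buildDefinition"]["resolvedDependencies"]
    for dep in deps:
        if dep.get("uri", "").startswith("git+") and "gitCommit" in dep.get("digest", {}):
            return dep["uri"], dep["digest"]["gitCommit"]
    raise ValueError("provenance records no git source commit")


def subject_matches(statement, artifact_bytes, name):
    """True if the artifact's sha256 is listed as a subject under the given name."""
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    return any(s["name"] == name and s["digest"].get("sha256") == digest
               for s in statement["subject"])


def verify_release(statement, artifact_bytes, artifact_name, tag_commit_now):
    """Check an artifact against its provenance and the commit the tag resolves to now.

    Returns a list of findings; an empty list means the artifact, the provenance
    and the current tag all agree. tag_commit_now is the commit the tag points at
    when the verifier runs (for example the output of `git rev-parse <tag>^{commit}`),
    which differs from build time whenever the tag has been moved.
    """
    findings = []
    if not subject_matches(statement, artifact_bytes, artifact_name):
        findings.append("artifact digest is not a subject of this attestation")
    uri, built_commit = source_reference(statement)
    if built_commit != tag_commit_now:
        findings.append(
            f"tag now resolves to {tag_commit_now[:12]} but provenance was built from "
            f"{built_commit[:12]} ({uri}); the tag has moved since the build"
        )
    return findings
```

The check binds trust to the commit digest and the artifact digest, both of which are immutable, rather than to the tag name, which is not; a moved tag or a swapped asset each produce a finding.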
Details
```yaml
      - name: Generate artifact attestation
        id: attest
        uses: actions/attest-build-provenance@v3
        with: { subject-path: dk-dist/* }
      - name: Release ${{ github.workflow }}
        uses: softprops/action-gh-release@f38efdea4c5ffe13e9424b0aa2833bee28f1e34c # v2. Oct. 6, 2025
        with: { files: dk-dist/* }
```

The actions/attest-build-provenance@v3 step will create the release (e.g. https://github.com/diskuv/dk/releases/tag/2.4.202510250000).
But then the next step softprops/action-gh-release@... can't update the release with the artifacts.
It fails with:
Error: Cannot upload assets to an immutable release. - https://docs.github.com/rest
Possible Solution
Let us specify extra files that get added to the release in actions/attest-build-provenance@v3. That way we can atomically create the release with the artifacts we want and the attestation (in one step).