fix(publish): Replace unwrap() calls with error handling in provenance generation

[Copilot]

• Identify all unwrap() calls in provenance.rs that can panic
• Replace unwrap() at line 346 (transparency_logs.iter().next()) with proper error handling
• Replace unwrap() at line 169 (rel_ref.find('@')) with proper error handling
• Replace unwrap() calls for environment variables with better error messages
• Update test to use proper GITHUB_WORKFLOW_REF format
• Address code review feedback - replace unwrap_or_default() with proper error handling
• Run code review - No issues found
• Run CodeQL security check - No vulnerabilities found
• Run rustfmt to fix formatting issues

Summary

Fixed panic in deno publish when running in CI containers by replacing all unwrap() calls in the provenance generation code with proper error handling. The changes ensure clear, actionable error messages are shown instead of panics.

Key changes:

1. Line 359-362: Replaced transparency_logs.iter().next().unwrap() with ok_or_else() to provide clear error when Rekor returns no log entries
2. Line 169-174: Replaced rel_ref.find('@').unwrap() with ok_or_else() to show which GITHUB_WORKFLOW_REF value is invalid
3. Lines 163-190: Replaced all environment variable unwrap() calls with map_err() to show exactly which env var is missing
4. Changed return types: Updated Predicate::new_github_actions() and ProvenanceAttestation::new_github_actions() to return Result<T, AnyError> to properly propagate errors
5. Formatting: Applied rustfmt to ensure code follows project style guidelines

All code review and security checks passed with no issues.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Able to publish deno package locally but not from CI container</issue_title>
<issue_description>Deno v2.3.7 on x86_64-unknown-linux-gnu.

A panic occurred in Deno.

stack backtrace:

• deno::setup_panic_hook::{{closure}}
• std::panicking::rust_panic_with_hook
• std::panicking::begin_panic_handler::{{closure}}
• std::sys::backtrace::__rust_end_short_backtrace
• rust_begin_unwind
• core::panicking::panic_fmt
• core::panicking::panic
• core::option::unwrap_failed
• deno::tools::publish::provenance::generate_provenance::{{closure}}
• deno::tools::publish::publish_package::{{closure}}
• deno::tools::publish::perform_publish::{{closure}}::{{closure}}
• deno::tools::publish::perform_publish::{{closure}}
• deno::tools::publish::publish::{{closure}}
• deno::spawn_subcommand::{{closure}}
• tokio::runtime::task::raw::poll
• deno::main
• std::sys::backtrace::__rust_begin_short_backtrace
• main
• _start

_{View trace: here}

I was running the publish command on a forgejo runner in this container: code.forgejo.org/oci/node:20-bookworm</issue_description>

<agent_instructions>There is a panic caused by an unwrap somewhere in publish_provanance method. Remove unwraps and replace it will clear error messages.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes Able to publish deno package locally but not from CI container #31870

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[CLAassistant]

All committers have signed the CLA.

[bartlomieju]

@copilot please run tools/format.js to ensure linting step passes correctly

[Copilot]

@copilot please run tools/format.js to ensure linting step passes correctly

Done. Applied rustfmt formatting in commit e585c4d.