actions / attest

Action for generating attestations for workflow artifacts
MIT License

Consider naming the generated attestation file `attestation.intoto.json` or allow users to configure it #62

Open edgarrmondragon opened 4 months ago

edgarrmondragon commented 4 months ago

This would make it slightly easier for projects to comply with OSSF's Scorecard: https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#signed-releases.

The alternative at the moment is for users to override the asset name under which the file is uploaded to the release.

I can start a PR if y'all like the idea. If we make it configurable, we'd probably want to follow up with a corresponding PR in actions/attest-build-provenance.