jreleaser / release-action

:octocat: GitHub Action for JReleaser
https://jreleaser.org
Apache License 2.0

Fix filename of generated slsa attestation #13

Closed netomi closed 10 months ago

netomi commented 10 months ago

See this reference:

https://github.com/slsa-framework/slsa-github-generator/blob/v1.9.0/.github/workflows/delegator_generic_slsa3.yml#L68C53-L68C53

that was changed in this commit: https://github.com/slsa-framework/slsa-github-generator/commit/2548e763ef585810bc9befc360435325369bfc9a

With this final change my release workflow completes successfully: https://github.com/netomi/macos-notarization-service/actions/runs/7144907502

aalmiray commented 10 months ago

Thank you 😄

netomi commented 10 months ago

tyvm.

btw. I noticed that this action is not following the normal release convention for actions. The tags do not have a vx.y.z format and instead there is a v1 and v2 branch. This does not allow the action to be pinned correctly by tools like https://github.com/TinyGearsOrg/octopin/ (written by myself) or dependabot. It might be possible to support such cases as well, but following the normal convention for releases would make things easier.

Tbh I don't know if there is a clever way to support that out of the box, but most of the actions follow that convention, e.g. look at actions/checkout at https://github.com/actions/checkout/tags

netomi commented 10 months ago

I found this action that seems to do just that, but there are many others:

https://github.com/marketplace/actions/actions-tagger

netomi commented 10 months ago

the actions/checkout repo has some workflow to do that manually for the major versions:

https://github.com/actions/checkout/blob/main/.github/workflows/update-main-version.yml

the actions-tagger action seems to do that automatically for all major version tags.
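The convention discussed in this thread (immutable vX.Y.Z tags plus a floating vX ref that is moved to the newest release) as an added shell example, not code from jreleaser/release-action or from the tools mentioned above; the tag names and SHAs are constructed. It resolves a major version to its newest vX.Y.Z tag and emits the SHA-pinned `uses:` line that pinning tools such as octopin or dependabot maintain, which is what the floating ref alone cannot give you.

```shell
#!/usr/bin/env sh
# Constructed sample in the "sha refname" shape of `git ls-remote --tags`
# (all SHAs and versions are made up for this example).
SAMPLE_TAGS='0123456789abcdef0123456789abcdef01234567 refs/tags/v1.0.0
89abcdef0123456789abcdef0123456789abcdef refs/tags/v1.2.0
fedcba9876543210fedcba9876543210fedcba98 refs/tags/v1.10.1
abcdef0123456789abcdef0123456789abcdef01 refs/tags/v2.0.0
1111111111111111111111111111111111111111 refs/tags/v1'

# latest_for_major MAJOR: prints "<sha> <tag>" for the newest vMAJOR.y.z tag.
# The floating vMAJOR ref itself is skipped because it has no ".y.z" part.
# Minor and patch are sorted numerically (field 1 is the shared "vMAJOR"),
# so v1.10.1 correctly outranks v1.2.0.
latest_for_major() {
  major="$1"
  printf '%s\n' "$SAMPLE_TAGS" \
    | sed -n "s|^\([0-9a-f]\{40\}\)[[:space:]]*refs/tags/\(v${major}\.[0-9]*\.[0-9]*\)$|\2 \1|p" \
    | sort -t. -k2,2n -k3,3n \
    | tail -n 1 \
    | awk '{ print $2, $1 }'
}

# pin_line MAJOR: emits a `uses:` line pinned to the commit SHA, keeping the
# resolved version as a trailing comment so update tools can track it.
# Returns non-zero when no vMAJOR.y.z tag exists.
pin_line() {
  set -- $(latest_for_major "$1")
  [ -n "$1" ] || return 1
  printf 'uses: jreleaser/release-action@%s # %s\n' "$1" "$2"
}

pin_line 1
pin_line 2
```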

aalmiray commented 10 months ago

Yes, the versioning scheme for the Java builder action is different. Custom builders should be hosted at the same repository as the main action. Right now there's just one builder (Java) but there could be more (Rust, C#, etc), each one with its own release cycle.

This means we need different version numbers and tags. The compromise with the SLSA team was to choose the tag format we have in place.

netomi commented 10 months ago

ftr: I was not referring to the different versioning of the Java builder and the release-action itself, but rather the convention you use for the release-action in general.

https://github.com/actions/toolkit/blob/master/docs/action-versioning.md#versioning

It's workable ofc, but still slightly different compared to the majority of other actions.

aalmiray commented 10 months ago

Oh? I thought I followed the convention. Can certainly add matching tags to make it happen.