slsa-framework / slsa-github-generator

Language-agnostic SLSA provenance generation for Github Actions
Apache License 2.0
433 stars 130 forks

[bug] generator_generic_slsa3.yml upload-assets creates duplicate draft release #4000

Open bradh352 opened 2 weeks ago

bradh352 commented 2 weeks ago

Describe the bug We are using generator_generic_slsa3.yml to generate SLSA3 provenance for the c-ares project and just had our first release using it. We generate the release and upload the tarball using softprops/action-gh-release@v2, marking the release as a draft. We then go through the provenance step, and it generates another draft of the release with the same name instead of uploading to the existing draft with that name.

I have not attempted to allow it to use a non-draft release for both steps of the process, mainly because I must come back and PGP sign the generated tarball and upload that signature, and I want to wait to turn off the draft status until that is done. So maybe this is a draft-related issue.

To Reproduce

See workflow https://github.com/c-ares/c-ares/blob/v1.34.3/.github/workflows/package.yml

Expected behavior Expected that the generated .intoto.jsonl file would be uploaded to the existing draft release.

bradh352 commented 2 weeks ago

I see #1476 for Go, which happens to sort of discuss this issue, and points to this diff for a workaround: https://github.com/sigstore/helm-sigstore/pull/111/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R61-R90

I'll implement that workaround until this gets resolved.

bradh352 commented 2 weeks ago

I tried to implement the same workaround; I won't know if it works until our next release. Regardless, I'd think this should be resolved within the generic generator itself. https://github.com/c-ares/c-ares/commit/75a382cc303e0f15e37575575687da9fc65528dc
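As an added illustration of the workaround pattern under discussion (my own sketch, not the c-ares workflow, the helm-sigstore diff, or anything shipped by slsa-github-generator): keep the generator out of the release-upload business by calling it with `upload-assets: false`, then attach the provenance to the already-existing draft yourself with `gh release upload`. The generator inputs and the `provenance-name` output are reproduced from memory of the generator's documented interface and should be checked against the version you pin; `make dist`, the `hashes` output name and the job names are placeholders.

```yaml
name: release

on:
  push:
    tags: ['v*']

# Start from no permissions; each job requests only what it needs.
permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      - name: Build release tarball (placeholder build command)
        run: make dist
      - name: Record subject digests for the SLSA generator
        id: hash
        # The generator expects the base64 of sha256sum output, one line per subject.
        run: echo "hashes=$(sha256sum *.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: tarball
          path: '*.tar.gz'

  draft-release:
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: tarball
      - name: Create the draft release and attach the tarball
        uses: softprops/action-gh-release@v2
        with:
          draft: true
          files: '*.tar.gz'

  provenance:
    needs: [build]
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      # Do NOT let the generator create/upload to a release; it would make a second draft.
      upload-assets: false

  attach-provenance:
    # Runs only after the draft exists and the provenance artifact is available.
    needs: [draft-release, provenance]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}
      - name: Upload the .intoto.jsonl to the existing draft
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
        # gh resolves a draft by the tag_name the draft was created with.
        run: gh release upload "$GITHUB_REF_NAME" "$PROVENANCE" --clobber
```

The release stays a draft throughout, so the PGP signature can still be added by hand before publishing. The uploading job is the only one that needs `contents: write`, and it uploads exactly the file the reusable workflow produced, so the provenance still covers the same tarball digests that were recorded in the build job.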