Pass hashes when attesting OSV report

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

Author: puerco

.github/workflows/release.yaml

@@ -161,10 +161,22 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
-          vexflow assemble --repo=carabiner-dev/demo-repo --triage-repo=carabiner-dev/.vexflow-demo-repo  > attestations/main.openvex.json
-          bnd predicate attestations/main.openvex.json --subject="sha1:${{ github.sha }}" --out attestations/openvex.bundle.json --type="https://openvex.dev/ns/v0.2.0"        
+          vexflow assemble \
+            --repo=carabiner-dev/demo-repo \
+            --triage-repo=carabiner-dev/.vexflow-demo-repo  > attestations/main.openvex.json
+          
+          bnd predicate attestations/main.openvex.json \
+            --subject="sha1:${{ github.sha }}" \
+            --subject="gitCommit:${{ github.sha }}" \
+            --out attestations/openvex.bundle.json \
+            --type="https://openvex.dev/ns/v0.2.0"        
+          
+          bnd predicate attestations/osv-results.json \
+            --subject="sha1:${{ github.sha }}" \
+            --subject="gitCommit:${{ github.sha }}" \
+            --out attestations/osv-results.bundle.json \
+            --type="https://ossf.github.io/osv-schema/[email protected]"        
           
-          bnd predicate attestations/osv-results.json --out attestations/osv-results.bundle.json --type="https://ossf.github.io/osv-schema/[email protected]"        
           rm -f attestations/osv-results.json attestations/main.openvex.json
 
       - name: Pack Attestations