kubewarden · viccuad · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026 · Mar 19, 2026
@@ -19,7 +19,7 @@ jobs:
       NODE_VERSION: 14
     steps:
       - name: Install dependencies
-        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16
+        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # until https://github.com/actions/checkout/pull/579 is released
@@ -48,7 +48,7 @@ jobs:
       - name: Check that `io.kubewarden.policy.version` annotation is up-to-date
         # skip when releasing :latest from main, versions will not match
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: kubewarden/github-actions/check-policy-version@v4.5.16
+        uses: kubewarden/github-actions/check-policy-version@v4.6.0
         with:
           expected-version: ${{ steps.calculate-version.outputs.version }}
       - name: Setup node
@@ -71,7 +71,7 @@ jobs:
         run: |
           make e2e-tests
       - name: Release
-        uses: kubewarden/github-actions/policy-release@v4.5.16
+        uses: kubewarden/github-actions/policy-release@v4.6.0
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           oci-target: ${{ inputs.oci-target }}
@@ -88,4 +88,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Push artifacthub files to artifacthub branch
-        uses: kubewarden/github-actions/push-artifacthub@v4.5.16
+        uses: kubewarden/github-actions/push-artifacthub@v4.6.0
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install dependencies
-        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16
+        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # until https://github.com/actions/checkout/pull/579 is released
@@ -46,16 +46,16 @@ jobs:
       - name: Check that `io.kubewarden.policy.version` annotation is up-to-date
         # skip when releasing :latest from main, versions will not match
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: kubewarden/github-actions/check-policy-version@v4.5.16
+        uses: kubewarden/github-actions/check-policy-version@v4.6.0
         with:
           expected-version: ${{ steps.calculate-version.outputs.version }}
       - name: Build and annotate policy
-        uses: kubewarden/github-actions/policy-build-go-wasi@v4.5.16
+        uses: kubewarden/github-actions/policy-build-go-wasi@v4.6.0
       - name: Run e2e tests
         run: |
           make e2e-tests
       - name: Release
-        uses: kubewarden/github-actions/policy-release@v4.5.16
+        uses: kubewarden/github-actions/policy-release@v4.6.0
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           oci-target: ${{ inputs.oci-target }}
@@ -71,4 +71,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Push artifacthub files to artifacthub branch
-        uses: kubewarden/github-actions/push-artifacthub@v4.5.16
+        uses: kubewarden/github-actions/push-artifacthub@v4.6.0
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install dependencies
-        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16
+        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # until https://github.com/actions/checkout/pull/579 is released
@@ -46,16 +46,16 @@ jobs:
       - name: Check that `io.kubewarden.policy.version` annotation is up-to-date
         # skip when releasing :latest from main, versions will not match
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: kubewarden/github-actions/check-policy-version@v4.5.16
+        uses: kubewarden/github-actions/check-policy-version@v4.6.0
         with:
           expected-version: ${{ steps.calculate-version.outputs.version }}
       - name: Build and annotate policy
-        uses: kubewarden/github-actions/policy-build-tinygo@v4.5.16
+        uses: kubewarden/github-actions/policy-build-tinygo@v4.6.0
       - name: Run e2e tests
         run: |
           make e2e-tests
       - name: Release
-        uses: kubewarden/github-actions/policy-release@v4.5.16
+        uses: kubewarden/github-actions/policy-release@v4.6.0
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           oci-target: ${{ inputs.oci-target }}
@@ -71,4 +71,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Push artifacthub files to artifacthub branch
-        uses: kubewarden/github-actions/push-artifacthub@v4.5.16
+        uses: kubewarden/github-actions/push-artifacthub@v4.6.0
@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install dependencies
-        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16
+        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # until https://github.com/actions/checkout/pull/579 is released
@@ -64,12 +64,12 @@ jobs:
       - name: Check that `io.kubewarden.policy.version` annotation is up-to-date
         # skip when releasing :latest from main, versions will not match
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: kubewarden/github-actions/check-policy-version@v4.5.16
+        uses: kubewarden/github-actions/check-policy-version@v4.6.0
         with:
           expected-version: ${{ steps.calculate-version.outputs.version }}
           policy-working-dir: ${{ inputs.policy-working-dir }}
       - name: Install opa
-        uses: kubewarden/github-actions/opa-installer@v4.5.16
+        uses: kubewarden/github-actions/opa-installer@v4.6.0
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Build policy
         working-directory: ${{ inputs.policy-working-dir }}
@@ -87,7 +87,7 @@ jobs:
         run: |
           make e2e-tests
       - name: Release
-        uses: kubewarden/github-actions/policy-release@v4.5.16
+        uses: kubewarden/github-actions/policy-release@v4.6.0
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           oci-target: ${{ inputs.oci-target }}
@@ -105,6 +105,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Push artifacthub files to artifacthub branch
-        uses: kubewarden/github-actions/push-artifacthub@v4.5.16
+        uses: kubewarden/github-actions/push-artifacthub@v4.6.0
         with:
           policy-working-dir: ${{ inputs.policy-working-dir }}
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install dependencies
-        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16
+        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # until https://github.com/actions/checkout/pull/579 is released
@@ -46,16 +46,16 @@ jobs:
       - name: Check that `io.kubewarden.policy.version` annotation is up-to-date
         # skip when releasing :latest from main, versions will not match
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: kubewarden/github-actions/check-policy-version@v4.5.16
+        uses: kubewarden/github-actions/check-policy-version@v4.6.0
         with:
           expected-version: ${{ steps.calculate-version.outputs.version }}
       - name: Build and annotate policy
-        uses: kubewarden/github-actions/policy-build-rust@v4.5.16
+        uses: kubewarden/github-actions/policy-build-rust@v4.6.0
       - name: Run e2e tests
         run: |
           make e2e-tests
       - name: Release
-        uses: kubewarden/github-actions/policy-release@v4.5.16
+        uses: kubewarden/github-actions/policy-release@v4.6.0
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           oci-target: ${{ inputs.oci-target }}
@@ -71,4 +71,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Push artifacthub files to artifacthub branch
-        uses: kubewarden/github-actions/push-artifacthub@v4.5.16
+        uses: kubewarden/github-actions/push-artifacthub@v4.6.0
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install dependencies
-        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16
+        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # until https://github.com/actions/checkout/pull/579 is released
@@ -46,7 +46,7 @@ jobs:
       - name: Check that `io.kubewarden.policy.version` annotation is up-to-date
         # skip when releasing :latest from main, versions will not match
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: kubewarden/github-actions/check-policy-version@v4.5.16
+        uses: kubewarden/github-actions/check-policy-version@v4.6.0
         with:
           expected-version: ${{ steps.calculate-version.outputs.version }}
       - name: install wasm-strip
@@ -72,7 +72,7 @@ jobs:
         run: |
           make e2e-tests
       - name: Release
-        uses: kubewarden/github-actions/policy-release@v4.5.16
+        uses: kubewarden/github-actions/policy-release@v4.6.0
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           oci-target: ${{ inputs.oci-target }}
@@ -88,4 +88,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Push artifacthub files to artifacthub branch
-        uses: kubewarden/github-actions/push-artifacthub@v4.5.16
+        uses: kubewarden/github-actions/push-artifacthub@v4.6.0
@@ -23,11 +23,11 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install dependencies
-        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16
+        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0
       - name: Build and annotate policy
         with:
           generate-sbom: false
-        uses: kubewarden/github-actions/policy-build-go-wasi@v4.5.16
+        uses: kubewarden/github-actions/policy-build-go-wasi@v4.6.0
       - name: Run e2e tests
         run: make e2e-tests
 

@@ -23,11 +23,11 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install dependencies
-        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16
+        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0
       - name: Build and annotate policy
         with:
           generate-sbom: false
-        uses: kubewarden/github-actions/policy-build-tinygo@v4.5.16
+        uses: kubewarden/github-actions/policy-build-tinygo@v4.6.0
       - name: Run e2e tests
         run: make e2e-tests
 

@@ -16,7 +16,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install opa
-        uses: kubewarden/github-actions/opa-installer@v4.5.16
+        uses: kubewarden/github-actions/opa-installer@v4.6.0
       - name: Run unit tests
         working-directory: ${{ inputs.policy-working-dir }}
         run: make test
@@ -53,11 +53,11 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Install dependencies
-        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.5.16
+        uses: kubewarden/github-actions/policy-gh-action-dependencies@v4.6.0
       - name: Build and annotate policy
         with:
           generate-sbom: false
-        uses: kubewarden/github-actions/policy-build-rust@v4.5.16
+        uses: kubewarden/github-actions/policy-build-rust@v4.6.0
       - name: Run e2e tests
         run: |
           make e2e-tests

@@ -18,7 +18,7 @@ runs:
     - name: Install cosign
       uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
     - name: Install the crane command
-      uses: kubewarden/github-actions/crane-installer@v4.5.16
+      uses: kubewarden/github-actions/crane-installer@v4.6.0
     - name: Login to GitHub Container Registry
       uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
       with:
@@ -46,22 +46,40 @@ runs:
         | jq -r '.manifests[]
           | select(.annotations["vnd.docker.reference.type"] == "attestation-manifest")
           | .digest')
+        if [[ -z "${DIGEST}" ]]; then
+          echo "ERROR: No attestation manifest found for ${{ inputs.component }} (${{ inputs.arch }})"
+          exit 1
+        fi
         echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
     - name: Find provenance manifest digest
       shell: bash
       run: |
         set -e
         DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST }} |
                     jq -r '.layers[]
-                      | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2")
+                      | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v1")
                       | .digest')
+        if [[ -z "${DIGEST}" ]]; then
+          echo "ERROR: No SLSA provenance layer found in attestation manifest for ${{ inputs.component }} (${{ inputs.arch }})"
+          exit 1
+        fi
         echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
     - name: Find SBOM manifest layer digest
       shell: bash
       run: |
         set -e
         DIGEST=$(crane manifest ghcr.io/${{ github.repository_owner }}/${{ inputs.component }}@${{ env.ATTESTATION_MANIFEST_DIGEST}} |  \
-          jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")')
+          jq -r '.layers
+            | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document"))
+            | map(.digest)
+            | if length == 0 then empty
+              elif length == 1 then .[0]
+              else error("ERROR: Multiple SBOM layers found in attestation manifest")
+              end')
+        if [[ -z "${DIGEST}" ]]; then
+          echo "ERROR: No SBOM layer found in attestation manifest for ${{ inputs.component }} (${{ inputs.arch }})"
+          exit 1
+        fi
         echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
 
     # We need to upload provenance and SBOM files, plus their signatures under the GitHub Release page.

@@ -9,11 +9,11 @@ runs:
     - name: Install cosign
       uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
     - name: Install kwctl
-      uses: kubewarden/github-actions/kwctl-installer@v4.5.16
+      uses: kubewarden/github-actions/kwctl-installer@v4.6.0
     - name: Install bats
       run: sudo apt install -y bats
       shell: bash
     - name: Install SBOM generator tool
-      uses: kubewarden/github-actions/syft-installer@v4.5.16
+      uses: kubewarden/github-actions/syft-installer@v4.6.0
     - name: Install binaryen tool
-      uses: kubewarden/github-actions/binaryen-installer@v4.5.16
+      uses: kubewarden/github-actions/binaryen-installer@v4.6.0
@@ -12,7 +12,7 @@ runs:
   using: "composite"
   steps:
     - name: Install kwctl
-      uses: kubewarden/github-actions/kwctl-installer@v4.5.16
+      uses: kubewarden/github-actions/kwctl-installer@v4.6.0
     - name: Checkout code
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with: