Problem
The slsa-provenance job in .github/workflows/release.yml (slsa-framework/slsa-github-generator generator_generic_slsa3.yml@v2.1.0) started failing on every release: GitHub now forces Node20 actions onto Node24 runners, and v2.1.0's internal actions break under Node24 ("Input required and not supplied: path", exit 127). v2.1.0 is the latest release — there is nothing newer to bump to, and continue-on-error is not allowed on reusable-workflow jobs.
Confirmed: the job passed on v0.76.0 and failed on v0.77.0 (release itself succeeded — binaries, GHCR docker images, cosign sigs, SBOMs all published).
Interim (done)
Disabled the job via if: ${{ vars.ENABLE_SLSA_PROVENANCE == 'true' }} (unset = skipped). The release retains GitHub-native build-provenance attestation (the goreleaser job's actions/attest-build-provenance step), verifiable with gh attestation verify — so provenance is still attested, just not the SLSA-framework .intoto.jsonl.
To re-enable
When slsa-github-generator ships a Node24-compatible release:
- Bump the
uses: pin (SHA + version) in release.yml.
- Set repo variable
ENABLE_SLSA_PROVENANCE=true.
Refs: v0.77.0 release run, https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
Problem
The
slsa-provenancejob in.github/workflows/release.yml(slsa-framework/slsa-github-generatorgenerator_generic_slsa3.yml@v2.1.0) started failing on every release: GitHub now forces Node20 actions onto Node24 runners, and v2.1.0's internal actions break under Node24 ("Input required and not supplied: path", exit 127). v2.1.0 is the latest release — there is nothing newer to bump to, andcontinue-on-erroris not allowed on reusable-workflow jobs.Confirmed: the job passed on v0.76.0 and failed on v0.77.0 (release itself succeeded — binaries, GHCR docker images, cosign sigs, SBOMs all published).
Interim (done)
Disabled the job via
if: ${{ vars.ENABLE_SLSA_PROVENANCE == 'true' }}(unset = skipped). The release retains GitHub-native build-provenance attestation (the goreleaser job'sactions/attest-build-provenancestep), verifiable withgh attestation verify— so provenance is still attested, just not the SLSA-framework.intoto.jsonl.To re-enable
When slsa-github-generator ships a Node24-compatible release:
uses:pin (SHA + version) inrelease.yml.ENABLE_SLSA_PROVENANCE=true.Refs: v0.77.0 release run, https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/