
chore(deps): bump zircote/.github/.github/workflows/sign-and-attest.yml from 740cb8efb57af0187f88e9b4f939355b871a5895 to aa00b2f09e8e42bd88cd002b441fcd6c46ecaff8 #129

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/zircote/dot-github/dot-github/workflows/sign-and-attest.yml-aa00b2f09e8e42bd88cd002b441fcd6c46ecaff8

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jun 29, 2026

Bumps zircote/.github/.github/workflows/sign-and-attest.yml from 740cb8efb57af0187f88e9b4f939355b871a5895 to aa00b2f09e8e42bd88cd002b441fcd6c46ecaff8.

Changelog

Sourced from zircote/.github/.github/workflows/sign-and-attest.yml's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Added

  • Attested delivery architecture — nine centralized reusable workflows constituted from HMH-ProdOps/.github@8f3b4d41a9aeedb430bd575020170ce0641dbd95 and parameterized for zircote: build-attest.yml, sign-and-attest.yml (SLSA Build L3 signing boundary), verify-attestation.yml (fail-closed gate), promote.yml, promote-prod.yml, sbom-and-scan.yml, dora-emit.yml, pin-check.yml, mirror-images.yml
  • SECURITY.md "Verifying Release Artifacts" section with the full workstation verification command set (gh attestation verify --signer-workflow, cosign verify, SBOM/vuln attestation checks)
  • pin-check CI gate (pin-check-ci.yml): every PR asserts all uses: references in .github/workflows/ and actions/ are pinned to full 40-char SHAs, calling the central pin-check.yml by SHA-pinned cross-repo reference
  • Attested-delivery documentation (docs/, Diátaxis): tutorial (first attested release), how-to guides (onboarding, SHA-pin enforcement, SBOM/vuln scan, DORA metrics, admission enforcement), full workflow reference (inputs/outputs/secrets/permissions, verified against the workflow files), design explanation, and rollout status with acceptance tests; README and CLAUDE.md now present the architecture with links into docs/
  • Stale Health Check workflow (stale-health-check.md): weekly scan for stale issues (>30d), abandoned PRs (>7d), failing CI, and README staleness across all zircote repos (tracker: stlhlt01)
  • Dependency Ecosystem workflow (dependency-ecosystem.md): weekly cross-repo dependency intelligence — Dependabot PR audit, version consistency, coverage gaps, and health scoring (tracker: depeco01)
  • Agent Health Monitor workflow (agent-health-monitor.md): daily meta-monitoring of all gh-aw workflows for consecutive failures, missed schedules, and timeouts (tracker: agenthm01)
  • Generic compile script (scripts/compile-gh-aw.sh): parameterized compile + patch for any gh-aw workflow, replacing hardcoded org-monitor references
  • Three new automation labels: stale-health, dep-ecosystem, agent-health

Fixed

  • Profile README automation silently broken: update-profile-readme.yml pushed directly to the protected main branch, was rejected (GH006), and the retry loop swallowed the failure — runs reported success while the profile went stale since 2026-03. Now opens an auto-merge PR via the GitHub App token and fails loudly
  • README examples called nonexistent workflow inputs (run-tests, run-race-detector, scan-secrets/scan-dependencies on reusable-security, generate-changelog, composite-action cache/version/output-file) — all examples regenerated from the actual workflow_call/action inputs
  • Documentation taught unpinned @main/@v4 action refs contradicting the org SHA-pinning policy — all positive examples in README, skills, agents, and presentation docs now pin to full commit SHAs
  • Broken markdown fence nesting (3-backtick templates containing 3-backtick code blocks) in copilot-tuner, ecosystem-migrator, ai-tuning, ecosystem-migration, presentation-generation, and presentations README — outer fences now use 4 backticks; this also fixes the phantom broken assets/diagram.png image link
  • .github/copilot-instructions.md referenced nonexistent reusable-ci-rust.yml; agents/skills referenced nonexistent scripts/validate-sha-pinning.sh/validate-workflows.sh (replaced with actionlint + pin grep)
  • profile/README.md ccpkg link pointed at renamed zircote/plugin-packaging (now zircote/ccpkg); example presentation author corrected to Robert Allen
  • CONTRIBUTING.md development setup replaced generic boilerplate with this repo's real toolchain (actionlint, compile-gh-aw.sh, pin-check)
  • README links to private template repos now marked private instead of 404ing for visitors; added LICENSE file (MIT) to back the README license claim; ~40 unlabeled code fences given language tags
  • attested-delivery skill brought into skill-doc compliance (Purpose/Triggers/Usage sections, allowed-tools frontmatter, trigger-phrase description); profile-maintainer agent aligned to the shared agent structure
  • dependabot-automerge.yml called the reusable auto-merge workflow at the mutable @main ref; now uses the local-path form (same-commit, exempt from pin-check)
  • attested-delivery skill templates: dora-emit.yml left hmh.dora.* metric names unparameterized (now __org__.dora.*); build-attest.yml/sign-and-attest.yml example image carried a dqo/app path (now ghcr.io/__org__/app)
  • promote-prod.yml and mirror-images.yml regenerated from the generic templates — removes HMH-specific "CCAB" terminology (now "change-record") and repo-specific comments

Changed

  • promote-prod.yml change-record gate reframed to GitHub-native: the gate now requires an open GitHub issue carrying an approval label (default change-approved) whose body records the exact digest being promoted (always asserted), with an optional GitHub Projects v2 Status assertion via project-number/approved-status. Replaces the JIRA inputs (jira-issue-key, jira-digest-field) and JIRA_* secrets with change-issue/change-repo/approval-label/project-number/approved-status and an optional CHANGE_RECORD_TOKEN. Skill template, docs, and references updated to match
  • Addressed Copilot review feedback from #442 that was bypassed: fixed the onboarding guide's verify-job example to match the build-attest path, documented why sbom-and-scan.yml callers must grant packages: write, and removed the accidentally committed docs/presentations/.subcog/audit.log (now gitignored via **/.subcog/)
  • scripts/compile-org-monitor.sh is now a thin wrapper delegating to compile-gh-aw.sh
  • CLAUDE.md updated with workflow table (names, tracker IDs, schedules), generic compile instructions, and compile-all loop command
  • Removed invalid discussions: false frontmatter rule from CLAUDE.md (not a valid gh-aw compiler property)

[0.2.0] - 2025-01-20

Added

  • Organization-wide repository monitor gh-aw workflow (org-monitor.md, tracker: orgmon01)
  • GitHub App integration (zircote-org-monitor) for cross-repo MCP access
  • Compile + patch script for .github repo runtime-import bug workaround (gh-aw#18711)
  • gh-aw workflow conventions documented in CLAUDE.md

Fixed

... (truncated)

Commits
  • aa00b2f ci: bump pnpm/action-setup from 6.0.0 to 6.0.9 (#471)
  • f8957cd ci: bump actions/checkout from 6.0.2 to 7.0.0 (#474)
  • 634c38f ci: bump github/codeql-action/init from 4.34.1 to 4.36.2 (#484)
  • 5ca0b03 ci: bump github/codeql-action/upload-sarif from 4.34.1 to 4.36.2 (#483)
  • c76d196 ci: bump aws-actions/configure-aws-credentials from 6.2.0 to 6.2.1 (#481)
  • 00b8bc6 ci: bump actions/attest-build-provenance from 4.1.0 to 4.1.1 (#482)
  • 0658904 ci: bump actions/cache/save from 5.0.5 to 6.1.0 (#479)
  • 261486f ci: bump zircote/.github/.github/workflows/pin-check.yml from e3010b176bbb1d0...
  • 03b5fb6 docs(profile): update activity highlights (#477)
  • 7566717 ci: bump github/gh-aw from 0.79.9 to 0.80.5 (#476)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
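The changelog quoted above describes a pin-check gate that asserts every `uses:` reference is pinned to a full 40-character commit SHA, with same-commit local-path calls (`./.github/workflows/...`) exempt. The script below is an added example of such a check, not the project's own pin-check.yml; the sample workflow text, the `example/action` reference and the `auto-merge.yml` file name are constructed for illustration.

```python
import re

# A full commit SHA is exactly 40 hex chars; tags, branches and abbreviated
# SHAs are mutable or ambiguous and fail the gate.
FULL_SHA = re.compile(r"^[0-9a-fA-F]{40}$")
# Matches step-level "- uses: ref" and job-level "uses: ref" (reusable workflows).
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")

def classify_uses(ref):
    """'local' (same-commit ./path, exempt), 'pinned' (@<40-hex SHA>),
    or 'unpinned' (tag, branch, abbreviated SHA, or no @version)."""
    if ref.startswith("./"):
        return "local"
    if "@" not in ref:
        return "unpinned"
    version = ref.rsplit("@", 1)[1]
    return "pinned" if FULL_SHA.match(version) else "unpinned"

def find_unpinned(workflow_yaml):
    """Return (line_number, ref) for every unpinned `uses:` in a workflow file."""
    findings = []
    for lineno, line in enumerate(workflow_yaml.splitlines(), 1):
        m = USES_LINE.match(line)
        if m and classify_uses(m.group(1)) == "unpinned":
            findings.append((lineno, m.group(1)))
    return findings

# Constructed sample workflow mixing pinned, unpinned and exempt references.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4           # tag: mutable
      - uses: example/action@aa00b2f        # abbreviated SHA: not a full pin
  sign:
    uses: zircote/.github/.github/workflows/sign-and-attest.yml@aa00b2f09e8e42bd88cd002b441fcd6c46ecaff8
  automerge:
    uses: ./.github/workflows/auto-merge.yml                     # local path: exempt
  old:
    uses: zircote/.github/.github/workflows/auto-merge.yml@main  # branch: mutable
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned reference {ref}")
```

Run against every file under `.github/workflows/` and `actions/` and fail the job when `find_unpinned` returns anything; a Dependabot bump such as this PR then only ever replaces one full SHA with another.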

Bumps [zircote/.github/.github/workflows/sign-and-attest.yml](https://github.com/zircote/.github) from 740cb8efb57af0187f88e9b4f939355b871a5895 to aa00b2f09e8e42bd88cd002b441fcd6c46ecaff8.
- [Release notes](https://github.com/zircote/.github/releases)
- [Changelog](https://github.com/zircote/.github/blob/main/CHANGELOG.md)
- [Commits](zircote/.github@740cb8e...aa00b2f)

---
updated-dependencies:
- dependency-name: zircote/.github/.github/workflows/sign-and-attest.yml
  dependency-version: aa00b2f09e8e42bd88cd002b441fcd6c46ecaff8
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] (Contributor, Author) commented on behalf of github, Jun 29, 2026

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


Labels: dependencies (Pull requests that update a dependency file)