From d38fce4cb82944b87f9899fac11c8511dcdf143e Mon Sep 17 00:00:00 2001
From: obsidian-ai
Date: Wed, 6 May 2026 13:57:49 +0100
Subject: [PATCH] ci: pin sbom/cosign/attest actions to node20-safe versions

forgejo-runner v6.4.0 ships node20; floating tags @v0/@v3/@v2 now resolve to actions whose runs.using=node24, which the runner cannot exec. Pin to last node20-shipping release of each:
- anchore/sbom-action@v0.17.2
- sigstore/cosign-installer@v3.7.0
- actions/attest-build-provenance@v2.2.3
---
 .github/workflows/build-iso.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml
index e45c81a..3704b64 100644
--- a/.github/workflows/build-iso.yml
+++ b/.github/workflows/build-iso.yml
@@ -210,7 +210,8 @@ jobs:
 - name: Install cosign
 if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
- uses: sigstore/cosign-installer@v3
+ # Pinned to last v3 release confirmed node20.
+ uses: sigstore/cosign-installer@v3.7.0
 - name: Sign ISO parts (keyless)
 if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
@@ -224,7 +225,8 @@ jobs:
 - name: Generate SBOM (SPDX)
 if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
- uses: anchore/sbom-action@v0
+ # Pinned to last v0.17 release that ships node20.
+ uses: anchore/sbom-action@v0.17.2
 with:
 path: build/out
 format: spdx-json
@@ -232,7 +234,8 @@ jobs:
 - name: Build provenance attestation
 if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
- uses: actions/attest-build-provenance@v2
+ # Pinned to last v2.2 release that ships node20.
+ uses: actions/attest-build-provenance@v2.2.3
 with:
 subject-path: 'build/out/*.iso.part-*'
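Review bot: The three new `uses:` lines (cosign-installer in the first hunk, sbom-action and attest-build-provenance in the two later ones) pin to release tags, which are mutable refs that upstream can move, so the steps that sign and attest the ISO can still pick up different code without any change in this repository. Pin each one to the full commit SHA of the release and keep the version as a trailing comment, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # v3.7.0`, and likewise for `anchore/sbom-action` (v0.17.2) and `actions/attest-build-provenance` (v2.2.3). The job header and its `permissions` block lie outside these hunks, but the keyless signing step presumably runs with an OIDC token, which would place these third-party actions inside the release trust boundary. A SHA pin also makes the node20 guarantee durable, because the `runs.using` value checked at that commit cannot change afterwards.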