Summary

The provenance attestation is being generated in the CI workflow (see lines 320-325), but is not currently passed on or used in the publishing call (see publish.sh).

Details

• Attestation Generation:
  The workflow creates a provenance attestation artifact, but the artifact is not propagated to the publish step or included in the plugin publishing process.
• Missing Usage:
  The publishing script (publish.sh) does not currently accept or use the attestation file, so the produced artifact is not uploaded or referenced during publishing.
• Reference Implementation:
  See plugin-uploader reference for how attestation can be included in the publish process.

Suggested Action

Update the publishing step to accept and use the provenance attestation, following the example in the plugin-uploader reference. This will ensure the provenance data is published alongside the plugin artifact.