Rename source to dfetch-source

Author: spoorcc

.github/workflows/build.yml

@@ -118,7 +118,7 @@ jobs:
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh attestation verify source.tar.gz \
+          gh attestation verify dfetch-source.tar.gz \
             --repo "${{ github.repository }}" \
             --predicate-type https://slsa.dev/provenance/v1 \
             --cert-identity-regex "^https://github\.com/${{ github.repository }}/\.github/workflows/source-provenance\.yml@refs/(heads/main|tags/[0-9]+\.[0-9]+\.[0-9]+)$" \

.github/workflows/source-provenance.yml

@@ -38,18 +38,18 @@ jobs:
           persist-credentials: false
 
       - name: Generate source archive
-        run: git archive HEAD --format=tar.gz -o source.tar.gz
+        run: git archive HEAD --format=tar.gz -o dfetch-source.tar.gz
 
       - name: Attest source provenance
         uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
-          subject-path: source.tar.gz
+          subject-path: dfetch-source.tar.gz
 
       - name: Verify source provenance
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh attestation verify source.tar.gz \
+          gh attestation verify dfetch-source.tar.gz \
             --repo "${{ github.repository }}" \
             --predicate-type https://slsa.dev/provenance/v1 \
             --cert-identity-regex "^https://github\.com/${{ github.repository }}/\.github/workflows/source-provenance\.yml@refs/(heads/main|tags/[0-9]+\.[0-9]+\.[0-9]+)$" \
@@ -59,4 +59,4 @@ jobs:
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: source-archive
-          path: source.tar.gz
+          path: dfetch-source.tar.gz

.github/workflows/test.yml

@@ -138,15 +138,15 @@ jobs:
       - name: Verify subject artifact exists
         if: steps.download-source.outcome == 'success'
         run: |
-          if [ ! -f source.tar.gz ]; then
-            echo "Error: source.tar.gz not found after artifact download" >&2
+          if [ ! -f dfetch-source.tar.gz ]; then
+            echo "Error: dfetch-source.tar.gz not found after artifact download" >&2
             exit 1
           fi
 
       - name: Attest test results
         if: steps.download-source.outcome == 'success'
         uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
         with:
-          subject-path: source.tar.gz
+          subject-path: dfetch-source.tar.gz
           predicate-type: https://in-toto.io/attestation/test-result/v0.1
           predicate-path: test-result-predicate.json

doc/howto/verify-integrity.rst

@@ -174,7 +174,7 @@ from the ``main`` branch.
 **Source archive — verify build provenance and test results:**
 
 The source archive has two attestations and is produced for every release and
-every ``main``-branch commit. Download ``source.tar.gz`` from the *Artifacts*
+every ``main``-branch commit. Download ``dfetch-source.tar.gz`` from the *Artifacts*
 section of the relevant CI run, then verify each in turn. Use
 ``@refs/tags/v<version>`` for a release or ``@refs/heads/main`` for a
 development build.
@@ -184,7 +184,7 @@ workflow from the tagged commit):
 
 .. code-block:: bash
 
-    $ gh attestation verify source.tar.gz \
+    $ gh attestation verify dfetch-source.tar.gz \
         --repo dfetch-org/dfetch \
         --predicate-type https://slsa.dev/provenance/v1 \
         --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/source-provenance.yml@refs/tags/v<version> \
@@ -195,7 +195,7 @@ any binary was produced):
 
 .. code-block:: bash
 
-    $ gh attestation verify source.tar.gz \
+    $ gh attestation verify dfetch-source.tar.gz \
         --repo dfetch-org/dfetch \
         --predicate-type https://in-toto.io/attestation/test-result/v0.1 \
         --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/test.yml@refs/tags/v<version> \