fix(release): promote project version after attestation push

[jiparis]

Summary

• Move the "Promote Chainloop Project Version" step from the release job to the finish_attestation job so it runs after chainloop attestation push, not before
• Pass the current project version as a job output from release to finish_attestation
• Remove the attestation phase tag from the failing contract

Closes #2805

[kusari-inspector]

Kusari Analysis Results:

✅ No Flagged Issues Detected
All values appear to be within acceptable risk parameters.

No pinned version dependency changes, code issues or exposed secrets detected!

Note

View full detailed analysis result for more information on the output and the checks that were run.

---

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: c2cc912, performed at: 2026-03-02T16:37:44Z

Found this helpful? Give it a 👍 or 👎 reaction!

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/release.yaml">

<violation number="1" location=".github/workflows/release.yaml:231">
P2: Potential script injection: `${{ needs.release.outputs.current_version }}` is interpolated directly in a `run:` block. GitHub's security hardening guide recommends passing expressions through `env:` to prevent injection if the value contains shell metacharacters.

Use an intermediate environment variable instead of direct interpolation.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[kusari-inspector]

Kusari PR Analysis rerun based on - c2cc912 performed at: 2026-03-02T16:37:44Z - link to updated analysis