Description
We’ve identified an inconsistency between the commit referenced in the attestation metadata and the actual commit associated with the released version (tag) for the following packages:
pkg:pypi/imageio@2.37.2
pkg:pypi/cmdstanpy@1.3.0
Specifically, the commit recorded in the attestation does not match:
- the final commit in the repository history for the release, nor
- the commit pointed to by the corresponding version tag
Expected Behavior
Macaron should report the release tag commit and report the mismatch in the attestation.
Actual Behavior
- Attestation commit → different
- Release tag commit → different
- Final repository state → aligned with tag, not attestation
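
The comparison this report asks for, as an added example that is not Macaron's code and not part of the original issue: it resolves a tag to its commit from `git ls-remote` text and compares that with the attested commit. The function names, the `refs/heads/main` default and the sample refs are assumptions made for illustration; extracting the commit from the attestation itself is out of scope here.

```python
"""Added example: compare an attested commit with the commit a release tag points to."""

def parse_ls_remote(output):
    """Map ref name -> object id from `git ls-remote` text (sha, TAB, ref per line)."""
    refs = {}
    for line in output.splitlines():
        if line.strip():
            sha, ref = line.split("\t", 1)
            refs[ref.strip()] = sha.strip().lower()
    return refs

def tag_commit(refs, tag):
    """Commit for a tag. An annotated tag has its own object id; the commit
    is listed on the peeled '^{}' line, so that line is preferred."""
    name = f"refs/tags/{tag}"
    return refs.get(name + "^{}") or refs.get(name)

def check_release(attested_commit, ls_remote_output, tag, branch="refs/heads/main"):
    """Report the tag commit and whether the attested commit matches it."""
    refs = parse_ls_remote(ls_remote_output)
    tagged = tag_commit(refs, tag)
    if tagged is None:
        return {"status": "tag-not-found", "tag_commit": None}
    attested = attested_commit.lower()
    return {
        "status": "match" if attested == tagged else "mismatch",
        "tag_commit": tagged,
        "attested_commit": attested,
        # True when the branch head is the tagged commit (repository aligned with tag).
        "branch_head_is_tag": refs.get(branch) == tagged,
    }

# Constructed sample data (not taken from the packages named in this issue).
TAG_OBJECT = "1" * 40      # id of the annotated tag object itself
RELEASE_COMMIT = "2" * 40  # commit the tag points to
OTHER_COMMIT = "3" * 40    # commit recorded in the (constructed) attestation
SAMPLE = "\n".join([
    f"{RELEASE_COMMIT}\tHEAD",
    f"{RELEASE_COMMIT}\trefs/heads/main",
    f"{TAG_OBJECT}\trefs/tags/v1.0.0",
    f"{RELEASE_COMMIT}\trefs/tags/v1.0.0^{{}}",
])

if __name__ == "__main__":
    print(check_release(OTHER_COMMIT, SAMPLE, "v1.0.0"))
```

Comparing against the tag object id instead of the peeled commit would report a mismatch for every annotated tag, so the peeled line matters.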