fix: correct subject-digest format for attest-build-provenance

[ravshansbox]

Problem

The GitHub Actions workflow fails for all release builds in v10.4.0 at the "Attest artifact" step due to an invalid digest format.

The workflow uses:

subject-digest: sha256::${{ steps.upload-tarball.artifact-digest }}

This produces a double colon (sha256::...) which is invalid. The correct format is:

subject-digest: sha256:${{ steps.upload-tarball.artifact-digest }}

Impact

All release builds fail at the attestation step, preventing the creation and publishing of release artifacts (tarballs, .deb packages, etc.) for all platforms.

Root Cause

The bug was introduced in PR #1901 which bumped actions/attest-build-provenance from v3 to v4. The new attestation steps were accidentally written with a double colon instead of a single colon after the sha256 prefix.

Fix

This change corrects the digest format in both attestation steps.

Fixes #1909

Related

• PR build(deps): bump actions/attest-build-provenance from 3 to 4 #1901 (dependabot bump)
• CI run: https://github.com/sharkdp/fd/actions/runs/22794348628

[tmccombs]

This isn't enough to fix it. See #1904, which this is kind of a duplicate of