From 74ac20671caa67451d65f03af15d403824c2d82e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 22 Oct 2025 15:26:36 +0000
Subject: [PATCH] Update release verify commands to use sentinel value

Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>
---
 pkg/cmd/attestation/api/mock_client.go       | 5 +++++
 pkg/cmd/release/verify-asset/verify_asset.go | 2 +-
 pkg/cmd/release/verify/verify.go             | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/pkg/cmd/attestation/api/mock_client.go b/pkg/cmd/attestation/api/mock_client.go
index 39232cdae..845f87d7a 100644
--- a/pkg/cmd/attestation/api/mock_client.go
+++ b/pkg/cmd/attestation/api/mock_client.go
@@ -41,6 +41,11 @@ func OnGetByDigestSuccess(params FetchParams) ([]*Attestation, error) {
 	att3 := makeTestReleaseAttestation()
 	attestations := []*Attestation{&att1, &att2}
 	if params.PredicateType != "" {
+		// "release" is a sentinel value that returns all release attestations (v0.1, v0.2, etc.)
+		// This mimics the GitHub API behavior which handles this server-side
+		if params.PredicateType == "release" {
+			return []*Attestation{&att3}, nil
+		}
 		if params.PredicateType == "https://in-toto.io/attestation/release/v0.1" {
 			attestations = append(attestations, &att3)
 		}
diff --git a/pkg/cmd/release/verify-asset/verify_asset.go b/pkg/cmd/release/verify-asset/verify_asset.go
index 43cdec990..acd8a134e 100644
--- a/pkg/cmd/release/verify-asset/verify_asset.go
+++ b/pkg/cmd/release/verify-asset/verify_asset.go
@@ -147,7 +147,7 @@ func verifyAssetRun(config *VerifyAssetConfig) error {
 	// Find attestations for the release tag SHA
 	attestations, err := config.AttClient.GetByDigest(api.FetchParams{
 		Digest:        releaseRefDigest.DigestWithAlg(),
-		PredicateType: shared.ReleasePredicateType,
+		PredicateType: "release",
 		Owner:         baseRepo.RepoOwner(),
 		Repo:          baseRepo.RepoOwner() + "/" + baseRepo.RepoName(),
 		// TODO: Allow this value to be set via a flag.
diff --git a/pkg/cmd/release/verify/verify.go b/pkg/cmd/release/verify/verify.go
index 2654977f7..65516764e 100644
--- a/pkg/cmd/release/verify/verify.go
+++ b/pkg/cmd/release/verify/verify.go
@@ -135,7 +135,7 @@ func verifyRun(config *VerifyConfig) error {
 	// Find all the attestations for the release tag SHA
 	attestations, err := config.AttClient.GetByDigest(api.FetchParams{
 		Digest:        releaseRefDigest.DigestWithAlg(),
-		PredicateType: shared.ReleasePredicateType,
+		PredicateType: "release",
 		Owner:         baseRepo.RepoOwner(),
 		Repo:          baseRepo.RepoOwner() + "/" + baseRepo.RepoName(),
 		Initiator:     "github",