SLSA provenance verification broken for 0.13.0

[imjasonh]

https://github.com/google/go-containerregistry/releases/tag/v0.13.0 was cut earlier, and the verification phase of the release failed: https://github.com/google/go-containerregistry/actions/runs/3998908027/jobs/6862265563

Download assets
  gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
  gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "attestation.intoto.jsonl"
no assets match the file pattern

And indeed, there isn't any attestation.intoto.jsonl in the release, there's only multiple.intoto.jsonl.

The provenance generation and verification steps of the 0.12.0 and 0.12.1 and 0.11.0 releases also had breakages:

• deps: bump version of slsa generator #1468
• Bump slsa-framework/slsa-github-generator to 1.2.2 #1489
• deps: update goreleaser-action for bug #1444

Unless we can be sure that provenance is generated and can be verified correctly, I'm sort of inclined to remove the attestation until they can be made more reliable. It's worse to me to have misleading or broken or unverifiable provenance than to have no provenance at all.

@asraa @laurentsimon

[laurentsimon]

/cc @ianlewis
Theattestation.intoto.jsonl was renamed to multiple.intoto.jsonl and the semver of the builder did not reflect that change.
Let me send a PR to update the file name in the verification part. Sorry about this. Nothing is broken, the attestation still exists and verification will work.