pub fn collect_release_attestations(
owner: &str,
repo: &str,
tag: &str,
assets: &[ReleaseAsset],
) -> EvidenceState<Vec<ArtifactAttestation>>Expand description
Download release assets to a temporary directory, verify attestations for each,
and return an EvidenceState suitable for EvidenceBundle.artifact_attestations.
Assets that lack attestations are recorded as unverified rather than causing an error, so the overall assessment can still proceed.