From 39d7db67dadaf75d35cca4755e9fdd4174ba4e21 Mon Sep 17 00:00:00 2001
From: Claude Code <noreply@anthropic.com>
Date: Thu, 18 Dec 2025 16:30:16 +0000
Subject: [PATCH] fix(github): use version_prefix when fetching release for
 SLSA verification
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The SLSA verification was failing for tools with custom version_prefix
(e.g., grain with `version_prefix=grain-v`, bitwarden-secrets-manager
with `version_prefix=bws-v`) because it was only trying `version` and
`v{version}` instead of respecting the configured prefix.

Fix by using the existing `try_with_v_prefix` helper which properly
handles version_prefix options.

Fixes tools like:
- grain (version_prefix=grain-v)
- bitwarden-secrets-manager (version_prefix=bws-v)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 src/backend/github.rs | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/src/backend/github.rs b/src/backend/github.rs
index 9afac3193d..b74cb3f1f1 100644
--- a/src/backend/github.rs
+++ b/src/backend/github.rs
@@ -976,19 +976,20 @@ impl UnifiedGitBackend {
         let api_url = self.get_api_url(&opts);
         let version = &tv.version;
 
-        // Try to get the release (with optional v prefix)
-        let release = match github::get_release_for_url(&api_url, &repo, version).await {
+        // Try to get the release (with version prefix support)
+        let version_prefix = opts.get("version_prefix").map(|s| s.as_str());
+        let release = match try_with_v_prefix(version, version_prefix, |candidate| {
+            let api_url = api_url.clone();
+            let repo = repo.clone();
+            async move { github::get_release_for_url(&api_url, &repo, &candidate).await }
+        })
+        .await
+        {
             Ok(r) => r,
-            Err(_) => {
-                // Try with v prefix
-                match github::get_release_for_url(&api_url, &repo, &format!("v{}", version)).await {
-                    Ok(r) => r,
-                    Err(e) => {
-                        return Err(VerificationStatus::Error(format!(
-                            "Failed to get release: {e}"
-                        )));
-                    }
-                }
+            Err(e) => {
+                return Err(VerificationStatus::Error(format!(
+                    "Failed to get release: {e}"
+                )));
             }
         };