terraform: Add support for GitHub Attestations in TFLint installation

[wata727]

Fixes #1563

[Kaniska244]

Hi @wata727

Thank you for the contribution. Would you kindly bump the feature version and look into the failing test?

[Kaniska244]

Hi @wata727

Instead of pinning a specific version, would you kindly incorporate the gh attestation verify logic in tflint_fallback_test.sh test script?

[wata727]

Fixed.

By the way, passing the bundle directly allows gh at verify to run even without a GITHUB_TOKEN, but this leaves a rate limiting issue. However, since we're using GitHub's artifact attestations, there seems to be no way to avoid this.

What are your thoughts on this issue? Can we just ignore it since it's unlikely to happen very often?

[nranderson]

@Kaniska244 Would appreciate if this update could be prioritized. It appears the endpoint cosign was using has been removed and our builds are now failing without this update.

[2026-05-26T13:17:25.942Z] 
20.99 Error: searching log query: Post "https://rekor.sigstore.dev/api/v1/log/en
[2026-05-26T13:17:25.942Z] 
ntries/retrieve": POST https://rekor.sigstore.dev/api/v1/log/entries/retrieve giv
ving up after 4 attempt(s): Post "https://rekor.sigstore.dev/api/v1/log/entries/r
[2026-05-26T13:17:25.942Z] 
retrieve": dial tcp 127.232.108.0:443: connect: connection refused
[2026-05-26T13:17:25.942Z] 
20.99 error during command execution: searching log query: Post "https://rekor.s
[2026-05-26T13:17:25.942Z] 
sigstore.dev/api/v1/log/entries/retrieve": POST https://rekor.sigstore.dev/api/v1
1/log/entries/retrieve giving up after 4 attempt(s): Post "https://rekor.sigstore
[2026-05-26T13:17:25.942Z] 
e.dev/api/v1/log/entries/retrieve": dial tcp 127.232.108.0:443: connect: connecti
[2026-05-26T13:17:25.942Z] 
ion refused
[2026-05-26T13:17:25.942Z] 
21.00 ERROR: Feature "Terraform, tflint, and TFGrunt" (ghcr.io/devcontainers/fea
[2026-05-26T13:17:25.942Z]