chore(publish): bump intra-repo action pins to v0.9.0

[vadimpiven]

Activates the v0.9.0 attest-addons and verify-addons actions: sidecar sigstore bundle flow (replaces the Rekor REST client) and the {url, bundleUrl} AddonUrlMap leaf shape.

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[greptile-apps]

Greptile Summary

This PR bumps the two intra-repo composite action pins (attest-addons and verify-addons) to the SHA of the previous commit (311ea97…, tagged v0.9.0) and updates the addons input description to reflect the new { url, bundleUrl } AddonUrlMap leaf shape. The two-commit pin-update pattern is clearly documented in the workflow comments and is followed correctly here.

Confidence Score: 5/5

Safe to merge — the change is a routine intra-repo SHA pin bump following the established two-commit pattern.

Only two action SHA pins and one input description string were updated; the pattern is documented in-line and matches the repo's established policy. No logic changes, no new secrets exposure, no migration risk.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/publish.yaml	Bumps both intra-repo action pins (attest-addons and verify-addons) to SHA 311ea97…, tagged v0.9.0, and updates the addons input description to document the new {url, bundleUrl} leaf shape.

_{Reviews (1): Last reviewed commit: "chore(publish): bump intra-repo action p..." | Re-trigger Greptile}