Commit 5105296
authored
fix(release): publish SBOMs flat so their SHA256SUMS lines verify (#590)
The SBOMs were written to dist/sbom/ and checksummed as sbom/<name>.cdx.json,
but they publish as FLAT release assets (<name>.cdx.json), so 'sha256sum -c'
could not find them and the .cdx.json lines failed. Emit the SBOMs directly
into dist/ and reference them flat in the checksum manifest and the upload
list, so every SHA256SUMS line (packages AND SBOMs) resolves against a served
asset. The loop still scans only packages + the bare binary, never a .cdx.json.1 parent 8aa00d7 commit 5105296
1 file changed
Lines changed: 9 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
133 | 133 | | |
134 | 134 | | |
135 | 135 | | |
136 | | - | |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
137 | 141 | | |
138 | 142 | | |
139 | 143 | | |
140 | 144 | | |
141 | 145 | | |
142 | | - | |
| 146 | + | |
143 | 147 | | |
144 | | - | |
| 148 | + | |
145 | 149 | | |
146 | 150 | | |
147 | 151 | | |
148 | 152 | | |
149 | | - | |
| 153 | + | |
150 | 154 | | |
151 | 155 | | |
152 | 156 | | |
| |||
195 | 199 | | |
196 | 200 | | |
197 | 201 | | |
198 | | - | |
| 202 | + | |
199 | 203 | | |
0 commit comments