From 2224e5dd3c87de9c3d0d5bb8821241dc9a9f7bd0 Mon Sep 17 00:00:00 2001
From: Swarit Pandey
Date: Wed, 15 Apr 2026 14:08:35 +0530
Subject: [PATCH 1/4] fix(ci): find path for windows binary
Signed-off-by: Swarit Pandey
---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bf26b4f..0f71e01 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -72,8 +72,8 @@ jobs:
 id: binaries
 run: |
 DARWIN=$(find dist -type f -name '*darwin_unnotarized' | head -1)
- WIN_AMD64=$(find dist -type f -name '*windows_amd64.exe' | head -1)
- WIN_ARM64=$(find dist -type f -name '*windows_arm64.exe' | head -1)
+ WIN_AMD64=$(find dist -type f -name '*.exe' -path '*windows_amd64*' | head -1)
+ WIN_ARM64=$(find dist -type f -name '*.exe' -path '*windows_arm64*' | head -1)
 for label in "darwin:${DARWIN}" "windows_amd64:${WIN_AMD64}" "windows_arm64:${WIN_ARM64}"; do
 name="${label%%:*}"
From dfc30a2b51c3c4e144650c741e8c9d69f1ebf09e Mon Sep 17 00:00:00 2001
From: Swarit Pandey
Date: Wed, 15 Apr 2026 14:33:12 +0530
Subject: [PATCH 2/4] fix: cosign path
Signed-off-by: Swarit Pandey
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0f71e01..92484a9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -107,7 +107,7 @@ jobs:
 "${{ steps.binaries.outputs.darwin }}.bundle" \
 "${{ steps.binaries.outputs.win_amd64 }}.bundle" \
 "${{ steps.binaries.outputs.win_arm64 }}.bundle" \
- dist/stepsecurity-dev-machine-guard.sh.bundle \
+ stepsecurity-dev-machine-guard.sh.bundle \
 --clobber
 - name: Attest build provenance
From d4909fe7733b4bec15f29ac33fb7751b137c1e48 Mon Sep 17 00:00:00 2001
From: Swarit Pandey
Date: Wed, 15 Apr 2026 14:57:30 +0530
Subject: [PATCH 3/4] fix: resolve draft release
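Review bot: `find … | head -1` on the new WIN_AMD64 and WIN_ARM64 lines masks both an empty result and multiple matches: with no match the variable is empty and the `for label` loop below carries `windows_amd64:` with an empty path into the step's outputs (the loop body continues outside the hunk, so it is not visible whether it rejects that), and with more than one `.exe` under a `windows_amd64` directory the file that gets signed and released depends on unsorted `find` order. A release job that signs artifacts should fail closed here rather than sign whatever turns up first. Suggest a guard after each assignment, `[ -n "$WIN_AMD64" ] || { echo "::error::no windows_amd64 binary found under dist"; exit 1; }`, and likewise for WIN_ARM64 and DARWIN; asserting exactly one match (`wc -l` on the `find` output equal to 1) would close the second gap as well.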
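Review bot: The bundle path on the new line is a hand-maintained mirror of where the sign step (above this hunk; its `run:` block starts outside it) writes the file with `--bundle "${artifact}.bundle"`, and this commit exists because the two lists drifted: the `.sh` artifact lives in the repo root, so its bundle did too, while the binaries' bundles land under `dist/`. Nothing ties the four arguments of `gh release upload` to what cosign actually produced, so a later rename on either side surfaces only at upload time, after signing, and `--clobber` will replace an existing asset of the same name with whatever the path now points to. Suggest having the sign step write every bundle to one place, `cosign sign-blob "$artifact" --bundle "dist/$(basename "$artifact").bundle" --yes`, and uploading that set, or at least a `[ -f "$bundle" ]` check per path before the upload so a missing or misnamed bundle is reported with its name.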
Signed-off-by: Swarit Pandey
---
 .github/workflows/release.yml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 92484a9..ca9b0e9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -65,6 +65,23 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Resolve draft release tag
+ id: release
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ # GoReleaser creates draft releases under an "untagged-*" slug,
+ # so gh release upload by version tag returns 404. Look up the
+ # actual tag GitHub assigned to the draft.
+ release_tag=$(gh api "repos/${{ github.repository }}/releases" \
+ --jq '[.[] | select(.draft and .name == "${{ steps.version.outputs.tag }}")] | first | .tag_name')
+ if [ -z "$release_tag" ] || [ "$release_tag" = "null" ]; then
+ echo "::error::Could not find draft release for ${{ steps.version.outputs.tag }}"
+ exit 1
+ fi
+ echo "tag=$release_tag" >> "$GITHUB_OUTPUT"
+ echo "Resolved draft release tag: $release_tag"
+
 - name: Install cosign
 uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
@@ -103,7 +120,7 @@ jobs:
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
- gh release upload "${{ steps.version.outputs.tag }}" \
+ gh release upload "${{ steps.release.outputs.tag }}" \
 "${{ steps.binaries.outputs.darwin }}.bundle" \
 "${{ steps.binaries.outputs.win_amd64 }}.bundle" \
 "${{ steps.binaries.outputs.win_arm64 }}.bundle" \
From 2b94cf209dc950349e6379d042cbb08fd97e0f79 Mon Sep 17 00:00:00 2001
From: Swarit Pandey
Date: Wed, 15 Apr 2026 15:06:29 +0530
Subject: [PATCH 4/4] fix: cosign naming
Signed-off-by: Swarit Pandey
---
 .github/workflows/release.yml | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ca9b0e9..dddcc04 100644
--- a/.github/workflows/release.yml
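Review bot: The `--jq` filter on the new `release_tag=` line and the `::error::` echo splice `${{ steps.version.outputs.tag }}` into the script text before the shell runs, so the tag value is interpreted as jq and shell source rather than as data; whether that value can be influenced from outside depends on how the version step derives it (not visible here), but the standard hardening for `run:` steps is to pass such values through `env:` and read them as variables. Suggest adding `TAG: ${{ steps.version.outputs.tag }}` under the step's `env:`, changing the filter to `select(.draft and .name == $ENV.TAG)` (or piping the response to `jq -r --arg tag "$TAG"` if gh's embedded jq lacks `$ENV`), and using `"$TAG"` in the error message; the same applies to the `gh release upload "${{ steps.release.outputs.tag }}"` argument in the second hunk, even though that value is server-assigned. Separately, `| first` silently picks one draft when several carry the same name (a stale draft from an earlier failed run, for instance), and the unpaginated `gh api` call only sees the first page of releases; requiring exactly one match (`length == 1`) makes the step fail closed instead of attaching signed bundles to the wrong draft.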
+++ b/.github/workflows/release.yml
@@ -108,23 +108,24 @@ jobs:
 - name: Sign artifacts with Sigstore
 run: |
- for artifact in \
- "${{ steps.binaries.outputs.darwin }}" \
- "${{ steps.binaries.outputs.win_amd64 }}" \
- "${{ steps.binaries.outputs.win_arm64 }}" \
- stepsecurity-dev-machine-guard.sh; do
- cosign sign-blob "$artifact" --bundle "${artifact}.bundle" --yes
- done
+ cosign sign-blob "${{ steps.binaries.outputs.darwin }}" \
+ --bundle dist/stepsecurity-dev-machine-guard-darwin_unnotarized.bundle --yes
+ cosign sign-blob "${{ steps.binaries.outputs.win_amd64 }}" \
+ --bundle dist/stepsecurity-dev-machine-guard-windows_amd64.exe.bundle --yes
+ cosign sign-blob "${{ steps.binaries.outputs.win_arm64 }}" \
+ --bundle dist/stepsecurity-dev-machine-guard-windows_arm64.exe.bundle --yes
+ cosign sign-blob stepsecurity-dev-machine-guard.sh \
+ --bundle dist/stepsecurity-dev-machine-guard.sh.bundle --yes
+
 - name: Upload cosign bundles
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 gh release upload "${{ steps.release.outputs.tag }}" \
- "${{ steps.binaries.outputs.darwin }}.bundle" \
- "${{ steps.binaries.outputs.win_amd64 }}.bundle" \
- "${{ steps.binaries.outputs.win_arm64 }}.bundle" \
- stepsecurity-dev-machine-guard.sh.bundle \
+ dist/stepsecurity-dev-machine-guard-darwin_unnotarized.bundle \
+ dist/stepsecurity-dev-machine-guard-windows_amd64.exe.bundle \
+ dist/stepsecurity-dev-machine-guard-windows_arm64.exe.bundle \
+ dist/stepsecurity-dev-machine-guard.sh.bundle \
 --clobber
 - name: Attest build provenance
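Review bot: The hard-coded `--bundle` names on the new sign lines no longer correspond to the files actually signed: patch 1 of this series changed the lookup to `-name '*.exe' -path '*windows_amd64*'` precisely because the Windows binary is not named `*windows_amd64.exe`, yet its bundle is published as `stepsecurity-dev-machine-guard-windows_amd64.exe.bundle`, and the darwin name likewise assumes the discovered file is called `stepsecurity-dev-machine-guard-darwin_unnotarized`. A consumer running `cosign verify-blob` must pair each release asset with its bundle by name, so a bundle whose name does not match any asset is either tried against the wrong file or ignored, which defeats the purpose of publishing the signatures. Deriving the bundle name from the artifact keeps the pair coupled while still collecting every bundle under `dist/`; the upload step, which starts inside this hunk, can then list the same derived paths.

```yaml
      - name: Sign artifacts with Sigstore
        run: |
          for artifact in \
            "${{ steps.binaries.outputs.darwin }}" \
            "${{ steps.binaries.outputs.win_amd64 }}" \
            "${{ steps.binaries.outputs.win_arm64 }}" \
            stepsecurity-dev-machine-guard.sh; do
            cosign sign-blob "$artifact" --bundle "dist/$(basename "$artifact").bundle" --yes
          done
      # … unchanged: Upload cosign bundles step, listing the same dist/<basename>.bundle paths …
```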