undo: fix release

Author: shubham-stepsecurity

.github/workflows/release.yml

@@ -69,30 +69,52 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
-      - name: Sign artifacts with Sigstore (keyless)
+      - name: Locate built binaries
+        id: binaries
         run: |
-          # Sign Go binaries
-          for bin in dist/stepsecurity-dev-machine-guard_darwin_*/stepsecurity-dev-machine-guard; do
-            cosign sign-blob "$bin" --bundle "${bin}.bundle" --yes
+          # GoReleaser with format:binary creates flat release files in dist/
+          AMD64="dist/stepsecurity-dev-machine-guard_darwin_amd64"
+          ARM64="dist/stepsecurity-dev-machine-guard_darwin_arm64"
+
+          # Verify they exist
+          for f in "$AMD64" "$ARM64"; do
+            if [ ! -f "$f" ]; then
+              echo "::error::Expected binary not found: $f"
+              echo "dist/ contents:"
+              ls -la dist/
+              exit 1
+            fi
           done
-          # Sign shell script
+
+          echo "amd64=${AMD64}" >> "$GITHUB_OUTPUT"
+          echo "arm64=${ARM64}" >> "$GITHUB_OUTPUT"
+          echo "Found amd64: ${AMD64} ($(stat --printf='%s' "$AMD64") bytes)"
+          echo "Found arm64: ${ARM64} ($(stat --printf='%s' "$ARM64") bytes)"
+
+      - name: Sign artifacts with Sigstore (keyless)
+        run: |
+          cosign sign-blob "${{ steps.binaries.outputs.amd64 }}" \
+            --bundle dist/stepsecurity-dev-machine-guard_darwin_amd64.bundle --yes
+          cosign sign-blob "${{ steps.binaries.outputs.arm64 }}" \
+            --bundle dist/stepsecurity-dev-machine-guard_darwin_arm64.bundle --yes
           cosign sign-blob stepsecurity-dev-machine-guard.sh \
-            --bundle stepsecurity-dev-machine-guard.sh.bundle --yes
+            --bundle dist/stepsecurity-dev-machine-guard.sh.bundle --yes
 
       - name: Generate checksums
         run: |
-          cd dist
-          sha256sum stepsecurity-dev-machine-guard_darwin_*/stepsecurity-dev-machine-guard >> stepsecurity-dev-machine-guard_${{ steps.version.outputs.version }}_SHA256SUMS
-          cd ..
-          sha256sum stepsecurity-dev-machine-guard.sh >> dist/stepsecurity-dev-machine-guard_${{ steps.version.outputs.version }}_SHA256SUMS
+          SUMS="dist/stepsecurity-dev-machine-guard_${{ steps.version.outputs.version }}_SHA256SUMS"
+          sha256sum "${{ steps.binaries.outputs.amd64 }}" >> "$SUMS"
+          sha256sum "${{ steps.binaries.outputs.arm64 }}" >> "$SUMS"
+          sha256sum stepsecurity-dev-machine-guard.sh >> "$SUMS"
 
       - name: Upload signature bundles and checksums to release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           gh release upload "${{ steps.version.outputs.tag }}" \
-            dist/stepsecurity-dev-machine-guard_darwin_*/stepsecurity-dev-machine-guard.bundle \
-            stepsecurity-dev-machine-guard.sh.bundle \
+            dist/stepsecurity-dev-machine-guard_darwin_amd64.bundle \
+            dist/stepsecurity-dev-machine-guard_darwin_arm64.bundle \
+            dist/stepsecurity-dev-machine-guard.sh.bundle \
             dist/stepsecurity-dev-machine-guard_${{ steps.version.outputs.version }}_SHA256SUMS \
             --clobber
 
@@ -109,6 +131,6 @@ jobs:
         uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
           subject-path: |
-            dist/stepsecurity-dev-machine-guard_darwin_amd64_v1/stepsecurity-dev-machine-guard
-            dist/stepsecurity-dev-machine-guard_darwin_arm64_v1/stepsecurity-dev-machine-guard
+            dist/stepsecurity-dev-machine-guard_darwin_amd64
+            dist/stepsecurity-dev-machine-guard_darwin_arm64
             stepsecurity-dev-machine-guard.sh