Add SBOM release metadata #4
Codecov Report: ✅ All modified and coverable lines are covered by tests.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 064e032ad7
| marketplace_doc="$(find release-assets -type f -name 'MARKETPLACE_SUBMISSION.md' | sort | head -n 1)" | ||
| checksum_files=("${files[@]}") | ||
| checksum_files=("${files[@]}" "$sbom_file") |
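Review bot: `checksum_files=("${files[@]}" "$sbom_file")` appends `$sbom_file` unconditionally, so if the lookup that populates it comes back empty (as the `find ... | sort | head -n 1` pattern used for `marketplace_doc` does when no file matches), the array gains an empty element and the checksum step fails with an unhelpful sha256sum error rather than a clear message. Guard both variables before use, e.g. `[ -n "$sbom_file" ] || { echo "SBOM not found" >&2; exit 1; }`, and do the same for `marketplace_doc`.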
Write checksums for published asset names
For users who download the GitHub release assets into a normal directory and follow the newly documented sha256sum -c SHA256SUMS.txt, this adds the SBOM to the checksum file under its runner path (release-assets/MarkdownTableEditorIdea-...-sbom.cdx.json), while gh release upload publishes it as just the basename. sha256sum --help confirms --check reads the filenames from the checksum file, so the SBOM verification entry will fail unless the user recreates the CI directory layout; write checksums from the asset upload directory or strip the release-assets/ prefix before publishing.
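One way to reproduce and fix the path-prefix problem raised in the comment above, as an added example that is not the PR's workflow code: the asset names and the layout under release-assets/ are constructed, and it assumes GNU coreutils sha256sum.

```shell
#!/usr/bin/env bash
# Added example (not the PR's workflow): why SHA256SUMS.txt entries must carry
# the published asset names, not the CI path prefix, and one way to write them.
set -euo pipefail

# Constructed stand-in for the runner layout: assets live under release-assets/
make_fixture() {
  local work
  work="$(mktemp -d)"
  mkdir -p "$work/release-assets"
  printf 'plugin bytes\n' > "$work/release-assets/plugin.zip"
  printf '{"bomFormat":"CycloneDX"}\n' > "$work/release-assets/plugin-sbom.cdx.json"
  echo "$work"
}

# The pattern under review: hashing paths as seen from the runner's working
# directory records "release-assets/<name>" in the checksum file.
write_checksums_with_prefix() {
  ( cd "$1" && sha256sum release-assets/* > SHA256SUMS.txt )
}

# Fix: hash from inside the upload directory so each entry carries only the
# basename, which is what gh release upload publishes and what a downloader has.
write_checksums_basename() {
  ( cd "$1/release-assets" && sha256sum -- * > ../SHA256SUMS.txt )
}

# Simulate a user who downloaded every asset plus SHA256SUMS.txt into one flat
# directory and runs the documented `sha256sum -c SHA256SUMS.txt`; prints ok/fail.
verify_as_downloader() {
  local dl
  dl="$(mktemp -d)"
  cp "$1"/release-assets/* "$1/SHA256SUMS.txt" "$dl/"
  if ( cd "$dl" && sha256sum -c --quiet SHA256SUMS.txt >/dev/null 2>&1 ); then
    echo ok
  else
    echo fail
  fi
}

demo() {
  local work
  work="$(make_fixture)"
  write_checksums_with_prefix "$work"
  echo "prefixed entries: $(verify_as_downloader "$work")"   # fail
  write_checksums_basename "$work"
  echo "basename entries: $(verify_as_downloader "$work")"   # ok
}
demo
```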
Summary
Validation
git diff --check