undo: fix release

Author: shubham-stepsecurity

.github/workflows/release.yml

@@ -69,30 +69,53 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
-      - name: Sign artifacts with Sigstore (keyless)
+      - name: Locate built binaries
+        id: binaries
         run: |
-          # Sign Go binaries
-          for bin in dist/stepsecurity-dev-machine-guard_darwin_*/stepsecurity-dev-machine-guard; do
-            cosign sign-blob "$bin" --bundle "${bin}.bundle" --yes
+          # GoReleaser keeps binaries in build subdirs (e.g. _amd64_v1, _arm64_v8.0)
+          AMD64=$(find dist -type f -name 'stepsecurity-dev-machine-guard' -path '*darwin_amd64*' | head -1)
+          ARM64=$(find dist -type f -name 'stepsecurity-dev-machine-guard' -path '*darwin_arm64*' | head -1)
+
+          for label in "amd64:${AMD64}" "arm64:${ARM64}"; do
+            name="${label%%:*}"
+            path="${label#*:}"
+            if [ -z "$path" ] || [ ! -f "$path" ]; then
+              echo "::error::Binary not found for ${name}"
+              echo "dist/ contents:"
+              find dist -type f
+              exit 1
+            fi
           done
-          # Sign shell script
+
+          echo "amd64=${AMD64}" >> "$GITHUB_OUTPUT"
+          echo "arm64=${ARM64}" >> "$GITHUB_OUTPUT"
+          echo "Found amd64: ${AMD64}"
+          echo "Found arm64: ${ARM64}"
+
+      - name: Sign artifacts with Sigstore (keyless)
+        run: |
+          cosign sign-blob "${{ steps.binaries.outputs.amd64 }}" \
+            --bundle dist/stepsecurity-dev-machine-guard_darwin_amd64.bundle --yes
+          cosign sign-blob "${{ steps.binaries.outputs.arm64 }}" \
+            --bundle dist/stepsecurity-dev-machine-guard_darwin_arm64.bundle --yes
           cosign sign-blob stepsecurity-dev-machine-guard.sh \
-            --bundle stepsecurity-dev-machine-guard.sh.bundle --yes
+            --bundle dist/stepsecurity-dev-machine-guard.sh.bundle --yes
 
       - name: Generate checksums
         run: |
-          cd dist
-          sha256sum stepsecurity-dev-machine-guard_darwin_*/stepsecurity-dev-machine-guard >> stepsecurity-dev-machine-guard_${{ steps.version.outputs.version }}_SHA256SUMS
-          cd ..
-          sha256sum stepsecurity-dev-machine-guard.sh >> dist/stepsecurity-dev-machine-guard_${{ steps.version.outputs.version }}_SHA256SUMS
+          SUMS="dist/stepsecurity-dev-machine-guard_${{ steps.version.outputs.version }}_SHA256SUMS"
+          sha256sum "${{ steps.binaries.outputs.amd64 }}" >> "$SUMS"
+          sha256sum "${{ steps.binaries.outputs.arm64 }}" >> "$SUMS"
+          sha256sum stepsecurity-dev-machine-guard.sh >> "$SUMS"
 
       - name: Upload signature bundles and checksums to release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           gh release upload "${{ steps.version.outputs.tag }}" \
-            dist/stepsecurity-dev-machine-guard_darwin_*/stepsecurity-dev-machine-guard.bundle \
-            stepsecurity-dev-machine-guard.sh.bundle \
+            dist/stepsecurity-dev-machine-guard_darwin_amd64.bundle \
+            dist/stepsecurity-dev-machine-guard_darwin_arm64.bundle \
+            dist/stepsecurity-dev-machine-guard.sh.bundle \
             dist/stepsecurity-dev-machine-guard_${{ steps.version.outputs.version }}_SHA256SUMS \
             --clobber
 
@@ -109,6 +132,6 @@ jobs:
         uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
           subject-path: |
-            dist/stepsecurity-dev-machine-guard_darwin_amd64_v1/stepsecurity-dev-machine-guard
-            dist/stepsecurity-dev-machine-guard_darwin_arm64_v1/stepsecurity-dev-machine-guard
+            ${{ steps.binaries.outputs.amd64 }}
+            ${{ steps.binaries.outputs.arm64 }}
             stepsecurity-dev-machine-guard.sh