diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9cf1000..af21408 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -438,7 +438,13 @@ jobs:
         run: |
           set -euo pipefail
           cd assets
-          echo "hashes=$(sha256sum -- * | base64 -w0)" >> "$GITHUB_OUTPUT"
+          shopt -s nullglob
+          files=( * )
+          if [ ${#files[@]} -eq 0 ]; then
+            echo "Error: no release assets found to hash in $(pwd)" >&2
+            exit 1
+          fi
+          echo "hashes=$(sha256sum -- "${files[@]}" | base64 -w0)" >> "$GITHUB_OUTPUT"
 
   provenance:
     name: Generate SLSA provenance
diff --git a/crates/kingfisher-rules/data/rules/etsy.yml b/crates/kingfisher-rules/data/rules/etsy.yml
index 7b89bca..b617efd 100644
--- a/crates/kingfisher-rules/data/rules/etsy.yml
+++ b/crates/kingfisher-rules/data/rules/etsy.yml
@@ -41,7 +41,7 @@ rules:
           method: GET
           url: https://api.etsy.com/v3/application/openapi-ping
           headers:
-            x-api-key: '{{ TOKEN }}'
+            x-api-key: '{{ TOKEN | split: ":" | first }}'
             Accept: application/json
           response_matcher:
             - report_response: true