fixed github actions

2026-03-29 12:32:14 -07:00 · 2026-03-29 12:32:14 -07:00 · ac2198e3bd
commit ac2198e3bd
parent 482a60bb9d
4 changed files with 10 additions and 5 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -427,7 +427,11 @@ jobs:
          mkdir -p assets
          gh release download "${TAG_NAME}" \
            --repo "${{ github.repository }}" \
-            --dir assets
+            --dir assets \
+            --pattern '*.tgz' \
+            --pattern '*.deb' \
+            --pattern '*.rpm' \
+            --pattern '*.zip'

      - name: Compute SHA256 hashes
        id: hash
--- a/README.md
+++ b/README.md
@ -315,7 +315,7 @@ Each GitHub release includes a `multiple.intoto.jsonl` provenance file. Verify a
 go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@latest

 # Download the artifact and provenance from the release
-gh release download v1.91.0 --repo mongodb/kingfisher \
+gh release download <version> --repo mongodb/kingfisher \
  --pattern 'kingfisher-linux-x64.tgz' \
  --pattern 'multiple.intoto.jsonl'

@ -330,7 +330,7 @@ slsa-verifier verify-artifact kingfisher-linux-x64.tgz \
 Release artifacts also have GitHub build attestations, verifiable with the GitHub CLI:

 ```bash
-gh release download v1.91.0 --repo mongodb/kingfisher \
+gh release download <version> --repo mongodb/kingfisher \
  --pattern 'kingfisher-linux-x64.tgz'

 gh attestation verify kingfisher-linux-x64.tgz --repo mongodb/kingfisher
--- a/crates/kingfisher-rules/data/rules/azure-notification-hub.yml
+++ b/crates/kingfisher-rules/data/rules/azure-notification-hub.yml
@ -149,7 +149,8 @@ rules:
              {%- assign se = "" | unix_timestamp | plus: 300 -%}
              {%- capture to_sign -%}{{ uri | url_encode }}
              {{ se }}{%- endcapture -%}
-              {%- capture auth -%}SharedAccessSignature sr={{ uri | url_encode }}&sig={{ to_sign | hmac_sha256: TOKEN | url_encode }}&se={{ se }}&skn={{ NH_KEY_NAME | url_encode }}{%- endcapture -%}
+              {%- assign key_bytes = TOKEN | b64dec -%}
+              {%- capture auth -%}SharedAccessSignature sr={{ uri | url_encode }}&sig={{ to_sign | hmac_sha256: key_bytes | url_encode }}&se={{ se }}&skn={{ NH_KEY_NAME | url_encode }}{%- endcapture -%}
              {{ auth | strip_newlines }}
          response_matcher:
            - report_response: true
--- a/crates/kingfisher-rules/data/rules/fullstory.yml
+++ b/crates/kingfisher-rules/data/rules/fullstory.yml
@ -32,7 +32,7 @@ rules:
          method: GET
          url: https://api.fullstory.com/me
          headers:
-            Authorization: Basic {{ TOKEN }}
+            Authorization: Basic {{ TOKEN | append: ':' | b64enc }}
            Accept: application/json
          response_matcher:
            - report_response: true