Description
The actions/attest step in release-stable.yml fails with "SBOM file not found" during the dependency SBOM attestation step.
Root Cause
The dependency SBOM is downloaded by actions/download-artifact into ./dist alongside VSIX files, but the attestation step expects the SBOM at ./sbom/dependency-sbom.spdx.json. The sbom-diff job's download also collides with the main dist directory.
Expected Behavior
Dependency SBOM should be downloaded to an isolated ./sbom directory, and attestation should reference the correct path.
Observed Behavior
Attestation step fails because ./sbom/dependency-sbom.spdx.json does not exist — the file was downloaded to ./dist instead.
Reproduction
Run the stable release workflow (release-stable.yml) end-to-end. The attestation step in the publish-github-release job fails.
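As an added illustration (not the actual contents of release-stable.yml), the shape of the download step that causes the collision, followed by the corrected layout with a guard before attestation. The artifact names, the VSIX glob, the action versions and the sbom-diff path are assumptions; the `path` input of actions/download-artifact and the `subject-path`, `predicate-type` and `predicate-path` inputs of actions/attest are the actions' real inputs.

```yaml
# Before (hypothetical reconstruction of the failing job): both artifacts are
# unpacked into ./dist, so ./sbom/dependency-sbom.spdx.json never exists.
- uses: actions/download-artifact@v4
  with:
    name: vsix              # assumed artifact name
    path: ./dist
- uses: actions/download-artifact@v4
  with:
    name: dependency-sbom   # assumed artifact name
    path: ./dist            # wrong: lands beside the VSIX files

# After: the SBOM gets its own directory, its presence is checked, and the
# attestation step references that path.
- uses: actions/download-artifact@v4
  with:
    name: vsix
    path: ./dist
- uses: actions/download-artifact@v4
  with:
    name: dependency-sbom
    path: ./sbom
- name: Verify dependency SBOM is where attestation expects it
  run: test -f ./sbom/dependency-sbom.spdx.json
- uses: actions/attest@v1
  with:
    subject-path: ./dist/*.vsix           # assumed subject glob
    predicate-type: https://spdx.dev/Document
    predicate-path: ./sbom/dependency-sbom.spdx.json

# The sbom-diff job should likewise download the previous SBOM into its own
# directory (assumed name) rather than ./dist:
- uses: actions/download-artifact@v4
  with:
    name: dependency-sbom
    path: ./sbom-diff/current
```

The `test -f` guard fails the job with an explicit message about the path instead of letting the attestation step discover the missing file, which makes a future regression of this layout obvious in the log.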