From e059f0ff5943103bbbfe9cdb864db72c46bf39ec Mon Sep 17 00:00:00 2001
From: Kenneth Bingham <kenneth.bingham@netfoundry.io>
Date: Mon, 24 Feb 2025 14:26:37 -0500
Subject: [PATCH 1/2] add an attestations subject checksums file

---
 .github/workflows/release.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2bc6e522..0531ebc9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -292,17 +292,23 @@ jobs:
           merge-multiple: true
           pattern: release-builds-*
 
-      - name: Create Checksums File
+      - name: Create Checksum Files
         shell: bash
         run: |
+
           ls -lAR ./automated-release-build/
+
+          # create checksum file for the attestations
+          shasum --algorithm 256 ./automated-release-build/* | tee ./attestation-subject-checksums.sha256.txt
+
+          # create checksum file for the release
           cd ./automated-release-build/
           shasum --algorithm 256 ./* | tee ./checksums.sha256.txt
 
       - name: Attest Build Provenance
         uses: actions/attest-build-provenance@v2
         with:
-          subject-checksums: ./checksums.sha256.txt
+          subject-checksums: ./attestation-subject-checksums.sha256.txt
 
       - name: Draft Release
         uses: goreleaser/goreleaser-action@v6

From d56d6c222e969921b6d2d4d3c188080e5a3a8880 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham <kenneth.bingham@netfoundry.io>
Date: Mon, 24 Feb 2025 14:45:46 -0500
Subject: [PATCH 2/2] place attestations subject checksums file outside git wc

---
 .github/workflows/release.yml | 4 ++--
 .gitignore                    | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0531ebc9..63b37405 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -299,7 +299,7 @@ jobs:
           ls -lAR ./automated-release-build/
 
           # create checksum file for the attestations
-          shasum --algorithm 256 ./automated-release-build/* | tee ./attestation-subject-checksums.sha256.txt
+          shasum --algorithm 256 ./automated-release-build/* | tee ./dist/attestation-subject-checksums.sha256.txt
 
           # create checksum file for the release
           cd ./automated-release-build/
@@ -308,7 +308,7 @@ jobs:
       - name: Attest Build Provenance
         uses: actions/attest-build-provenance@v2
         with:
-          subject-checksums: ./attestation-subject-checksums.sha256.txt
+          subject-checksums: ./dist/attestation-subject-checksums.sha256.txt
 
       - name: Draft Release
         uses: goreleaser/goreleaser-action@v6
diff --git a/.gitignore b/.gitignore
index a830fe64..4566b841 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,7 @@
 .idea
 .vscode
 *.db
-automated-release-build
+/automated-release-build/
 etc/dev.yml
 etc/dev-frontend.yml
 
@@ -10,7 +10,7 @@ etc/dev-frontend.yml
 node_modules/
 
 # Artifacts
-dist/
+/dist/
 
 # Generated files
 .docusaurus