
Attach NuGet packages and SBOM to GitHub Release #4637

Merged: jbogard merged 1 commit into main from release-attach-assets
May 16, 2026

@jbogard jbogard commented May 15, 2026

Summary

  • Grants contents: write to the Release workflow so it can attach assets to the release the maintainer creates in the UI.
  • Adds an "Attach assets to GitHub Release" step in the build-windows job that uses the preinstalled gh CLI to upload the signed *.nupkg, *.snupkg, and SBOM (manifest.spdx.json + .sha256) to the release for the pushed tag. Runs after Push to NuGet, uses --clobber so re-runs of the same tag refresh assets instead of failing.

Test plan

No safe pre-merge rehearsal: the workflow triggers on any *.*.* tag and the new step runs after Push to MyGet/NuGet, so a throwaway tag like 99.0.0-test1 would publish a real package to NuGet.org (which only allows unlisting, not deletion within 72 hours).

Verification happens on the next real release:

  • After the next release, confirm the "Attach assets to GitHub Release" step succeeds.
  • Confirm four assets land on the release page: AutoMapper.<ver>.nupkg, AutoMapper.<ver>.snupkg, manifest.spdx.json, manifest.spdx.json.sha256.

If the new step fails, the packages are already on the public feeds; re-run the job (idempotent via --clobber) or run gh release upload <tag> <files> --clobber locally as a fallback.

🤖 Generated with Claude Code
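
The asset check in the test plan above can be scripted against a directory of downloaded release assets (for example from `gh release download <tag> --dir <dir>`). This is an added example, not part of the pull request or the AutoMapper repository; `verify_release_assets` and `sha256_of` are hypothetical helper names, and it assumes the `.sha256` file starts with the hex digest, which the PR does not specify.

```bash
#!/usr/bin/env bash
# Added example; not taken from the pull request or the AutoMapper repository.
# Assumption: manifest.spdx.json.sha256 starts with the hex SHA-256 digest
# (the PR does not state the file's format).

sha256_of() {  # print the hex SHA-256 of file $1 with whichever tool exists
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_release_assets() {  # $1 = asset directory, $2 = package version
  local dir="$1" ver="$2" f missing=0 expected actual
  # The four assets the test plan expects on the release page.
  for f in "AutoMapper.$ver.nupkg" "AutoMapper.$ver.snupkg" \
           manifest.spdx.json manifest.spdx.json.sha256; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty asset: $f" >&2
      missing=1
    fi
  done
  [ "$missing" -eq 0 ] || return 1

  # Assets come from the build-windows job: tolerate CRLF and uppercase hex.
  expected=$(tr -d '\r' < "$dir/manifest.spdx.json.sha256" |
    awk 'NR == 1 { print tolower($1) }')
  case "$expected" in *[!0-9a-f]*) expected="" ;; esac
  if [ "${#expected}" -ne 64 ]; then
    echo "digest file does not start with a SHA-256 hex digest" >&2
    return 2
  fi
  actual=$(sha256_of "$dir/manifest.spdx.json")
  if [ "$expected" != "$actual" ]; then
    echo "SBOM digest mismatch: expected $expected, got $actual" >&2
    return 3
  fi
  echo "ok: four assets present, SBOM digest matches"
}

# Usage: ./verify-assets.sh <dir> <version>
if [ "$#" -eq 2 ]; then
  verify_release_assets "$1" "$2"
fi
```

A matching digest only shows that the SBOM agrees with the digest published beside it; it does not authenticate either file.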

Grant contents: write so the Release workflow can attach assets to the
release the maintainer creates in the UI. Add a step that uses the
preinstalled gh CLI to upload the signed *.nupkg, *.snupkg, and the SBOM
(manifest.spdx.json + .sha256) to the release for the pushed tag, with
--clobber so re-runs of the same tag refresh assets instead of failing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Copilot AI left a comment

Pull request overview

Extends the Release workflow so that, after publishing to NuGet, the signed packages and the generated SBOM are uploaded as assets to the GitHub Release that the maintainer created for the pushed tag.

Changes:

  • Elevates the workflow's contents permission from read to write so the workflow can attach release assets.
  • Adds a new "Attach assets to GitHub Release" step in build-windows that uses gh release upload with --clobber to push *.nupkg, *.snupkg, and the SPDX SBOM (manifest.spdx.json and its .sha256) to the release for the current tag.

@jbogard jbogard merged commit b57c206 into main May 16, 2026
12 checks passed
@jbogard jbogard deleted the release-attach-assets branch May 16, 2026 14:38