chore: update upload/download GH actions + update signing step - BED-8167 #195

Merged: StranDutton merged 1 commit into main from BED-8167-upgrade-artifact-actions on May 13, 2026
@StranDutton StranDutton commented May 12, 2026

Summary: This PR brings two actions (upload-artifact & download-artifact) back to the latest versions and adjusts the publish workflow / sign step so it works correctly with the new behavior.

Resolves BED-8167

Summary by CodeRabbit

  • Chores
    • Updated CI/CD artifact upload and download actions to newer releases for improved reliability.
    • Made artifact handling more specific (name-based paths) to ensure correct files are used during signing and publishing.


@StranDutton StranDutton self-assigned this May 12, 2026
@StranDutton StranDutton added the dependencies Pull requests that update a dependency file label May 12, 2026
coderabbitai Bot commented May 12, 2026

Walkthrough

Bump artifact action pins in build and publish workflows; publish's sign job now downloads a named artifact into unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }} instead of a pattern-based unsigned/.

Changes

GitHub Actions Dependency Updates

| Layer / File(s) | Summary |
|---|---|
| Build: OCI tar upload action pin (.github/workflows/build.yml) | actions/upload-artifact pin updated to v7.0.1 for the "Upload OCI tarball" step. |
| Publish: upload pin and sign-job download path (.github/workflows/publish.yml) | In build job, actions/upload-artifact bumped to v7.0.1. In sign job, actions/download-artifact bumped to v8.0.1 and download changed from pattern-based output to name-based download into unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through YAML with a careful paw,
Pins nudged forward without a flaw.
Artifacts landed in tidy bins,
Names now guide where each one spins.
CI hums on — small, contented awe.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically summarizes the main changes: updating GitHub Actions for artifact upload/download and the signing step, with a specific issue reference (BED-8167). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Around line 94-98: The workflow currently manually extracts artifacts in the
"Extract downloaded artifact" step (the unzip and rm commands) which conflicts
with download-artifact@v8.0.1's automatic decompression; either remove this
manual extraction step entirely and rely on download-artifact v8
auto-extraction, or modify the download-artifact invocation to include
skip-decompress: true so that the manual unzip (unzip -o *.zip) remains
valid—update the publish.yml workflow accordingly to use one of these two
approaches consistently.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a205f9dd-90e4-4939-a0ea-ee030b1fe27d

📥 Commits

Reviewing files that changed from the base of the PR and between 7a00010 and ea70562.

📒 Files selected for processing (2)
  • .github/workflows/build.yml
  • .github/workflows/publish.yml

Comment thread .github/workflows/publish.yml Outdated
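
The two consistent options named in the review comment above, sketched as an added workflow fragment. This is not the repository's publish.yml: job ids, step names, matrix values, the artifact name and the guard step are assumptions; the action pin, the download path and the `skip-decompress` input are taken from the comment.

```yaml
# Added illustration, not the repository's publish.yml. Keep only ONE of the
# two jobs; mixing auto-extraction with a manual unzip is the conflict flagged.
jobs:
  # Option A: rely on download-artifact's own extraction, no unzip step.
  sign-auto-extract:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        os: [linux, windows]   # constructed values
        arch: [amd64, arm64]   # constructed values
    steps:
      - name: Download one named artifact
        uses: actions/download-artifact@v8.0.1
        with:
          name: azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}  # assumed name
          path: unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
      - name: Refuse to sign an empty or still-zipped directory  # assumed guard
        shell: bash
        env:
          DIR: unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
        run: |
          set -euo pipefail
          shopt -s nullglob
          files=("$DIR"/*)
          zips=("$DIR"/*.zip)
          [ "${#files[@]}" -gt 0 ] || { echo "nothing to sign in $DIR"; exit 1; }
          [ "${#zips[@]}" -eq 0 ] || { echo "unexpected archive in $DIR"; exit 1; }

  # Option B: keep the manual extraction and switch auto-extraction off.
  sign-manual-extract:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        os: [linux, windows]   # constructed values
        arch: [amd64, arm64]   # constructed values
    steps:
      - name: Download one named artifact, still zipped
        uses: actions/download-artifact@v8.0.1
        with:
          name: azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}  # assumed name
          path: unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
          skip-decompress: true   # input as named in the review comment
      - name: Extract downloaded artifact
        working-directory: unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
        run: |
          unzip -o *.zip
          rm -f *.zip   # assumed target of the rm mentioned in the comment
```

In both variants the sign step only ever sees the one directory belonging to its own matrix cell, which is what the name-based download is for.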
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Around line 7-9: Remove the temporary pull_request trigger block (the
top-level pull_request: ... section added as a test) and revert any PR-only
conditional skips that were added (the conditionals or steps gating behavior on
github.event_name == 'pull_request' or labeled as PR-only skips) so the workflow
returns to its original release triggers and behavior; locate the pull_request
key and any occurrences of PR-only skip logic and delete or restore them to the
pre-test state.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 647bc78c-dcbb-4c38-b2ae-e5392e5cce2e

📥 Commits

Reviewing files that changed from the base of the PR and between ea70562 and 31a1821.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml

Comment thread .github/workflows/publish.yml Outdated
@StranDutton StranDutton force-pushed the BED-8167-upgrade-artifact-actions branch from 90dbc9d to a71a236 Compare May 12, 2026 22:34
@StranDutton (Contributor, Author)

Tested locally by temporarily allowing the sign job to run in the PR, reverted after successful test. Here is the link to the run: chore: update upload/download GH actions + update signing step - BED-8167 · SpecterOps/AzureHound@90dbc9d

@StranDutton (Contributor, Author)

@coderabbitai full review

coderabbitai Bot commented May 12, 2026

✅ Actions performed

Full review triggered.

@StranDutton StranDutton merged commit a161a8a into main May 13, 2026
10 checks passed
@github-actions github-actions Bot locked and limited conversation to collaborators May 13, 2026