From 01c4625f515443442c23dd5d24f274c88c13fa93 Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Wed, 8 Oct 2025 10:03:41 -0700
Subject: [PATCH 1/2] fix(provenance): reduce error prone provenance subject generation
---
 .github/workflows/build.yml | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 58054de2..7f34d565 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -149,7 +149,17 @@ jobs:
 - name: Sign
 shell: bash
+ id: sign
 run: |
+ trivalent_rpm_file=$(ls | grep -E '^trivalent-[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+-[0-9]+\.x86_64\.rpm$')
+ if [[ -z "$trivalent_rpm_file" ]]; then
+ echo "Trivalent RPM not found"
+ exit 1
+ fi
+
+ rpm_hash=$(sha256sum "${trivalent_rpm_file}" | base64 -w0)
+ echo "hashes=${rpm_hash}" >> "$GITHUB_OUTPUT"
+
 rpm --addsign *.rpm
 reposync --repo secureblue -y
 mv *.rpm secureblue/Packages
@@ -157,15 +167,6 @@ jobs:
 rm -rf repodata
 createrepo .
 gpg --detach-sign --local-user 26B4463ED8F313BC7E3FBDF9D9223AF0F47B3E41 --armor repodata/repomd.xml
- - name: Generate subject
- id: hash
- run: |
- set -euo pipefail
- trivalent_rpm_file=$(find ./secureblue -name "trivalent-*.rpm" ! -name "trivalent-qt6-ui-*.rpm")
- hashes=$(sha256sum "${trivalent_rpm_file}" | base64 -w0)
- echo "hashes=${hashes}" >> "$GITHUB_OUTPUT"
 - name: Upload RPM and logs to R2 to trivalent Bucket
 shell: bash
From 5474fca750ed389fc7b910145e4f0d594924fba5 Mon Sep 17 00:00:00 2001
From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com>
Date: Wed, 8 Oct 2025 10:07:53 -0700
Subject: [PATCH 2/2] Update build.yml
---
 .github/workflows/build.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7f34d565..2beaa3c2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
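Review bot: The provenance subject is now computed before `rpm --addsign *.rpm` touches the same file, so the sha256 written to the `hashes` output is that of the unsigned RPM, while the file later moved into secureblue/Packages and published is the signed one, whose bytes (and therefore digest) differ once the signature header is embedded; the removed Generate subject step hashed the package after signing and did not have this mismatch. Move `rpm_hash=$(sha256sum "${trivalent_rpm_file}" | base64 -w0)` and the `echo "hashes=${rpm_hash}" >> "$GITHUB_OUTPUT"` line below `rpm --addsign *.rpm` so the attested digest matches the artifact consumers verify. The `ls | grep` selection also returns every matching file when more than one trivalent RPM is in the working directory, which would feed several paths into sha256sum and produce a multi-line subject, and under the `shell: bash` default of `-e -o pipefail` an empty grep result presumably aborts the step at the assignment before the "Trivalent RPM not found" message is ever printed, so a line-count guard such as `[[ $(wc -l <<<"$trivalent_rpm_file") -eq 1 ]] || exit 1` would make the single-subject assumption explicit. The step's `run:` body continues past the end of the hunk, and the producing step id changes from `hash` to `sign`, so any `steps.hash.outputs.hashes` reference in the provenance job (not visible here) must be updated in the same change.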
@@ -149,7 +149,6 @@ jobs: - name: Sign shell: bash - id: sign run: | trivalent_rpm_file=$(ls | grep -E '^trivalent-[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+-[0-9]+\.x86_64\.rpm$') if [[ -z "$trivalent_rpm_file" ]]; then