From 6c4931000334fe7349a622ae9005613953c97cc1 Mon Sep 17 00:00:00 2001
From: Gary Oberbrunner
Date: Tue, 26 Nov 2024 11:24:09 -0500
Subject: [PATCH] Fix Rocky asset upload: install gh

Signed-off-by: Gary Oberbrunner
---
 .github/workflows/build.yml | 10 +++++++---
 readme.md | 4 ++--
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 32de5185..797b7c6b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -245,9 +245,13 @@ jobs:
 uses: ConorMacBride/install-package@v1
 if: ${{ matrix.aswfdockerbuild == false }}
 with:
- apt: libgl-dev libgl1-mesa-dev gh
- brew: ''
- brew-cask: ''
+ apt: libgl-dev libgl1-mesa-dev
+
+ - name: Install gh cli if needed
+ uses: ConorMacBride/install-package@v1
+ if: ${{ matrix.aswfdockerbuild == true }}
+ with:
+ apt: gh

 - name: Setup MSVC
 if: startsWith(matrix.os, 'windows')
diff --git a/readme.md b/readme.md
index ea2ad209..0ae65485 100644
--- a/readme.md
+++ b/readme.md
@@ -64,7 +64,7 @@ See instructions in [Documentation/README.md](Documentation/README.md).

 # Releases

-Release bundles are named like `openfx--release-.zip` and `openfx-plugins--release-.zip`.
+Release bundles are named like `openfx--release-.tar.gz` and `openfx_plugins--release-.tar.gz`.

 The `openfx-*` bundles contain all the header files as well as the support libs. They look like this:
 ```
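Review bot: In `.github/workflows/build.yml`, the added `Install gh cli if needed` step references `ConorMacBride/install-package@v1` by a mutable tag, so a change to that tag upstream would run unreviewed code in a job that, per the commit subject, goes on to upload release assets. Pin both uses of the action in this hunk to a full commit SHA, for example `uses: ConorMacBride/install-package@<full-commit-sha>  # v1`. Separately, the new step passes `apt: gh` under `matrix.aswfdockerbuild == true`; if those container images are Rocky Linux, as the subject suggests, apt may not be available there, so confirm the step really installs gh rather than failing or doing nothing. The first step's `- name:` line, the job's `permissions` and the upload step are outside this hunk, so the token scope cannot be checked from here.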
@@ -86,7 +86,7 @@ The `openfx-plugins-*` bundles contain all the sample plugins for the OS. Copy t

 We use [`sigstore`](https://github.com/marketplace/actions/gh-action-sigstore-python) to sign our github releases. Release signatures are created using short-lived certificates, and audit trails are stored online using `rekor.sigstore.com`.

-To verify a release artifact (zip file), unpack the zip into a `.tgz` and its associated `.tgz.sigstore.json`, and then use [`cosign`](https://docs.sigstore.dev/cosign/system_config/installation/) to verify the signature like this:
+To verify a release artifact (`.tar.gz` file), download its associated `.tar.gz.sigstore.json`, and then use [`cosign`](https://docs.sigstore.dev/cosign/system_config/installation/) to verify the signature like this:
 ```
 cosign verify-blob \
 openfx-mac-release-x.y.tar.gz \