Post-release cleanup; add SBOM to CI artifacts

xenago · xenago · commit d9e5c4f2f7d8 · 2024-06-05T12:35:32.000-04:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -117,6 +117,7 @@ jobs:
           body_path: ${{github.workspace}}/changelog/CHANGELOG.txt
           fail_on_unmatched_files: true
           files: |
+            sbom.spdx.json
             target/debian/*_amd64.deb
             target/debian/*_arm64.deb
             target/generate-rpm/*.x86_64.rpm
diff --git a/README.md b/README.md
@@ -54,20 +54,20 @@ to be used with NSS.
 
    **AMD64 deb:**
     ```
-    curl -sLo libnss_shim.deb https://github.com/xenago/libnss_shim/releases/download/1.2.0/libnss_shim_1.2.0_amd64.deb
+    curl -sLo libnss_shim.deb https://github.com/xenago/libnss_shim/releases/download/1.2.1/libnss_shim_1.2.1-1_amd64.deb
     ```
    **AMD64 RPM:**
     ```
-    curl -sLo libnss_shim.rpm https://github.com/xenago/libnss_shim/releases/download/1.2.0/libnss_shim-1.2.0-1.x86_64.rpm
+    curl -sLo libnss_shim.rpm https://github.com/xenago/libnss_shim/releases/download/1.2.1/libnss_shim-1.2.1-1.x86_64.rpm
     ```
    **Full table:**
 
    | Architecture | Package | Link                                                                                                                               |
    |--------------|---------|------------------------------------------------------------------------------------------------------------------------------------|
-   | `amd64`      | `deb`   | [`libnss_shim_1.2.0_amd64.deb`](https://github.com/xenago/libnss_shim/releases/download/1.2.0/libnss_shim_1.2.0_amd64.deb)         |
-   | `amd64`      | `RPM`   | [`libnss_shim-1.2.0-1.x86_64.rpm`](https://github.com/xenago/libnss_shim/releases/download/1.2.0/libnss_shim-1.2.0-1.x86_64.rpm)   |
-   | `aarch64`    | `deb`   | [`libnss_shim_1.2.0_arm64.deb`](https://github.com/xenago/libnss_shim/releases/download/1.2.0/libnss_shim_1.2.0_arm64.deb)         |
-   | `aarch64`    | `RPM`   | [`libnss_shim-1.2.0-1.aarch64.rpm`](https://github.com/xenago/libnss_shim/releases/download/1.2.0/libnss_shim-1.2.0-1.aarch64.rpm) |
+   | `amd64`      | `deb`   | [`libnss_shim_1.2.1-1_amd64.deb`](https://github.com/xenago/libnss_shim/releases/download/1.2.1/libnss_shim_1.2.1-_amd64.deb)      |
+   | `amd64`      | `RPM`   | [`libnss_shim-1.2.1-1.x86_64.rpm`](https://github.com/xenago/libnss_shim/releases/download/1.2.1/libnss_shim-1.2.1-1.x86_64.rpm)   |
+   | `aarch64`    | `deb`   | [`libnss_shim_1.2.1-1_arm64.deb`](https://github.com/xenago/libnss_shim/releases/download/1.2.1/libnss_shim_1.2.1-1_arm64.deb)     |
+   | `aarch64`    | `RPM`   | [`libnss_shim-1.2.1-1.aarch64.rpm`](https://github.com/xenago/libnss_shim/releases/download/1.2.1/libnss_shim-1.2.1-1.aarch64.rpm) |
 
 3. Install or upgrade it directly with `dpkg` or `rpm`.
 
@@ -390,8 +390,6 @@ can be used (available for versions `>=1.2.1`). Example command:
 
     gh attestation verify /path/to/libnss_shim.deb -R xenago/libnss_shim
 
-SBOM artifacts are produced in CI for each build.
-
 Please report problems by creating GitHub Issues or [private advisories](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability).
 
 ## Development
diff --git a/changelog/CHANGELOG.txt b/changelog/CHANGELOG.txt
@@ -1,16 +1 @@
-- Adjust default permission of `config.json` to 644
-- Add note to README about script permissions for users (`group`/`passwd` OK public, `shadow` best private)
-- Add advanced example with scripts for each function and a Dockerfile
-- Migrate to a single configurable build script with CPU architecture detection
-- Explicitly set `contents` permission to `write` in CI
-- From this release onwards, deb packages will have a `-1` version suffix to match RPM
-- Bump `cargo-deb` to `2.2.0`
-- Bump ubuntu build container to `24.04`
-- Bump `actions/checkout` to `v4`
-- Bump `softprops/action-gh-release` to `v2`
-- Improve install documentation
-- Add package table to README
-- Document install test command from GIF in README
-- Link sections in README.md
-- Add reporting info to README.md
-- Reformat resources, add additional linked resources
+- Add SBOM to CI release files
diff --git a/changelog/CHANGELOG_1.2.1.txt b/changelog/CHANGELOG_1.2.1.txt
@@ -0,0 +1,16 @@
+- Adjust default permission of `config.json` to 644
+- Add note to README about script permissions for users (`group`/`passwd` OK public, `shadow` best private)
+- Add advanced example with scripts for each function and a Dockerfile
+- Migrate to a single configurable build script with CPU architecture detection
+- Explicitly set `contents` permission to `write` in CI
+- From this release onwards, deb packages will have a `-1` version suffix to match RPM
+- Bump `cargo-deb` to `2.2.0`
+- Bump ubuntu build container to `24.04`
+- Bump `actions/checkout` to `v4`
+- Bump `softprops/action-gh-release` to `v2`
+- Improve install documentation
+- Add package table to README
+- Document install test command from GIF in README
+- Link sections in README.md
+- Add reporting info to README.md
+- Reformat resources, add additional linked resources
