From e5e6a4f673d5b5311d71f021a45959d3193158bd Mon Sep 17 00:00:00 2001
From: Jimmy Bogard
Date: Fri, 15 May 2026 17:20:07 -0500
Subject: [PATCH] Attach NuGet packages and SBOM to GitHub Release

Grant contents: write so the Release workflow can attach assets to the release the maintainer creates in the UI. Add a step that uses the preinstalled gh CLI to upload the signed *.nupkg, *.snupkg, and the SBOM (manifest.spdx.json + .sha256) to the release for the pushed tag, with --clobber so re-runs of the same tag refresh assets instead of failing.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c89b36ba4a..1ad60755fd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,7 +5,7 @@ on:
 - "*.*.*"
 permissions:
 id-token: write
- contents: read
+ contents: write
 checks: write
 jobs:
 build:
@@ -91,6 +91,17 @@ jobs:
 NUGET_API_KEY: ${{ secrets.AUTOMAPPER_NUGET_API_KEY }}
 run: ./Push.ps1
 shell: pwsh
+ - name: Attach assets to GitHub Release
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ $assets = @()
+ $assets += Get-ChildItem ./artifacts -Filter *.nupkg | ForEach-Object { $_.FullName }
+ $assets += Get-ChildItem ./artifacts -Filter *.snupkg | ForEach-Object { $_.FullName }
+ $assets += './artifacts/_manifest/spdx_2.2/manifest.spdx.json'
+ $assets += './artifacts/_manifest/spdx_2.2/manifest.spdx.json.sha256'
+ gh release upload ${{ github.ref_name }} $assets --clobber
+ shell: pwsh
 - name: Artifacts
 uses: actions/upload-artifact@v4
 with:
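Review bot: `contents: write` is granted in the workflow-level `permissions:` block, so every job and step in this workflow gets a token that can modify repository contents and releases. That includes the build and test steps and any third-party actions, and it sits alongside `id-token: write`. Only the new upload step appears to need the write scope. Consider keeping `contents: read` here and moving the upload into a separate job that declares its own `permissions:` with `contents: write` and consumes the already-built artifacts. The rest of the `build` job lies outside this hunk, so what else runs with the token cannot be confirmed from here.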
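Review bot: `${{ github.ref_name }}` is expanded into the script text before PowerShell parses it, so in the `gh release upload` line the tag name is handled as code rather than data. The `"*.*.*"` tag filter does not restrict which characters a tag may contain. Pass the value through the environment instead: add `TAG: ${{ github.ref_name }}` under `env:` and call `gh release upload $env:TAG $assets --clobber`. Separately, `--clobber` lets a re-run silently replace assets that are already published, which weakens the value of the signed packages and the `.sha256` file for anyone who recorded them. A short comment on that line stating when replacing published assets is acceptable would help.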