From 89653a5b3e3fb048008fbadc4f76e6327406cb3e Mon Sep 17 00:00:00 2001
From: DSR!
Date: Tue, 20 May 2025 13:36:42 -0300
Subject: [PATCH] Add sign code
---
 .github/workflows/sign.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/sign.yml b/.github/workflows/sign.yml
index 37539e9..c858263 100644
--- a/.github/workflows/sign.yml
+++ b/.github/workflows/sign.yml
@@ -39,14 +39,14 @@ jobs:
 });
 return latest.data.tag_name;
- - name: Download release assets
- uses: repo-sync/download-release@v2
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- owner: ${{ github.repository_owner }}
- repo: ${{ github.repository }}
- tag: ${{ steps.tag.outputs.result }}
- pattern: '*.exe'
+ - name: Download release assets via GH CLI
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ gh release download ${{ steps.tag.outputs.result }} \
+ --repo ${{ github.repository }} \
+ --pattern '*.exe' \
+ --dir artifacts
 - name: Install cosign
 run: |
@@ -66,7 +66,7 @@ jobs:
 env:
 COSIGN_EXPERIMENTAL: '1'
 run: |
- for exe in *.exe; do
+ for exe in artifacts/*.exe; do
 ./cosign sign-blob \
 --identity-token "${{ steps.oidc.outputs.result }}" \
 "$exe"
@@ -74,7 +74,7 @@ jobs:
 - name: Verify signatures
 run: |
- for exe in *.exe; do
+ for exe in artifacts/*.exe; do
 ./cosign verify-blob \
 --certificate-identity "https://github.com/${{ github.repository }}" \
 "$exe" --signature "$exe.sig"
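Review bot: In the new `Download release assets via GH CLI` step, `${{ steps.tag.outputs.result }}` is expanded into the `run:` script before the shell parses it, so the release tag name is treated as shell text rather than data. Pass it through the step's `env:` instead: add `TAG: ${{ steps.tag.outputs.result }}` next to `GITHUB_TOKEN` and call `gh release download "$TAG" --repo "$GITHUB_REPOSITORY" --pattern '*.exe' --dir artifacts`. The step that produces the tag is only partly visible above the hunk; if it returns a JSON-encoded string, the value will carry literal quotes once it is no longer pasted into the script, so confirm its output encoding when making this change. The same inline expansion appears in the sign step's `--identity-token "${{ steps.oidc.outputs.result }}"` in the second hunk, and it would benefit from the same `env:` treatment.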
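Review bot: In the sign loop (second hunk, `for exe in artifacts/*.exe; do`), `./cosign sign-blob` is given only `--identity-token` and the file, and the visible command ends at `"$exe"`, so nothing shown here writes the `artifacts/<name>.exe.sig` file that the verify step reads. Adding `--output-signature "$exe.sig"` (and `--output-certificate "$exe.pem"` if verifiers are meant to receive the certificate) would make the two steps agree. The rest of the loop body and the start of the step are outside the hunk, so confirm the signature is not persisted some other way before changing it.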
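Review bot: In the verify loop (third hunk), `--certificate-identity "https://github.com/${{ github.repository }}"` is probably not the identity recorded in the signing certificate, and the command pins no issuer. Assuming the `oidc` step yields the GitHub Actions OIDC token, the identity is normally the workflow reference (the repository URL followed by `/.github/workflows/sign.yml@<ref>`), so an exact match on the bare repository URL would not succeed. Consider `--certificate-identity-regexp "^https://github.com/${{ github.repository }}/\.github/workflows/sign\.yml@"` together with `--certificate-oidc-issuer https://token.actions.githubusercontent.com`. Pinning both the workflow path and the issuer is what lets a downstream user tell a signature made by this workflow from one made by any other workflow or identity.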