Closed
Labels: bug (Something isn't working)
Description
The actions/attest step in release-stable.yml fails with "SBOM file not found" during the dependency SBOM attestation step.
Root Cause
The dependency SBOM is downloaded by actions/download-artifact into ./dist alongside VSIX files, but the attestation step expects the SBOM at ./sbom/dependency-sbom.spdx.json. The sbom-diff job's download also collides with the main dist directory.
Expected Behavior
Dependency SBOM should be downloaded to an isolated ./sbom directory, and attestation should reference the correct path.
Observed Behavior
Attestation step fails because ./sbom/dependency-sbom.spdx.json does not exist — the file was downloaded to ./dist instead.
Reproduction
Run the stable release workflow (release-stable.yml) end-to-end. The attestation step in the publish-github-release job fails.
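
A pre-attestation guard for the layout described above, as an added example that is not part of the original issue or the project's workflow. The two paths come from the issue text; the function name and the status labels are assumptions of this example, and it reports the exact case from the report (SBOM present under ./dist but absent from ./sbom) separately from a plain missing file.

```python
import json
import sys
from pathlib import Path

# Paths taken from the issue text; the status labels are this example's own.
EXPECTED = Path("sbom/dependency-sbom.spdx.json")
DIST = Path("dist")


def check_sbom(root="."):
    """Return (status, detail) for the SBOM layout under root."""
    root = Path(root)
    target = root / EXPECTED
    dist = root / DIST
    # Any SPDX document under dist means a download landed beside the VSIX files.
    strays = sorted(p.relative_to(root).as_posix()
                    for p in dist.rglob("*.spdx.json")) if dist.is_dir() else []
    if not target.is_file():
        if strays:
            return "misplaced", f"expected {EXPECTED.as_posix()}, found {strays}"
        return "missing", f"{EXPECTED.as_posix()} not found"
    try:
        doc = json.loads(target.read_text(encoding="utf-8"))
    except (ValueError, UnicodeDecodeError) as exc:
        return "invalid", f"not parseable as JSON: {exc}"
    # SPDX JSON documents carry a top-level spdxVersion such as "SPDX-2.3".
    version = str(doc.get("spdxVersion", "")) if isinstance(doc, dict) else ""
    if not version.startswith("SPDX-"):
        return "invalid", "no top-level spdxVersion field"
    if strays:
        # The right file exists, but dist is still polluted by another download.
        return "collision", f"SBOM copies also present in dist: {strays}"
    return "ok", f"{EXPECTED.as_posix()} ({version})"


if __name__ == "__main__":
    status, detail = check_sbom(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"sbom-check: {status}: {detail}")
    sys.exit(0 if status == "ok" else 1)
```

Run as a step before attestation, it fails the job with the misplaced path named instead of a bare "SBOM file not found".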