
fix(workflows): decouple SBOM artifact name from internal filename#1178

Merged
WilliamBerryiii merged 1 commit into main from fix/sbom-artifact-filename on Mar 23, 2026

Conversation

@WilliamBerryiii
Member

Description

Fixes the SBOM Dependency Diff failure in the stable and prerelease release pipelines.

anchore/sbom-action uses artifact-name as both the GitHub Actions artifact name and the filename inside the artifact. With artifact-name: sbom-dependencies, the file stored inside the artifact was named sbom-dependencies (no extension) instead of dependencies.spdx.json. Downstream jobs (sbom-diff, attest-and-upload) download the artifact and look for dependencies.spdx.json — file not found.

Fix: Disable sbom-action's built-in upload (upload-artifact: false), add an explicit actions/upload-artifact step that uploads the correctly-named local file dependencies.spdx.json as artifact sbom-dependencies. Applied identically to both release-stable.yml and release-prerelease.yml.

Related Issue(s)

Fixes the v3.2.1 release failure in PR #1166, run #85.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature with breaking side effects)
  • Documentation update
  • GitHub Actions workflow
  • Linting or code quality tooling
  • Security hardening
  • DevContainer or environment configuration
  • Dependency update
  • Instructions (.instructions.md)
  • Prompt (.prompt.md)
  • Agent (.agent.md)
  • Skill (SKILL.md)

Testing

  • Verified with actionlint — no errors in either workflow file.
  • Verified with npm run lint:yaml — no YAML lint errors.
  • Confirmed the fix covers all 11 downstream jobs (10 attest-and-upload matrix entries + sbom-diff).

Checklist

Required Checks

  • Documentation is updated (if applicable)
  • Naming conventions followed per instructions
  • Backwards compatibility considered
  • Tests added/updated (if applicable)

Required Automated Checks

  • npm run lint:md
  • npm run spell-check
  • npm run lint:frontmatter
  • npm run validate:skills
  • npm run lint:md-links
  • npm run lint:ps
  • npm run plugin:generate

Security Considerations

  • No sensitive data (API keys, tokens, passwords) included
  • Dependencies have been reviewed for security vulnerabilities
  • Principle of least privilege followed for any permission changes

No new dependencies introduced. Workflow permissions unchanged. The explicit upload-artifact step uses the same SHA-pinned action already present elsewhere in the pipeline.

Additional Notes

The per-VSIX SBOM uploads (e.g., sbom-ado, sbom-hve-core-all) are unaffected because no downstream job downloads those artifacts by filename.

- disable anchore/sbom-action built-in upload in generate-dependency-sbom
- add explicit actions/upload-artifact step to preserve spdx.json filename
- apply identical fix to both stable and prerelease workflows

🔧 - Generated by Copilot
@WilliamBerryiii WilliamBerryiii requested a review from a team as a code owner March 23, 2026 18:31
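The job shape the description above implies, before and after the fix, as an added example. This is not the content of release-stable.yml or release-prerelease.yml; the job names, the `<pinned-sha>` placeholders, the checkout/download steps and the post-download check in sbom-diff are assumptions made here for illustration. The input names (`output-file`, `artifact-name`, `upload-artifact` on anchore/sbom-action; `name`, `path`, `if-no-files-found` on actions/upload-artifact) are the inputs those actions document.

```yaml
# Added example, not the repository's own workflow. Replace <pinned-sha> with
# the commit SHA you pin each action to; the job and step names are assumed.

jobs:
  # BEFORE (the failure the PR describes): artifact-name is used both as the
  # Actions artifact name and as the file name stored inside it, so the
  # artifact contains a file called "sbom-dependencies" (no extension) and
  # any consumer that expects dependencies.spdx.json gets "file not found".
  generate-dependency-sbom-before:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<pinned-sha>
      - uses: anchore/sbom-action@<pinned-sha>
        with:
          path: .
          format: spdx-json
          output-file: dependencies.spdx.json
          artifact-name: sbom-dependencies   # also becomes the stored file name

  # AFTER: let sbom-action only write the file, then upload it explicitly so
  # the artifact name and the file name inside it are independent.
  generate-dependency-sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<pinned-sha>
      - uses: anchore/sbom-action@<pinned-sha>
        with:
          path: .
          format: spdx-json
          output-file: dependencies.spdx.json
          upload-artifact: false             # disable the built-in upload
      - uses: actions/upload-artifact@<pinned-sha>
        with:
          name: sbom-dependencies            # artifact name the consumers use
          path: dependencies.spdx.json       # file name preserved inside it
          if-no-files-found: error           # fail here, not in a downstream job

  # Consumer side (assumed step): fail fast with a clear message if the
  # artifact layout ever regresses, instead of a late "file not found".
  sbom-diff:
    needs: generate-dependency-sbom
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@<pinned-sha>
        with:
          name: sbom-dependencies
          path: sbom
      - name: Verify SBOM artifact layout
        run: |
          if [ ! -f sbom/dependencies.spdx.json ]; then
            echo "dependencies.spdx.json missing from artifact sbom-dependencies; contents:"
            ls -la sbom
            exit 1
          fi
          # Sanity-check that the file is an SPDX JSON document, not an empty placeholder.
          jq -e '.spdxVersion' sbom/dependencies.spdx.json >/dev/null
```

The same two-step pattern (write the file, upload it with actions/upload-artifact) is what the PR applies to both release workflows; the verification step is an addition a consumer job can carry so that a renamed or missing file is reported at the point of download rather than deep inside the diff or attestation logic.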
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.89%. Comparing base (671f798) to head (6ac934d).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #1178      +/-   ##
==========================================
- Coverage   86.90%   86.89%   -0.02%     
==========================================
  Files          59       59              
  Lines        8774     8774              
==========================================
- Hits         7625     7624       -1     
- Misses       1149     1150       +1     
Flag Coverage Δ
pester 85.32% <ø> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown.
see 1 file with indirect coverage changes


@github-actions
Contributor

Dependency Review Summary

The full dependency review summary was too large to display here (1555KB, limit is 1024KB).

Please download the artifact named "dependency-review-summary" to view the complete report.


@WilliamBerryiii WilliamBerryiii merged commit c3f1ef4 into main Mar 23, 2026
33 checks passed
WilliamBerryiii pushed a commit that referenced this pull request Mar 23, 2026
🤖 I have created a release *beep* *boop*
---


## [3.2.2](hve-core-v3.2.1...hve-core-v3.2.2) (2026-03-23)


### 🐛 Bug Fixes

* **workflows:** decouple SBOM artifact name from internal filename
([#1178](#1178))
([c3f1ef4](c3f1ef4))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com>
4 participants