fix: hardcode Microsoft SBOM tool checksum (#22)

- Microsoft doesn't provide .sha256 files for their releases
- Use hardcoded SHA256 checksum for v4.1.2
- Remove reference to non-existent .sha256 file in cleanup

Author: ramonclaudio

.github/workflows/publish.yml

@@ -132,16 +132,16 @@ jobs:
         run: |
           # Download and verify Microsoft SBOM tool
           curl -LO https://github.com/microsoft/sbom-tool/releases/download/v4.1.2/sbom-tool-linux-x64
-          curl -LO https://github.com/microsoft/sbom-tool/releases/download/v4.1.2/sbom-tool-linux-x64.sha256
-          sha256sum -c sbom-tool-linux-x64.sha256
+          # Verify against known checksum (Microsoft doesn't provide .sha256 files)
+          echo "0019dfc4b32d63c1392aa264aed2253c1e0c2fb09216f8e2cc269bbfb8bb49b5  sbom-tool-linux-x64" | sha256sum -c
           chmod +x sbom-tool-linux-x64
           
           # Generate Microsoft SBOM
           ./sbom-tool-linux-x64 generate -b . -bc . -pn create-claude -pv $VERSION -ps RMNCLDYO -nsb https://github.com/RMNCLDYO/create-claude
           mv _manifest/spdx_2.2/manifest.spdx.json "create-claude-$VERSION.ms-spdx.json"
           
           # Cleanup
-          rm -rf _manifest sbom-tool-linux-x64 sbom-tool-linux-x64.sha256
+          rm -rf _manifest sbom-tool-linux-x64
           
       - name: Sign all SBOMs and attestations
         run: |