fix: clarify sync step

Author: rcarcasses

.github/workflows/enrich-release-notes.yml

@@ -0,0 +1,98 @@
+name: Enrich Release Notes
+
+on:
+  release:
+    types:
+      - published
+
+permissions:
+  contents: write
+
+jobs:
+  format:
+    name: Format published release
+    runs-on: ubuntu-latest
+    if: ${{ github.event.release.draft == false }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.release.tag_name }}
+
+      - name: Update release body with install instructions
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPOSITORY: ${{ github.repository }}
+          TAG_NAME: ${{ github.event.release.tag_name }}
+          RAW_VERSION: ${{ github.event.release.tag_name }}
+          RELEASE_BODY: ${{ github.event.release.body }}
+        run: |
+          set -euo pipefail
+
+          version="${RAW_VERSION#v}"
+          tar_url="https://github.com/${REPOSITORY}/archive/refs/tags/${TAG_NAME}.tar.gz"
+          tmp_archive="$(mktemp)"
+          curl -sSL "${tar_url}" -o "${tmp_archive}"
+          sha256="$(shasum -a 256 "${tmp_archive}" | cut -d ' ' -f1)"
+          rm "${tmp_archive}"
+          export SHA256="${sha256}"
+
+          python - <<'PY' > release-body.md
+import os, textwrap
+
+repo = os.environ["REPOSITORY"]
+tag = os.environ["TAG_NAME"]
+version = os.environ["RAW_VERSION"].lstrip("v")
+tar_url = f"https://github.com/{repo}/archive/refs/tags/{tag}.tar.gz"
+sha256 = os.environ["SHA256"]
+existing = os.environ.get("RELEASE_BODY", "").strip()
+
+body = textwrap.dedent(f"""\
+## Install with Bzlmod
+
+Add to your `MODULE.bazel`:
+
+```starlark
+bazel_dep(name = "rules_sbom", version = "{version}")
+
+load("@rules_sbom//sbom:setup.bzl", "rules_sbom_setup")
+syft_repo = use_repo_rule("@rules_sbom//sbom:repositories.bzl", "syft_repository")
+rules_sbom_setup(syft_repo)
+```
+
+## Install with a WORKSPACE
+
+Download and pin the release archive:
+
+- URL: `{tar_url}`
+- SHA256: `{sha256}`
+
+Then in your `WORKSPACE` file:
+
+```starlark
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+http_archive(
+    name = "rules_sbom",
+    urls = ["{tar_url}"],
+    strip_prefix = "rules_sbom-{version}",
+    sha256 = "{sha256}",
+)
+
+load("@rules_sbom//sbom:repositories.bzl", "syft_repository")
+load("@rules_sbom//sbom:setup.bzl", "rules_sbom_setup")
+
+rules_sbom_setup(syft_repository)
+```
+
+See [docs/overview.md](https://github.com/{repo}/blob/{tag}/docs/overview.md) for advanced configuration options.
+
+---
+
+{existing}
+""")
+
+print(body)
+PY
+
+          gh release edit "${TAG_NAME}" --notes-file release-body.md

.github/workflows/release.yml

@@ -15,8 +15,7 @@ jobs:
     name: Create Release Pull Request
     runs-on: ubuntu-latest
     steps:
-      - id: release
-        uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@v4
         with:
           pull-request-header: |
             ## Release Preview
@@ -26,67 +25,3 @@ jobs:
             ---
 
             Once merged, Release Please will tag `v${version}` and publish the GitHub release automatically.
-      - name: Enrich release notes with install instructions
-        if: steps.release.outputs.release_created == 'true'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          TAG_NAME: ${{ steps.release.outputs.tag_name }}
-          VERSION: ${{ steps.release.outputs.version }}
-          REPOSITORY: ${{ github.repository }}
-        run: |
-          set -euo pipefail
-
-          TAR_URL="https://github.com/${REPOSITORY}/archive/refs/tags/${TAG_NAME}.tar.gz"
-          TMP_ARCHIVE="$(mktemp)"
-          curl -sSL "${TAR_URL}" -o "${TMP_ARCHIVE}"
-          SHA256="$(shasum -a 256 "${TMP_ARCHIVE}" | cut -d ' ' -f1)"
-          rm "${TMP_ARCHIVE}"
-
-          EXISTING_BODY="$(gh release view "${TAG_NAME}" --json body --jq '.body')"
-
-          cat > release-body.md <<EOF
-## Install with Bzlmod
-
-Add to your \`MODULE.bazel\`:
-
-\`\`\`starlark
-bazel_dep(name = "rules_sbom", version = "${VERSION}")
-
-load("@rules_sbom//sbom:setup.bzl", "rules_sbom_setup")
-syft_repo = use_repo_rule("@rules_sbom//sbom:repositories.bzl", "syft_repository")
-rules_sbom_setup(syft_repo)
-\`\`\`
-
-## Install with a WORKSPACE
-
-Download and pin the release archive:
-
-- URL: \`${TAR_URL}\`
-- SHA256: \`${SHA256}\`
-
-Then in your \`WORKSPACE\` file:
-
-\`\`\`starlark
-load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
-
-http_archive(
-    name = "rules_sbom",
-    urls = ["${TAR_URL}"],
-    strip_prefix = "rules_sbom-${VERSION}",
-    sha256 = "${SHA256}",
-)
-
-load("@rules_sbom//sbom:repositories.bzl", "syft_repository")
-load("@rules_sbom//sbom:setup.bzl", "rules_sbom_setup")
-
-rules_sbom_setup(syft_repository)
-\`\`\`
-
-See [docs/overview.md](https://github.com/${REPOSITORY}/blob/${TAG_NAME}/docs/overview.md) for advanced configuration options.
-
----
-
-${EXISTING_BODY}
-EOF
-
-          gh release edit "${TAG_NAME}" --notes-file release-body.md

README.md

@@ -51,4 +51,4 @@ Once changes land on `main`, the GitHub action opens a release PR. Merging that
 
 If you need to double-check a release manually, re-run the `Release Please` workflow from the Actions tab; it will only open a new PR when there are user-facing commits since the last tag.
 
-Use `bazel sync` after upgrading to ensure the Syft toolchain archives download for your host platform.
+Use `bazel sync` after upgrading to ensure the Syft toolchain archives download for your host platform; this refreshes the Syft binaries for the host OS/architecture.