From cb3333fe2be65436bc65534c5a40ad7f014d933e Mon Sep 17 00:00:00 2001
From: Beon de Nood <beon@bigdune.net>
Date: Fri, 27 Mar 2026 18:52:27 -0400
Subject: [PATCH] feat(security): add SHA-256 checksums to release artifacts
 (B5)

- Generate checksums.txt with SHA-256 for all release binaries
- Publish checksums.txt as release asset alongside binaries
- Enables downstream SDK integrity verification
---
 .github/workflows/release.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index beb3f2e..53d2258 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -34,6 +34,9 @@ jobs:
       - name: Build Windows
         run: GOOS=windows GOARCH=amd64 go build -o capiscio-windows-amd64.exe ./cmd/capiscio
 
+      - name: Generate checksums
+        run: sha256sum capiscio-linux-amd64 capiscio-darwin-amd64 capiscio-darwin-arm64 capiscio-windows-amd64.exe > checksums.txt
+
       - name: Create Release
         uses: softprops/action-gh-release@v1
         with:
@@ -43,6 +46,7 @@ jobs:
             capiscio-darwin-amd64
             capiscio-darwin-arm64
             capiscio-windows-amd64.exe
+            checksums.txt
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}