From bd35099c2451bb39de6df33fbf6ff612cd5490f8 Mon Sep 17 00:00:00 2001
From: Ali
Date: Sun, 29 Jun 2025 21:54:59 +0100
Subject: [PATCH] Add combined SHA256 GitHub Action
---
 .github/workflows/checksum.yml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/checksum.yml b/.github/workflows/checksum.yml
index 3110cee..48baed4 100644
--- a/.github/workflows/checksum.yml
+++ b/.github/workflows/checksum.yml
@@ -1,5 +1,9 @@
 name: Generate & Attach SHA256 Checksum
+permissions:
+ contents: write
+ releases: write
+
 on:
 push:
 branches: [main]
@@ -13,9 +17,22 @@ jobs:
 - name: Checkout Repository
 uses: actions/checkout@v4
+ - name: Check Script Existence
+ run: |
+ if [ ! -f setup_harden_debian_ubuntu.sh ]; then
+ echo "Error: setup_harden_debian_ubuntu.sh not found in repository root."
+ exit 1
+ fi
+
+ - name: Clean Existing Checksum
+ if: github.event_name == 'release'
+ run: |
+ rm -f setup_harden_debian_ubuntu.sh.sha256
+
 - name: Generate SHA256
 run: |
 sha256sum setup_harden_debian_ubuntu.sh > setup_harden_debian_ubuntu.sh.sha256
+ echo "Generated checksum: $(cat setup_harden_debian_ubuntu.sh.sha256)"
 - name: Commit SHA256 (only on push to main)
 if: github.event_name == 'push'
@@ -29,7 +46,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload SHA256 to GitHub Release (only on release)
- if: github.event_name == 'release'
+ if: github.event_name == 'release' && github.event.action == 'published'
 uses: softprops/action-gh-release@v1
 with:
 files: setup_harden_debian_ubuntu.sh.sha256
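Review bot: `releases` is not a permission scope that `GITHUB_TOKEN` accepts, so the `releases: write` line in the new `permissions:` block is likely to make GitHub reject the workflow file. Creating releases and uploading release assets is already covered by `contents: write`, so the line can simply be dropped. The block is also declared at workflow level, which hands a write token to every step of every job, including `softprops/action-gh-release@v1` in the last hunk, which is referenced by a movable tag. Consider `permissions: {}` at the top with `contents: write` set only on the job that commits and uploads, and pinning that third-party action to a full commit SHA.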
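Review bot: The `Clean Existing Checksum` step has no effect, because the `>` redirection in `Generate SHA256` truncates `setup_harden_debian_ubuntu.sh.sha256` before writing to it. Gating the `rm -f` on `github.event_name == 'release'` also suggests the push and release paths produce the file differently when they do not, so I would drop the step. The script name is spelled out six times in this hunk; a job-level `env:` entry such as `SCRIPT: setup_harden_debian_ubuntu.sh` would keep the existence check and the hash pointing at the same file. The steps list starts and ends outside this hunk.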
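Review bot: The added `github.event.action == 'published'` test narrows only the upload step, while `Clean Existing Checksum` in the previous hunk is still gated on `github.event_name == 'release'` alone. The two release-only steps therefore disagree about which release activities they run on. The `release` trigger is outside the visible lines of `on:`; if it does not restrict activity types, filtering there with `types: [published]` would keep the whole job off the other release activities and make this condition unnecessary. If the trigger already restricts types, the new condition is redundant. The job may continue beyond the end of this hunk.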