fix: flatten MSI directory structure to match binaries job

GoReleaser Pro puts MSI files in dist/msi/<name>/ subdirectory. Instead of
adding complexity to handle subdirectories, copy all files to dist root
right after GoReleaser runs. This matches the binaries job pattern.

Changes:
- Add flatten step after GoReleaser to copy MSI files to dist root
- Simplify provenance generation to single loop for zip and msi
- Simplify SBOM signing to use dist root glob (no recursive search)
- Simplify manifest generator to use Glob instead of Walk
- Update docs with complete S3 file structure for all attestations

Author: gontzess

.github/workflows/release.yaml

@@ -454,6 +454,20 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.RELENG_GITHUB_TOKEN }}
           GORELEASER_KEY: ${{ secrets.GORELEASER_PRO_KEY }}
 
+      - name: Flatten MSI directory structure
+        shell: pwsh
+        run: |
+          # GoReleaser Pro puts MSI files in dist/msi/<name>/ subdirectory
+          # Copy all files to dist root to match binaries job pattern
+          $msiDir = "_caller/dist/msi"
+          if (Test-Path $msiDir) {
+            Get-ChildItem $msiDir -Recurse -File | ForEach-Object {
+              Write-Host "Copying $($_.Name) to dist root"
+              Copy-Item $_.FullName -Destination "_caller/dist/"
+            }
+            Write-Host "✅ Flattened MSI directory structure"
+          }
+
       - name: Generate SLSA provenance for Windows artifacts
         working-directory: _workflows
         shell: bash
@@ -464,8 +478,9 @@ jobs:
 
           PROVENANCE_COUNT=0
 
-          # Find all downloadable archives (zip files)
-          for artifact in "${CALLER_DIST}"/*.zip; do
+          # Find all downloadable archives (zip and msi files)
+          # MSI files are flattened to dist root by previous step
+          for artifact in "${CALLER_DIST}"/*.zip "${CALLER_DIST}"/*.msi; do
             [ -f "$artifact" ] || continue
             [[ "$artifact" == *checksums* ]] && continue
 
@@ -481,20 +496,6 @@ jobs:
             ((PROVENANCE_COUNT++)) || true
           done
 
-          # Find MSI files (in dist/msi/<name>/<name>.msi subdirectory)
-          while IFS= read -r -d '' artifact; do
-            BASENAME=$(basename "$artifact")
-            echo "Generating provenance for: $BASENAME"
-            cosign attest-blob \
-              --yes \
-              --predicate "_generated/predicate.json" \
-              --type slsaprovenance1 \
-              --bundle "${CALLER_DIST}/${BASENAME}.provenance.sigstore.json" \
-              "$artifact" > /dev/null
-            echo "✅ Created ${BASENAME}.provenance.sigstore.json"
-            ((PROVENANCE_COUNT++)) || true
-          done < <(find "${CALLER_DIST}" -name "*.msi" -print0)
-
           echo "Generated provenance bundles: ${PROVENANCE_COUNT}"
           if [ "$PROVENANCE_COUNT" -eq 0 ]; then
             echo "::error::No provenance bundles were generated - this indicates a build problem"
@@ -513,6 +514,7 @@ jobs:
           SIGNED_COUNT=0
 
           # Find all SBOM files generated by GoReleaser (syft)
+          # All files are in dist root (MSI files flattened by previous step)
           for sbom in "${CALLER_DIST}"/*.sbom.json; do
             [ -f "$sbom" ] || continue
 

cmd/generate-windows-manifest/main.go

@@ -69,30 +69,26 @@ func main() {
 		fmt.Fprintf(os.Stderr, "✅ Added zip asset: windows-amd64 -> %s\n", filename)
 	}
 
-	// Find and process MSI files (GoReleaser puts these in dist/msi/<name>/<name>.msi)
-	err = filepath.Walk(distDir, func(path string, info os.FileInfo, err error) error {
-		if err != nil {
-			return err
-		}
-		if info.IsDir() || !strings.HasSuffix(info.Name(), ".msi") {
-			return nil
-		}
+	// Find and process MSI files (flattened to dist root by workflow)
+	msiFiles, err := filepath.Glob(filepath.Join(distDir, "*.msi"))
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "generate-windows-manifest: error finding MSI files: %v\n", err)
+		os.Exit(1)
+	}
 
-		filename := info.Name()
-		asset, err := buildAsset(path, filename, "application/x-msi", baseURL, distDir)
+	for _, msiPath := range msiFiles {
+		filename := filepath.Base(msiPath)
+
+		asset, err := buildAsset(msiPath, filename, "application/x-msi", baseURL, distDir)
 		if err != nil {
-			return fmt.Errorf("processing %s: %w", filename, err)
+			fmt.Fprintf(os.Stderr, "generate-windows-manifest: error processing %s: %v\n", filename, err)
+			os.Exit(1)
 		}
 
 		// MSI uses key "windows-amd64-msi"
 		// MSI has cosign signatures and attestations; Azure Trusted Signing (Windows code signing) planned for Stage 2
 		assets["windows-amd64-msi"] = asset
 		fmt.Fprintf(os.Stderr, "✅ Added MSI asset: windows-amd64-msi -> %s\n", filename)
-		return nil
-	})
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "generate-windows-manifest: error walking dist directory: %v\n", err)
-		os.Exit(1)
 	}
 
 	// Marshal assets map to JSON
@@ -138,7 +134,7 @@ func buildAsset(filePath, filename, mediaType, baseURL, distDir string) (*pb.Ass
 	sizeBytes := info.Size()
 	href := fmt.Sprintf("%s/%s", baseURL, filename)
 
-	// Check for signature and certificate files
+	// Check for signature and certificate files (all in dist root after flatten step)
 	var signatureHref, certificateHref *string
 	sigPath := filepath.Join(distDir, filename+".sig")
 	if _, err := os.Stat(sigPath); err == nil {

docs/release-workflow.md

@@ -186,13 +186,25 @@ releases/{org}/{repo}/{tag}/
 ├── baton-foo_1.0.0_checksums.txt.sig
 ├── baton-foo_1.0.0_checksums.txt.cert
 ├── baton-foo-v1.0.0-darwin-arm64.zip
+├── baton-foo-v1.0.0-darwin-arm64.zip.sig
+├── baton-foo-v1.0.0-darwin-arm64.zip.cert
 ├── baton-foo-v1.0.0-darwin-arm64.zip.provenance.sigstore.json
 ├── baton-foo-v1.0.0-darwin-arm64.zip.sbom.sigstore.json
 ├── baton-foo-v1.0.0-linux-amd64.tar.gz
+├── baton-foo-v1.0.0-linux-amd64.tar.gz.sig
+├── baton-foo-v1.0.0-linux-amd64.tar.gz.cert
 ├── baton-foo-v1.0.0-linux-amd64.tar.gz.provenance.sigstore.json
+├── baton-foo-v1.0.0-linux-amd64.tar.gz.sbom.sigstore.json
 ├── baton-foo-v1.0.0-windows-amd64.zip
+├── baton-foo-v1.0.0-windows-amd64.zip.sig
+├── baton-foo-v1.0.0-windows-amd64.zip.cert
 ├── baton-foo-v1.0.0-windows-amd64.zip.provenance.sigstore.json
+├── baton-foo-v1.0.0-windows-amd64.zip.sbom.sigstore.json
 ├── baton-foo_v1.0.0_windows_amd64.msi
+├── baton-foo_v1.0.0_windows_amd64.msi.sig
+├── baton-foo_v1.0.0_windows_amd64.msi.cert
+├── baton-foo_v1.0.0_windows_amd64.msi.provenance.sigstore.json
+├── baton-foo_v1.0.0_windows_amd64.msi.sbom.sigstore.json
 └── ...
 ```
 
@@ -202,7 +214,8 @@ releases/{org}/{repo}/{tag}/
 
 Use test connectors for validation:
 
-- `ConductorOne/baton-github-test` - Full release testing
+- `ConductorOne/baton-runner` - Default WXS template testing
+- `ConductorOne/baton-github-test` - Custom WXS template testing (via `msi_wxs_path`)
 
 ### Testing Process