From b26812b67e85a2bf48ca35f8832237992a5261c0 Mon Sep 17 00:00:00 2001
From: Lucas Falslev
Date: Mon, 27 Apr 2026 10:07:35 -0600
Subject: [PATCH 1/8] publish azh-latest-version to s3
---
 .github/workflows/publish.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 20bba84..9358802 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -153,6 +153,7 @@ jobs:
 - name: Upload Artifacts to S3
 run: |
+ echo "${{ env.AZUREHOUND_VERSION }}" > zipped/azh-latest-version
 aws s3 cp --recursive zipped/ s3://${{ secrets.BHE_AWS_BUCKET }}
 containerize:
From ea18420a1c91359ca0c744b00296d08f31feb71b Mon Sep 17 00:00:00 2001
From: Lucas Falslev
Date: Mon, 27 Apr 2026 10:25:34 -0600
Subject: [PATCH 2/8] move azh-latest-version to separate step
---
 .github/workflows/publish.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 9358802..574c4ce 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -153,9 +153,12 @@ jobs:
 - name: Upload Artifacts to S3
 run: |
- echo "${{ env.AZUREHOUND_VERSION }}" > zipped/azh-latest-version
 aws s3 cp --recursive zipped/ s3://${{ secrets.BHE_AWS_BUCKET }}
+ - name: Upload Latest Version to S3
+ run: |
+ echo -n "${{ env.AZUREHOUND_VERSION }}" | aws s3 cp - s3://${{ secrets.BHE_AWS_BUCKET }}/azh-latest-version
+
 containerize:
 runs-on: ubuntu-latest
 permissions:
From 6d7fed6d4e7bd80b2e21a2011adac796c8ea5386 Mon Sep 17 00:00:00 2001
From: Lucas Falslev
Date: Mon, 27 Apr 2026 10:30:56 -0600
Subject: [PATCH 3/8] only if not pre-release
---
 .github/workflows/publish.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 574c4ce..ef1ce3e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
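Review bot: In PATCH 1/8 the added `echo "${{ env.AZUREHOUND_VERSION }}"` line makes the runner paste the expression's value into the script text before bash parses it, so quote characters or a command substitution inside the version string would be read as shell syntax rather than data. Where AZUREHOUND_VERSION is set is outside these hunks; if it is derived from a tag or release name it should be treated as untrusted. Values in the `env` context are also exported to the step's process environment, so the line can read the shell variable instead: `echo "$AZUREHOUND_VERSION" > zipped/azh-latest-version`. The same inline interpolation recurs in the `echo -n` lines of PATCH 2/8, 5/8 and 8/8, and with `${{ env.FILE_NAME }}` in the checksum step of PATCH 4/8 and 5/8.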
@@ -156,6 +156,7 @@ jobs:
 aws s3 cp --recursive zipped/ s3://${{ secrets.BHE_AWS_BUCKET }}
 - name: Upload Latest Version to S3
+ if: ${{ !contains(env.AZUREHOUND_VERSION, '-') }}
 run: |
 echo -n "${{ env.AZUREHOUND_VERSION }}" | aws s3 cp - s3://${{ secrets.BHE_AWS_BUCKET }}/azh-latest-version
From 4e019f471efdefd313d1abd1dfac26dc7335b3c3 Mon Sep 17 00:00:00 2001
From: Lucas Falslev
Date: Tue, 28 Apr 2026 09:25:51 -0600
Subject: [PATCH 4/8] write checksum without relative directory
---
 .github/workflows/publish.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ef1ce3e..fa5a0b8 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -149,7 +149,8 @@ jobs:
 - name: Checksum Zipped Files
 run: |
- sha256sum zipped/${{ env.FILE_NAME }}.zip > zipped/${{ env.FILE_NAME }}.zip.sha256
+ cd zipped
+ sha256sum ${{ env.FILE_NAME }}.zip > ${{ env.FILE_NAME }}.zip.sha256
 - name: Upload Artifacts to S3
 run: |
From d831712685784d1f1296eb279cdc3693adec73ad Mon Sep 17 00:00:00 2001
From: Lucas Falslev
Date: Mon, 11 May 2026 10:05:13 -0600
Subject: [PATCH 5/8] test publish marker file
---
 .github/workflows/publish.yml | 7 +++----
 .github/workflows/test-upload.yml | 21 +++++++++++++++++++++
 2 files changed, 24 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/test-upload.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index fa5a0b8..19f1997 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -149,8 +149,7 @@ jobs:
 - name: Checksum Zipped Files
 run: |
- cd zipped
- sha256sum ${{ env.FILE_NAME }}.zip > ${{ env.FILE_NAME }}.zip.sha256
+ (cd zipped && sha256sum ${{ env.FILE_NAME }}.zip > ${{ env.FILE_NAME }}.zip.sha256)
 - name: Upload Artifacts to S3
 run: |
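Review bot: The condition added in PATCH 3/8, `if: ${{ !contains(env.AZUREHOUND_VERSION, '-') }}`, is also true when the variable is empty or unset, because `contains('', '-')` evaluates to false; the step would then replace the marker object with an empty one. Guarding the empty case closes that: `if: ${{ env.AZUREHOUND_VERSION != '' && !contains(env.AZUREHOUND_VERSION, '-') }}`. A short comment above the condition would also record the intent, for example `# a '-' marks a pre-release tag; only stable versions move the latest marker`. Where the variable is assigned is not visible in this hunk.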
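Review bot: The `.zip.sha256` file produced by the `Checksum Zipped Files` step in PATCH 4/8 is uploaded by the following step to the same bucket, with the same credentials, as the zip it describes, so it lets a downloader detect a corrupted transfer but not a replaced artifact. That limit is worth stating beside the step, for example `# integrity check only: the checksum is stored next to the zip; authenticity relies on the code signature`. The signing itself is outside this hunk, so the wording should be confirmed against the sign job.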
@@ -159,7 +158,7 @@ jobs:
 - name: Upload Latest Version to S3
 if: ${{ !contains(env.AZUREHOUND_VERSION, '-') }}
 run: |
- echo -n "${{ env.AZUREHOUND_VERSION }}" | aws s3 cp - s3://${{ secrets.BHE_AWS_BUCKET }}/azh-latest-version
+ echo -n "${{ env.AZUREHOUND_VERSION }}" | aws s3 cp - s3://${{ secrets.BHE_AWS_BUCKET }}/azurehound-latest-version
 containerize:
 runs-on: ubuntu-latest
@@ -202,4 +201,4 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 push: true
 secrets: |
- GIT_AUTH_TOKEN=${{ secrets.PACKAGE_SCOPE }}
+ GIT_AUTH_TOKEN=${{ secrets.PACKAGE_SCOPE }}
\ No newline at end of file
diff --git a/.github/workflows/test-upload.yml b/.github/workflows/test-upload.yml
new file mode 100644
index 0000000..825b441
--- /dev/null
+++ b/.github/workflows/test-upload.yml
@@ -0,0 +1,21 @@
+name: Test Upload
+
+on:
+ workflow_dispatch:
+
+jobs:
+ test-upload-version:
+ runs-on: ubuntu-22.04 # INFO: https://docs.digicert.com/en/digicert-keylocker/code-signing/sign-with-third-party-signing-tools/windows-applications/sign-authenticode-files-with-osslsigncode-using-openssl-pkcs11-engine.html#a-note-for-ubuntu-users-488674
+ env:
+ AZUREHOUND_VERSION: v2.12.1
+ steps:
+ - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # ratchet:aws-actions/configure-aws-credentials@v6
+ with:
+ aws-access-key-id: ${{ secrets.BHE_AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.BHE_AWS_SECRET_ACCESS_KEY }}
+ aws-region: us-east-1
+
+ - name: Upload Latest Version to S3
+ if: ${{ !contains(env.AZUREHOUND_VERSION, '-') }}
+ run: |
+ echo -n "${{ env.AZUREHOUND_VERSION }}" | aws s3 cp - s3://${{ secrets.BHE_AWS_BUCKET }}/azurehound-latest-version
\ No newline at end of file
From 5b71a59f0d1fbe7dcc65de5a3f01c8daa84940b0 Mon Sep 17 00:00:00 2001
From: Lucas Falslev
Date: Mon, 11 May 2026 10:37:42 -0600
Subject: [PATCH 6/8] trigger test workflow on push
---
 .github/workflows/test-upload.yml | 3 +++
 1 file changed, 3 insertions(+)
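Review bot: The new `test-upload.yml` in PATCH 5/8 writes to the same `secrets.BHE_AWS_BUCKET` and the same `azurehound-latest-version` key as the release workflow, with `AZUREHOUND_VERSION` hard-coded to `v2.12.1`, so each test run overwrites the marker that consumers read. PATCH 6/8 then runs it on every push to the feature branch, using the long-lived access key pair from repository secrets. A test should target a separate object, for example `.../azurehound-latest-version-test` (a constructed name), or run `aws s3 cp` with `--dryrun`. The series deletes the file in PATCH 7/8, so this matters only for runs made in between or if the commits land unsquashed. The `# INFO:` link on `runs-on` concerns osslsigncode signing and does not apply to this job.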
diff --git a/.github/workflows/test-upload.yml b/.github/workflows/test-upload.yml
index 825b441..5eda05b 100644
--- a/.github/workflows/test-upload.yml
+++ b/.github/workflows/test-upload.yml
@@ -2,6 +2,9 @@ name: Test Upload
 on:
 workflow_dispatch:
+ push:
+ branches:
+ - lfalslev/bed-7545
 jobs:
 test-upload-version:
From 59b9a1dd10dbd3f1f90c8be7509477bb44d1e393 Mon Sep 17 00:00:00 2001
From: Lucas Falslev
Date: Mon, 11 May 2026 12:41:53 -0600
Subject: [PATCH 7/8] remove test workflow
---
 .github/workflows/test-upload.yml | 24 ------------------------
 1 file changed, 24 deletions(-)
 delete mode 100644 .github/workflows/test-upload.yml
diff --git a/.github/workflows/test-upload.yml b/.github/workflows/test-upload.yml
deleted file mode 100644
index 5eda05b..0000000
--- a/.github/workflows/test-upload.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Test Upload
-
-on:
- workflow_dispatch:
- push:
- branches:
- - lfalslev/bed-7545
-
-jobs:
- test-upload-version:
- runs-on: ubuntu-22.04 # INFO: https://docs.digicert.com/en/digicert-keylocker/code-signing/sign-with-third-party-signing-tools/windows-applications/sign-authenticode-files-with-osslsigncode-using-openssl-pkcs11-engine.html#a-note-for-ubuntu-users-488674
- env:
- AZUREHOUND_VERSION: v2.12.1
- steps:
- - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # ratchet:aws-actions/configure-aws-credentials@v6
- with:
- aws-access-key-id: ${{ secrets.BHE_AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.BHE_AWS_SECRET_ACCESS_KEY }}
- aws-region: us-east-1
-
- - name: Upload Latest Version to S3
- if: ${{ !contains(env.AZUREHOUND_VERSION, '-') }}
- run: |
- echo -n "${{ env.AZUREHOUND_VERSION }}" | aws s3 cp - s3://${{ secrets.BHE_AWS_BUCKET }}/azurehound-latest-version
\ No newline at end of file
From acabcd879ab1a8b1e0b0c9787d091539d5ae43a0 Mon Sep 17 00:00:00 2001
From: Lucas Falslev
Date: Mon, 11 May 2026 13:07:10 -0600
Subject: [PATCH 8/8] upload one version marker after all matrix signings complete
---
 .github/workflows/publish.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b91fffc..7995f0f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -155,6 +155,16 @@ jobs:
 run: |
 aws s3 cp --recursive zipped/ s3://${{ secrets.BHE_AWS_BUCKET }}
+ publish_latest_version_marker:
+ runs-on: ubuntu-latest
+ needs: sign
+ steps:
+ - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # ratchet:aws-actions/configure-aws-credentials@v6
+ with:
+ aws-access-key-id: ${{ secrets.BHE_AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.BHE_AWS_SECRET_ACCESS_KEY }}
+ aws-region: us-east-1
+
 - name: Upload Latest Version to S3
 if: ${{ !contains(env.AZUREHOUND_VERSION, '-') }}
 run: |
@@ -201,4 +211,4 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 push: true
 secrets: |
- GIT_AUTH_TOKEN=${{ secrets.PACKAGE_SCOPE }}
\ No newline at end of file
+ GIT_AUTH_TOKEN=${{ secrets.PACKAGE_SCOPE }}
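Review bot: The new `publish_latest_version_marker` job in PATCH 8/8 declares no `env:` of its own, yet the step moved under it still reads `env.AZUREHOUND_VERSION`. A value set in the `sign` job's `env:` or through `$GITHUB_ENV` does not carry over to another job, so unless the variable is defined at workflow level (not visible in this hunk) the condition sees an empty string, passes, and an empty marker is uploaded. Please confirm where the variable is defined, or hand it over explicitly as a job output of `sign`. The job also has no `permissions:` block, although `containerize` below it declares one; since the visible steps use only the AWS secrets, `permissions: {}` would drop the default token scopes. The `Upload Latest Version to S3` step continues past the end of the hunk.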