ci: separate checksums from artifacts

.github/workflows/ci-prepare-release.yml

@@ -92,27 +92,27 @@ jobs:
         working-directory: artifacts
         env:
           version: ${{ inputs.version }}
-        run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../artifacts/pulumi-${version}-checksums.txt"
+        run: sha256sum ./pulumi-*.{tar.gz,zip} | sed 's/.\///' | tee "../sums.tmp/pulumi-${version}-checksums.txt"
 
       - name: Checksums with BLAKE3
         working-directory: artifacts
-        run: b3sum ./* | sed 's/.\///' | tee ../artifacts/B3SUMS
+        run: b3sum ./* | sed 's/.\///' | tee ../sums.tmp/B3SUMS
 
       - name: Checksums with SHA512
         working-directory: artifacts
-        run: sha512sum ./* | sed 's/.\///' | tee ../artifacts/SHA512SUMS
+        run: sha512sum ./* | sed 's/.\///' | tee ../sums.tmp/SHA512SUMS
 
       - name: Sign binaries and checksums
-        working-directory: artifacts
         shell: bash
         env:
           version: ${{ inputs.version }}
         run: |
           ls -la
-          for file in *; do
+          # Sign all artifacts and checksums:
+          for file in ./{artifacts,sums.tmp}/*; do
               echo "$file"
               COSIGN_EXPERIMENTAL=1 cosign sign-blob \
-                --bundle="${file}".sig  \
+                --bundle="./sums.tmp/${file}".sig  \
                 "${file}"
           done
 
@@ -121,10 +121,7 @@ jobs:
           name: artifacts-signatures
           retention-days: 1
           path: |
-            artifacts/*.sig
-            artifacts/B3SUMS
-            artifacts/SHA512SUMS
-            artifacts/pulumi-*-checksums.txt
+            sums.tmp/*
           if-no-files-found: error
 
   publish:
@@ -168,6 +165,7 @@ jobs:
       - name: Flatten artifact directories
         run: |
           mkdir -p ./artifacts
+          mkdir -p ./sums.tmp
           mv ./artifacts.tmp/artifacts-*/* ./artifacts
       - uses: ncipollo/release-action@3d2de22e3d0beab188d8129c27f103d8e91bf13a
         with: