From 4e664e62b5894eea1207384e5f75b94a07ee7ced Mon Sep 17 00:00:00 2001
From: Virgil <virgil@lethean.io>
Date: Wed, 1 Apr 2026 16:36:40 +0000
Subject: [PATCH] fix(release): restrict checksum artifact matching

Co-Authored-By: Virgil <virgil@lethean.io>
---
 pkg/release/release.go      |  2 +-
 pkg/release/release_test.go | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/pkg/release/release.go b/pkg/release/release.go
index 0dabc23..b35432d 100644
--- a/pkg/release/release.go
+++ b/pkg/release/release.go
@@ -212,7 +212,7 @@ func shouldPublishArchive(name string) bool {
 }
 
 func shouldPublishChecksum(name string) bool {
-	return core.HasSuffix(name, ".txt")
+	return name == "CHECKSUMS.txt"
 }
 
 func shouldPublishSignature(name string) bool {
diff --git a/pkg/release/release_test.go b/pkg/release/release_test.go
index 689e0a8..cc80307 100644
--- a/pkg/release/release_test.go
+++ b/pkg/release/release_test.go
@@ -71,6 +71,19 @@ func TestRelease_FindArtifacts_Good(t *testing.T) {
 		assert.Contains(t, artifacts[0].Path, "CHECKSUMS.txt")
 	})
 
+	t.Run("ignores unrelated text files", func(t *testing.T) {
+		dir := t.TempDir()
+		distDir := ax.Join(dir, "dist")
+		require.NoError(t, ax.MkdirAll(distDir, 0755))
+
+		require.NoError(t, ax.WriteFile(ax.Join(distDir, "release-notes.txt"), []byte("notes"), 0644))
+
+		artifacts, err := findArtifacts(io.Local, distDir)
+		require.NoError(t, err)
+
+		assert.Empty(t, artifacts)
+	})
+
 	t.Run("finds signature files", func(t *testing.T) {
 		dir := t.TempDir()
 		distDir := ax.Join(dir, "dist")