chore: automatically bundle latest collector versions in docker image BED-7545

[lrfalslev]

Description

Update azurehound-latest-version marker file in s3 after new non-rc releases

Motivation and Context

This PR addresses: BED-7545

How Has This Been Tested?

Workflow ran and azurehound-latest-version contents validated.

Screenshots (if appropriate):

Types of changes

• Chore (a change that does not modify the application functionality)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• I have met the contributing prerequisites
  • Assigned myself to this PR
  • Added the appropriate labels
  • Associated an issue: Issues and Pull Requests README BloodHound#672
  • Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
• I have ensured that related documentation is up-to-date
  • Open API docs
  • Code comments
• I have followed proper test practices
  • Added/updated tests to cover my changes
  • All new and existing tests passed

Summary by CodeRabbit

• Chores
  • Windows release checksums (SHA-256) are now automatically generated alongside release archives for download integrity verification.
  • Automated publishing of a "latest version" marker for stable (non-prerelease) releases has been added to support update mechanisms.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4d08269f-24dd-419c-85a8-23ea4edd01a2

📥 Commits

Reviewing files that changed from the base of the PR and between 59b9a1d and acabcd8.

📒 Files selected for processing (1)

• .github/workflows/publish.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/publish.yml

---

Walkthrough

The publish workflow now computes SHA-256 checksums from inside the zipped/ directory using relative paths, and adds a new publish_latest_version_marker job that uploads AZUREHOUND_VERSION to S3 as azurehound-latest-version when the tag is a stable release (no -).

Changes

Publish Workflow Enhancements

Layer / File(s)	Summary
Checksum step runs in zipped/ directory .github/workflows/publish.yml	Checksum command in the signing job now cd zipped/ before running sha256sum, producing *.zip.sha256 alongside artifacts using relative paths.
Publish latest-version marker to S3 .github/workflows/publish.yml	New publish_latest_version_marker job uploads AZUREHOUND_VERSION to S3 as azurehound-latest-version when the version tag does not include -.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A rabbit hops through CI with glee,
Checksums born where zips roam free,
A tiny marker sails to S3,
Stable versions told for all to see,
🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions bundling collector versions in docker image, but the actual changes involve updating a version marker file in S3 and modifying the checksum workflow step.	Update the title to accurately reflect the main changes: publishing version markers to S3 after releases and updating the checksum generation workflow.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch lfalslev/bed-7545

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Around line 158-162: Move the "Upload Latest Version to S3" step out of the
matrix legs and into a new job named publish_latest_version_marker that has
needs: sign so it only runs after all sign matrix jobs succeed; in that job run
the same upload command (echo -n "${{ env.AZUREHOUND_VERSION }}" | aws s3 cp -
s3://${{ secrets.BHE_AWS_BUCKET }}/azurehound-latest-version) and keep the same
conditional check (if: ${{ !contains(env.AZUREHOUND_VERSION, '-') }}), set
runs-on (e.g., ubuntu-latest) and any required aws credentials/permissions, and
remove the original step from the matrix job so the marker is uploaded exactly
once after all signing legs finish successfully.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ad79776e-95b5-4f69-97c4-c8a8ebd6cd2b

📥 Commits

Reviewing files that changed from the base of the PR and between 132897a and 59b9a1d.

📒 Files selected for processing (1)

• .github/workflows/publish.yml