From d43e358e863b01e52583a7bea51f398f6a8da3b6 Mon Sep 17 00:00:00 2001
From: Kody Stribrny
Date: Mon, 30 Mar 2026 16:26:47 -0700
Subject: [PATCH 1/2] Remove github_token input

Inputs need to be literal, static values. Instead we should simply use `${{ secrets.GITHUB_TOKEN }}` which is resolved at runtime
---
 .github/workflows/auto-release.yml | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index c1786ac227..664f5db719 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -15,10 +15,6 @@ on:
         description: "Version String for task.h on main branch (leave empty to leave as-is)."
         required: false
         default: ''
-      github_token:
-        description: 'GitHub token for creating releases and pushing changes'
-        required: false
-        default: ${{ github.token }}
 
 jobs:
   release-packager:
@@ -35,7 +31,7 @@ jobs:
         with:
           architecture: x64
         env:
-          GITHUB_TOKEN: ${{ github.event.inputs.github_token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install GitHub CLI
         run: |
@@ -90,7 +86,7 @@ jobs:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
           MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }}
           COMMIT_SHA_1: ${{ env.COMMIT_SHA_1 }}
-          GITHUB_TOKEN: ${{ github.event.inputs.github_token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           # Install deps and run
           pip install -r ./tools/.github/scripts/release-requirements.txt
@@ -126,7 +122,7 @@ jobs:
       - name: Create pull request
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
-          GH_TOKEN: ${{ github.event.inputs.github_token }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           REPO_FULL_NAME: ${{ github.repository }}
         working-directory: ./local_kernel
         run: |
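Review bot: Once the `github_token` input is removed, every step in this file authenticates with `secrets.GITHUB_TOKEN`, so the workflow's ability to push branches and open pull requests depends entirely on the `permissions:` key, which is not visible in these hunks; please confirm the job declares only what it needs, e.g. `permissions:` / `contents: write` / `pull-requests: write`, rather than inheriting the repository default. A caller could previously pass a different token through the input, and pushes and pull requests made with `GITHUB_TOKEN` do not start other workflow runs, so if any CI check on the release PR is expected before the "Wait for PR to be merged" step proceeds, that expectation should be re-checked after this change. The same substitution is made in the `@@ -35`, `@@ -90` and `@@ -126` hunks here and in the four hunks that follow, so this note covers all of them. In the `@@ -35` hunk the token is exported to a `uses:` step whose action is named above the hunk; if that action does not read `GITHUB_TOKEN`, the `env:` entry there can simply be deleted instead of updated.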
@@ -140,7 +136,7 @@ jobs:
 
       - name: Wait for PR to be merged
         env:
-          GH_TOKEN: ${{ github.event.inputs.github_token }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           REPO_FULL_NAME: ${{ github.repository }}
         working-directory: ./local_kernel
         run: |
@@ -179,7 +175,7 @@ jobs:
       - name: Commit SBOM file
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
-          GITHUB_TOKEN: ${{ github.event.inputs.github_token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         working-directory: ./local_kernel
         run: |
           git add .
@@ -193,7 +189,7 @@ jobs:
           MAIN_BR_VERSION_NUMBER: ${{ github.event.inputs.main_br_version }}
           COMMIT_SHA_2: ${{ env.COMMIT_SHA_2 }}
           REPO_OWNER: ${{ github.repository_owner }}
-          GITHUB_TOKEN: ${{ github.event.inputs.github_token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           # Install deps and run
           pip install -r ./tools/.github/scripts/release-requirements.txt
@@ -212,7 +208,7 @@ jobs:
         if: always()
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
-          GH_TOKEN: ${{ github.event.inputs.github_token }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         working-directory: ./local_kernel
         run: |
           # Only delete release-prep branch if the PR was already merged

From 35ba94246fff5eece082cb4befdeb23c49ae154b Mon Sep 17 00:00:00 2001
From: Kody Stribrny
Date: Mon, 30 Mar 2026 16:38:39 -0700
Subject: [PATCH 2/2] Copy over generated SBOM files

The SBOM generator currently outputs the files at the workspace root.
---
 .github/workflows/auto-release.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml
index 664f5db719..3759e5f482 100644
--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -176,11 +176,17 @@ jobs:
         env:
           VERSION_NUMBER: ${{ github.event.inputs.version_number }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        working-directory: ./local_kernel
         run: |
+          # SBOM generator writes files to the workspace root — copy them into the repo
+          cp *SPDX* ./local_kernel/ 2>/dev/null || cp *spdx* ./local_kernel/ 2>/dev/null || true
+          cd ./local_kernel
           git add .
-          git commit -m '[AUTO][RELEASE]: Update SBOM'
-          git push -u origin "$VERSION_NUMBER"
+          if git diff --cached --quiet; then
+            echo "No SBOM changes to commit."
+          else
+            git commit -m '[AUTO][RELEASE]: Update SBOM'
+            git push -u origin "$VERSION_NUMBER"
+          fi
           echo "COMMIT_SHA_2=$(git rev-parse HEAD)" >> $GITHUB_ENV
 
       - name: Release
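Review bot: The added `cp *SPDX* ./local_kernel/ 2>/dev/null || cp *spdx* ./local_kernel/ 2>/dev/null || true` line swallows every outcome: when nothing matches, bash passes the literal pattern to `cp`, the failure is hidden by `|| true`, and the new `git diff --cached --quiet` branch then prints "No SBOM changes to commit." — so a missing or renamed generator output yields a release without an SBOM and a green step. Since `git add .` stages everything under `./local_kernel` rather than only the copied files, any other stray file in that checkout is pushed to the `$VERSION_NUMBER` branch in the same `[AUTO][RELEASE]` commit. I would collect the SBOM files with `nullglob`/`nocaseglob`, fail the step when none are found, and stage only those files, as below (this assumes the runner's default bash shell for `run:`, which is not shown); the commit/push guard and the `COMMIT_SHA_2` export stay as in the hunk. The `cd ./local_kernel` does replace the dropped `working-directory`, so the later `git rev-parse HEAD` still runs inside the repository.
```yaml
        run: |
          # SBOM generator writes files to the workspace root — copy them into the repo
          shopt -s nullglob nocaseglob
          sbom_files=(*spdx*)
          if [ "${#sbom_files[@]}" -eq 0 ]; then
            echo "No SBOM file found in workspace root" >&2
            exit 1
          fi
          cp -- "${sbom_files[@]}" ./local_kernel/
          cd ./local_kernel
          git add -- "${sbom_files[@]}"
          # … unchanged: commit/push guard and COMMIT_SHA_2 export …
```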