As implemented by Generate .sha256sum files for release artifacts the resulting .sha256sum files do not meet the requirements of macOS's shasum -c / --check nor the corresponding option in Linux's shasum and sha256sum commands. Currently the sha256sum files contain absolute paths like /{Users,home}/runner/work/just/just/dist/just-$VERSION-$TARGET.tar.gz which will not exist for users wanting to easily verify downloads' hash values.
Since the bin/package script does a cd $DIST before generating the hash value, a suggested fix is rather than shasum -a 256 $ARCHIVE > $ARCHIVE.sha256sum
to use shell parameter expansion to remove $DIST from the beginning of the full $ARCHIVE path: shasum -a 256 ${ARCHIVE#$DIST/} > $ARCHIVE.sha256sum
I've minimally tested that and it seems to do the right thing so that shasum --check *.sha256sum and sha256sum --check *.sha256sum verify the corresponding tar.gz's hash when both are downloaded into the same directory, as is likely typical of most users. To eliminate any user confusion on Windows I suggest doing the same for that target's sha256sum file as well, assuming certutil won't know what to do about the */d/a/just/just/dist/ path in the corresponding sha256sum file.
Just a heads up for anyone using the shasum files: In #2417 I changed the release workflow to generate a single SHA256SUM file, instead of a .sha256sum file for each artifact. So for upcoming releases, you'll need to download the SHA256SUM file, and run shasum -a 256 -c SHA256SUM --ignore-missing.
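The failure reported in the issue and the parameter-expansion fix it proposes, reproduced as an added example that is not part of the thread or the project's bin/package script. The archive name, the function name check_from_download_dir and the temporary directories are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: constructed paths and file names, not the project's bin/package.
set -u

# Use whichever SHA-256 tool is installed (GNU coreutils or Perl's shasum).
if command -v sha256sum >/dev/null 2>&1; then SUM="sha256sum"; else SUM="shasum -a 256"; fi

# check_from_download_dir MODE
# Builds an archive in a throwaway "dist" directory, writes its checksum file
# the way MODE says, copies both files into a separate "download" directory,
# removes the build directory, and verifies from the download directory.
# Prints "ok" or "failed".
check_from_download_dir() {
  mode=$1
  work=$(mktemp -d) || return 2
  DIST="$work/dist"; dl="$work/download"
  mkdir -p "$DIST" "$dl"
  ARCHIVE="$DIST/just-0.0.0-example.tar.gz"   # constructed archive name
  printf 'constructed archive bytes\n' > "$ARCHIVE"
  (
    cd "$DIST" || exit 2
    case $mode in
      # Entry records the build machine's absolute path.
      absolute) $SUM "$ARCHIVE" > "$ARCHIVE.sha256sum" ;;
      # Entry records only the file name: $DIST/ is stripped from the front.
      relative) $SUM "${ARCHIVE#"$DIST"/}" > "$ARCHIVE.sha256sum" ;;
    esac
  )
  cp "$ARCHIVE" "$ARCHIVE.sha256sum" "$dl"/
  rm -rf "$DIST"   # the runner's build directory does not exist for a downloader
  if (cd "$dl" && $SUM -c ./*.sha256sum >/dev/null 2>&1); then
    result=ok
  else
    result=failed
  fi
  rm -rf "$work"
  echo "$result"
}

echo "absolute path entry: $(check_from_download_dir absolute)"
echo "file name entry:     $(check_from_download_dir relative)"
```

The absolute-path case fails because the check tool opens the path written in the checksum file, not the file sitting next to it.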