One job to rule them all

Signed-off-by: nopeitsnothing <no@anonymousplanet.org>

.github/workflows/build-pdf.yml

@@ -1,143 +0,0 @@
-name: 📖 Build PDF
-
-on:
-  workflow_dispatch:
-  pull_request:
-    paths:
-      - "docs/**"
-      - "mkdocs.yml"
-      - "scripts/build_guide_pdf.py"
-      - ".github/workflows/build-pdf.yml"
-  push:
-    branches:
-      - main
-    paths:
-      - "docs/**"
-      - "mkdocs.yml"
-      - "scripts/build_guide_pdf.py"
-      - ".github/workflows/build-pdf.yml"
-
-permissions:
-  contents: write
-  id-token: write
-
-jobs:
-  pdf:
-    name: PDF build and sign
-    runs-on: ubuntu-latest
-    steps:
-      - name: 🛠️ Checkout
-        uses: actions/checkout@v4
-
-      - name: 🐍 Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: "3.13"
-
-      - name: 📦 Install MkDocs Material
-        run: pip install mkdocs-material
-
-      - name: Setup Chrome
-        uses: browser-actions/setup-chrome@v2
-        with:
-          chrome-version: 120
-          install-dependencies: true
-          install-chromedriver: true
-
-      - name: 🔑 Install GPG tools
-        run: |
-          sudo apt-get update
-          sudo apt-get install gnupg
-
-      - name: 🖨️ Build PDF
-        env:
-          CI: true
-        run: python scripts/build_guide_pdf.py --both
-
-      - name: 🔢 Generate SHA256 hashes for root directory
-        run: |
-          cd ${{ github.workspace }}
-          sha256sum export/thgtoa.pdf > sha256sum-light.txt
-          sha256sum export/thgtoa-dark.pdf >> sha256sum-light.txt
-
-          # Create separate hash files for each PDF
-          sha256sum export/thgtoa.pdf > thgtoa.pdf.sha256
-          sha256sum export/thgtoa-dark.pdf > thgtoa-dark.pdf.sha256
-
-      - name: 🔒 Sign PDFs with GPG key
-        env:
-          GPG_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-        run: |
-          cd ${{ github.workspace }}
-
-          # Import GPG key
-          export GPG_TTY=$(tty)
-          echo "$GPG_KEY" | gpg --batch --import
-
-          # Verify the key was imported
-          gpg --list-secret-keys
-
-          # Sign the PDFs (detach signature)
-          gpg --batch --yes --armor --detach-sign --output export/thgtoa.pdf.sig export/thgtoa.pdf
-          gpg --batch --yes --armor --detach-sign --output export/thgtoa-dark.pdf.sig export/thgtoa-dark.pdf
-
-          # Also sign the hash files
-          gpg --batch --yes --armor --detach-sign --output sha256sum-light.txt.sig sha256sum-light.txt
-
-  upload:
-    name: Upload artifacts
-    runs-on: ubuntu-latest
-    needs: pdf
-    steps:
-      - name: 📤 Upload PDF artifact (Light Mode)
-        uses: actions/upload-artifact@v4
-        with:
-          name: light-pdf-files
-          path: |
-            export/thgtoa.pdf
-            export/thgtoa.pdf.sig
-            thgtoa.pdf.sha256
-          archive: false
-          if-no-files-found: error
-          retention-days: 90
-
-      - name: 📤 Upload PDF artifact (Dark Mode)
-        uses: actions/upload-artifact@v4
-        with:
-          name: dark-pdf-files
-          path: |
-            export/thgtoa-dark.pdf
-            export/thgtoa-dark.pdf.sig
-            thgtoa-dark.pdf.sha256
-          archive: false
-          if-no-files-found: error
-          retention-days: 90
-
-      - name: 📤 Upload combined hash file to root
-        uses: actions/upload-artifact@v4
-        with:
-          name: hash-files
-          path: |
-            sha256sum-light.txt
-          archive: false
-          if-no-files-found: error
-          retention-days: 90
-
-  release:
-    name: Create Release
-    runs-on: ubuntu-latest
-    needs: pdf
-    steps:
-      - name: 🚀 Create Release (if tag exists)
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@v1
-        with:
-          files: |
-            export/thgtoa.pdf
-            export/thgtoa-dark.pdf
-            export/thgtoa.pdf.sig
-            export/thgtoa-dark.pdf.sig
-            sha256sum-light.txt
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/build-sign-release.yml

@@ -0,0 +1,146 @@
+name: 📖 Build & Sign PDFs
+
+on:
+  workflow_dispatch:
+    inputs:
+      build_mode:
+        description: 'PDF build mode'
+        required: true
+        default: 'both'
+        type: choice
+        options:
+          - light
+          - dark
+          - both
+  push:
+    branches:
+      - main
+    paths:
+      - "docs/**"
+      - "mkdocs.yml"
+      - "scripts/**"
+      - ".github/workflows/**"
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  build-sign-release:
+    name: Build, Sign & Release PDFs
+    runs-on: ubuntu-latest
+    steps:
+      - name: 🛠️ Checkout
+        uses: actions/checkout@v4
+
+      - name: 🐍 Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: 📦 Install MkDocs Material
+        run: pip install mkdocs-material
+
+      - name: Setup Chrome
+        uses: browser-actions/setup-chrome@v2
+        with:
+          chrome-version: 120
+          install-dependencies: true
+          install-chromedriver: true
+
+      - name: 🔑 Install GPG tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install gnupg
+
+      - name: 🖨️ Build PDFs
+        env:
+          CI: true
+        run: python scripts/build_guide_pdf.py --${{ inputs.build_mode || 'both' }}
+
+      - name: 🔒 Sign SHA256 hash file with GPG
+        env:
+          GPG_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          cd ${{ github.workspace }}
+
+          # Import GPG key
+          export GPG_TTY=$(tty)
+          echo "$GPG_KEY" | gpg --batch --import 2>/dev/null || true
+
+
+
+      - name: 🔒 Sign PDF files with GPG
+        env:
+          GPG_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          cd ${{ github.workspace }}
+
+          # Import GPG key if not already imported
+          export GPG_TTY=$(tty)
+          echo "$GPG_KEY" | gpg --batch --import 2>/dev/null || true
+
+          # Create combined hash file with all PDFs
+          sha256sum export/thgtoa.pdf > export/checksums.sha256
+          sha256sum export/thgtoa-dark.pdf >> export/checksums.sha256
+
+          # Sign the checksum file
+          gpg --batch --yes --armor --detach-sign --output export/checksums.sha256.sig export/checksums.sha256 2>/dev/null || true
+
+          # Sign each PDF file individually with detached signature
+          for pdf_file in export/*.pdf; do
+            if [ -f "$pdf_file" ]; then
+              base_name=$(basename "$pdf_file")
+              echo "Signing $base_name..."
+              gpg --default-key 17ECA05F768DEDF6 --batch --yes --armor --detach-sign --output "export/${pdf_file}.sig" "$pdf_file" 2>/dev/null || true
+            fi
+          done
+
+          # Verify signatures were created
+          ls -la export/*.sig 2>/dev/null || echo "No signature files found in export/"
+
+      - name: 🦠 Upload PDFs to VirusTotal
+        uses: crazy-max/ghaction-virustotal@v5
+        with:
+          vt_api_key: ${{ secrets.VT_API_KEY }}
+          files: |
+            ./export/thgtoa.pdf
+            ./export/thgtoa-dark.pdf
+
+      - name: 📊 Extract VT scan results
+        id: vt-scan
+        run: |
+          echo "status=completed" >> $GITHUB_OUTPUT
+
+      - name: 🔗 Generate VT report links
+        run: |
+          # Create a markdown file with VT scan results and links
+          cat > export/virus-total-results.md << EOF
+          ## VirusTotal Scan Results
+
+          **Scan Date:** \$(date -u +"%Y-%m-%d %H:%M UTC")
+
+          ### thgtoa.pdf (Light Mode)
+          - **VT Report:** https://www.virustotal.com/gui/file/\$(sha256sum export/thgtoa.pdf | cut -d' ' -f1)
+
+          ### thgtoa-dark.pdf (Dark Mode)
+          - **VT Report:** https://www.virustotal.com/gui/file/\$(sha256sum export/thgtoa-dark.pdf | cut -d' ' -f1)
+
+          ---
+          *Scan performed automatically by GitHub Actions*
+          EOF
+
+      - name: 📤 Upload export directory as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: pdf-export-${{ inputs.build_mode || 'both' }}
+          path: |
+            export/*.pdf
+            export/*.sig
+            export/*.sha256
+            export/virus-total-results.md
+          if-no-files-found: error
+          retention-days: 90
+          compression-level: 0

.github/workflows/vt-scan.yml

@@ -1,77 +0,0 @@
-name: '🦠 VirusTotal Scan'
-
-on:
-    workflow_dispatch:
-    push:
-      branches:
-        - 'main'
-      tags:
-        - 'v*'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-      - name: '📦 Checkout'
-        uses: actions/checkout@v6
-
-      - name: '🔍 Download PDF artifacts from build workflow'
-        uses: actions/download-artifact@v7
-        with:
-          pattern: light-pdf-files,dark-pdf-files
-          path: pdfs
-          merge-multiple: true
-
-      - name: '🦠 Scan PDF files using VT'
-        uses: crazy-max/ghaction-virustotal@v5
-        with:
-          vt_api_key: ${{ secrets.VT_API_KEY }}
-          update_release_body: false  # We'll handle this manually in the next step
-          files: |
-            ./pdfs/thgtoa.pdf
-            ./pdfs/thgtoa-dark.pdf
-
-      - name: '📊 Extract VT scan results'
-        id: vt-scan
-        run: |
-          echo "status=completed" >> $GITHUB_OUTPUT
-
-      - name: '🔗 Generate VT report links'
-        run: |
-          # Create a markdown file with VT scan results and links
-          cat > vt-results.md << EOF
-          ## VirusTotal Scan Results
-
-          **Scan Date:** $(date -u +"%Y-%m-%d %H:%M UTC")
-
-          ### thgtoa.pdf (Light Mode)
-          - **VT Report:** https://www.virustotal.com/gui/file/$(sha256sum pdfs/thgtoa.pdf | cut -d' ' -f1)
-
-          ### thgtoa-dark.pdf (Dark Mode)
-          - **VT Report:** https://www.virustotal.com/gui/file/$(sha256sum pdfs/thgtoa-dark.pdf | cut -d' ' -f1)
-
-          ---
-          *Scan performed automatically by GitHub Actions*
-          EOF
-
-      - name: '📝 Update release with VT results (if tag exists)'
-        if: startsWith(github.ref, 'refs/tags/')
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_REPO: ${{ github.repository }}
-        run: |
-          # Get the latest release notes
-          RELEASE_NOTES=$(gh release view ${{ github.ref_name }} --json body --jq .body 2>/dev/null || echo "")
-
-          # Append VT results to release notes
-          if [ -n "$RELEASE_NOTES" ]; then
-            echo "" >> vt-results.md
-            echo "---" >> vt-results.md
-            echo "### Previous Release Notes" >> vt-results.md
-            echo "$RELEASE_NOTES" >> vt-results.md
-          fi
-
-          # Update the release with VT results
-          gh release edit ${{ github.ref_name }} --notes-file vt-results.md

scripts/pdf_release.sh

@@ -0,0 +1,365 @@
+!/bin/bash
+set -e
+
+# PDF Hashing, Scanning, Release and Management script (hSCRAM)
+# Usage: ./pdf_release.sh --build <light|dark|both> --release <tag|latest> [--vt-api-key]
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ROOT_DIR="$(dirname "$SCRIPT_DIR")"
+EXPORT_DIR="$ROOT_DIR/export"
+
+# Default values
+MODE="both"  # light, dark, or both
+RELEASE_MODE="tag"  # tag (e.g. "v2.1.2") or "latest"
+VT_API_KEY=""
+GITHUB_TOKEN=""
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --build)
+            MODE="$2"
+            shift 2
+            ;;
+        --release)
+            RELEASE_MODE="$2"
+            shift 2
+            ;;
+        --vt-api-key)
+            VT_API_KEY="$2"
+            shift 2
+            ;;
+        --github-token)
+            GITHUB_TOKEN="$2"
+            shift 2
+            ;;
+        *)
+            echo "Unknown option: $1"
+            exit 1
+            ;;
+    esac
+done
+
+if [[ ! "$MODE" =~ ^(light|dark|both)$ ]]; then
+    echo "Error: Invalid build mode '$MODE'. Must be 'light', 'dark', or 'both'."
+    exit 1
+fi
+
+echo "Hashing, Scanning, Release and Management script (hSCRAM)"
+echo "Mode: $MODE"
+echo "Release Mode: $RELEASE_MODE"
+
+generate_hash() {
+    local file="$1"
+    sha256sum "$file" | cut -d' ' -f1
+}
+
+create_hash_file() {
+    local pdf_path="$1"
+    local base_name=$(basename "$pdf_path")
+    local hash_file="${EXPORT_DIR}/${base_name}.sha256"
+
+    (cd "$EXPORT_DIR" && sha256sum "$base_name") > "$hash_file"
+    echo "Created: $hash_file"
+}
+
+scan_with_virustotal() {
+    local pdf_path="$1"
+    local base_name=$(basename "$pdf_path")
+
+    if [[ -z "$VT_API_KEY" ]]; then
+        echo "Warning: VT_API_KEY not provided, skipping VirusTotal scan for $base_name"
+        return 1
+    fi
+
+    echo "Scanning $base_name with VirusTotal..."
+
+    local upload_response=$(curl -s -X POST \
+        -H "x-apikey: $VT_API_KEY" \
+        -F "file=@$pdf_path" \
+        https://www.virustotal.com/api/v3/files)
+
+    if [[ $? -ne 0 ]]; then
+        echo "Error uploading $base_name to VirusTotal"
+        return 1
+    fi
+
+    local file_id=$(echo "$upload_response" | python3 -c "import sys, json; print(json.load(sys.stdin)['data']['id'])" 2>/dev/null || echo "")
+
+    if [[ -z "$file_id" ]]; then
+        echo "Error: Could not extract file ID from VirusTotal response for $base_name"
+        echo "Response: $upload_response"
+        return 1
+    fi
+
+    local vt_url="https://www.virustotal.com/gui/file/$file_id"
+    echo "$vt_url"
+}
+
+scan_all_pdfs() {
+    local results_file="$EXPORT_DIR/virus-total-results.md"
+
+    cat > "$results_file" << 'HEADER'
+## VirusTotal Scan Results
+
+**Scan Date:** TIMESTAMP
+
+---
+HEADER
+
+    sed -i "s/TIMESTAMP/$(date -u +"%Y-%m-%d %H:%M UTC")/" "$results_file"
+
+    local pdf_files=()
+    if [[ "$MODE" == "light" || "$MODE" == "both" ]]; then
+        pdf_files+=("$EXPORT_DIR/thgtoa.pdf")
+    fi
+    if [[ "$MODE" == "dark" || "$MODE" == "both" ]]; then
+        pdf_files+=("$EXPORT_DIR/thgtoa-dark.pdf")
+    fi
+
+    for pdf in "${pdf_files[@]}"; do
+        if [[ -f "$pdf" ]]; then
+            local base_name=$(basename "$pdf")
+            local hash=$(generate_hash "$pdf")
+
+            echo "" >> "$results_file"
+            echo "### $base_name" >> "$results_file"
+            echo "- **SHA256 Hash:** \`$hash\`" >> "$results_file"
+
+            if [[ -n "$VT_API_KEY" ]]; then
+                local vt_url=$(scan_with_virustotal "$pdf")
+                if [[ $? -eq 0 && -n "$vt_url" ]]; then
+                    echo "- **VirusTotal Report:** [$vt_url]($vt_url)" >> "$results_file"
+                else
+                    echo "- **VirusTotal Report:** Scan failed or API key not provided" >> "$results_file"
+                fi
+            else
+                echo "- **VirusTotal Report:** VT_API_KEY not configured, scan skipped" >> "$results_file"
+            fi
+
+            create_hash_file "$pdf"
+        else
+            echo "Warning: $pdf does not exist, skipping..."
+        fi
+    done
+
+    cat >> "$results_file" << 'FOOTER'
+
+---
+*Scan performed automatically by GitHub Actions*
+FOOTER
+
+    echo "VirusTotal results saved to: $results_file"
+}
+
+update_release() {
+    local tag="${1:-}"
+    local release_notes="$EXPORT_DIR/release-notes.md"
+
+    if [[ "$RELEASE_MODE" == "tag" && -z "$tag" ]]; then
+        tag=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
+    fi
+
+    if [[ -z "$tag" ]]; then
+        echo "Warning: No release tag found, skipping release update."
+        return 1
+    fi
+
+    echo "Updating release for tag: $tag"
+
+    cat > "$release_notes" << EOF
+# Release Notes - $tag
+
+**Release Date:** $(date -u +"%Y-%m-%d %H:%M UTC")
+
+## PDF Files
+
+EOF
+
+    if [[ "$MODE" == "light" || "$MODE" == "both" ]]; then
+        local hash=$(generate_hash "$EXPORT_DIR/thgtoa.pdf")
+        echo "- **thgtoa.pdf (Light Mode)**" >> "$release_notes"
+        echo "  - SHA256: \`$hash\`" >> "$release_notes"
+        if [[ -f "$EXPORT_DIR/thgtoa.pdf.sig" ]]; then
+            echo "  - Signature: \`thgtoa.pdf.sig\` (GPG signed)" >> "$release_notes"
+        fi
+    fi
+
+    if [[ "$MODE" == "dark" || "$MODE" == "both" ]]; then
+        local hash=$(generate_hash "$EXPORT_DIR/thgtoa-dark.pdf")
+        echo "- **thgtoa-dark.pdf (Dark Mode)**" >> "$release_notes"
+        echo "  - SHA256: \`$hash\`" >> "$release_notes"
+        if [[ -f "$EXPORT_DIR/thgtoa-dark.pdf.sig" ]]; then
+            echo "  - Signature: \`thgtoa-dark.pdf.sig\` (GPG signed)" >> "$release_notes"
+        fi
+    fi
+
+    echo "" >> "$release_notes"
+    echo "---" >> "$release_notes"
+
+    if [[ -f "$EXPORT_DIR/virus-total-results.md" ]]; then
+        echo "## VirusTotal Scan Results" >> "$release_notes"
+        echo "" >> "$release_notes"
+        cat "$EXPORT_DIR/virus-total-results.md" >> "$release_notes"
+        echo "" >> "$release_notes"
+    fi
+
+    local files_to_upload=""
+
+    if [[ -f "$EXPORT_DIR/thgtoa.pdf" ]]; then
+        files_to_upload+="$EXPORT_DIR/thgtoa.pdf "
+    fi
+    if [[ -f "$EXPORT_DIR/thgtoa-dark.pdf" ]]; then
+        files_to_upload+="$EXPORT_DIR/thgtoa-dark.pdf "
+    fi
+    if [[ -f "$EXPORT_DIR/thgtoa.pdf.sig" ]]; then
+        files_to_upload+="$EXPORT_DIR/thgtoa.pdf.sig "
+    fi
+    if [[ -f "$EXPORT_DIR/thgtoa-dark.pdf.sig" ]]; then
+        files_to_upload+="$EXPORT_DIR/thgtoa-dark.pdf.sig "
+    fi
+
+    local combined_hash_file="$EXPORT_DIR/sha256sum-combined.txt"
+
+    if [[ -f "$EXPORT_DIR/thgtoa.pdf.sha256" ]]; then
+        cat "$EXPORT_DIR/thgtoa.pdf.sha256" >> "$combined_hash_file" 2>/dev/null || true
+    fi
+    if [[ -f "$EXPORT_DIR/thgtoa-dark.pdf.sha256" ]]; then
+        echo "" >> "$combined_hash_file"
+        cat "$EXPORT_DIR/thgtoa-dark.pdf.sha256" >> "$combined_hash_file"
+    fi
+
+    files_to_upload+="$combined_hash_file "
+
+    if [[ -n "${GPG_PRIVATE_KEY:-}" && -n "${GPG_PASSPHRASE:-}" ]]; then
+        echo "$GPG_PRIVATE_KEY" | gpg --batch --import 2>/dev/null || true
+        gpg --batch --yes --armor --detach-sign --output "$combined_hash_file.sig" "$combined_hash_file" 2>/dev/null || true
+        if [[ -f "$combined_hash_file.sig" ]]; then
+            files_to_upload+="$combined_hash_file.sig "
+        fi
+    fi
+
+    if command -v gh &> /dev/null && [[ -n "$GITHUB_TOKEN" ]]; then
+        echo "Uploading release with GitHub CLI..."
+
+        local release_exists=$(gh release view "$tag" 2>/dev/null && echo "yes" || echo "no")
+
+        if [[ "$release_exists" == "yes" ]]; then
+            gh release edit "$tag" --notes-file "$release_notes" 2>/dev/null || {
+                echo "Warning: Failed to update release notes"
+            }
+
+            for file in $files_to_upload; do
+                if [[ -f "$file" ]]; then
+                    local file_name=$(basename "$file")
+                    gh release upload "$tag" "$file" 2>/dev/null || {
+                        echo "Warning: Failed to upload $file_name"
+                    }
+                fi
+            done
+        else
+            gh release create "$tag" \
+                --title "Release $tag" \
+                --notes-file "$release_notes" \
+                $files_to_upload 2>/dev/null || {
+                    echo "Error: Failed to create release"
+                    return 1
+                }
+        fi
+
+    else
+        if [[ -n "$GITHUB_TOKEN" && -n "$tag" ]]; then
+            echo "Using GitHub API to upload release..."
+
+            local repo="${GITHUB_REPOSITORY:-}"
+            local api_url="https://api.github.com/repos/$repo/releases"
+
+            local existing_release=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
+                "$api_url/tags/$tag")
+
+            if [[ $(echo "$existing_release" | grep -c '"id":') -gt 0 ]]; then
+                echo "Release already exists, updating..."
+                local release_id=$(echo "$existing_release" | python3 -c "import sys, json; print(json.load(sys.stdin)['id'])" 2>/dev/null || echo "")
+
+                curl -X PATCH \
+                    -H "Authorization: token $GITHUB_TOKEN" \
+                    -H "Accept: application/vnd.github.v3+json" \
+                    "$api_url/$release_id" \
+                    -d "{\"body\":\"$(cat "$release_notes")\"}" 2>/dev/null || true
+
+                for file in $files_to_upload; do
+                    if [[ -f "$file" ]]; then
+                        local file_name=$(basename "$file")
+                        local mime_type=$(file --mime-type -b "$file")
+
+                        curl -X POST \
+                            -H "Authorization: token $GITHUB_TOKEN" \
+                            -H "Content-Type: $mime_type" \
+                            --data-binary @"$file" \
+                            "https://uploads.github.com/repos/$repo/releases/$release_id/assets?name=$file_name" 2>/dev/null || {
+                                echo "Warning: Failed to upload $file_name"
+                            }
+                    fi
+                done
+            else
+                echo "Creating new release..."
+
+                local create_response=$(curl -s -X POST \
+                    -H "Authorization: token $GITHUB_TOKEN" \
+                    -H "Accept: application/vnd.github.v3+json" \
+                    "$api_url" \
+                    -d "{\"tag_name\":\"$tag\",\"name\":\"Release $tag\",\"body\":\"$(cat "$release_notes")\"}")
+
+                local release_id=$(echo "$create_response" | python3 -c "import sys, json; print(json.load(sys.stdin)['id'])" 2>/dev/null || echo "")
+
+                for file in $files_to_upload; do
+                    if [[ -f "$file" ]]; then
+                        local file_name=$(basename "$file")
+                        local mime_type=$(file --mime-type -b "$file")
+
+                        curl -X POST \
+                            -H "Authorization: token $GITHUB_TOKEN" \
+                            -H "Content-Type: $mime_type" \
+                            --data-binary @"$file" \
+                            "https://uploads.github.com/repos/$repo/releases/$release_id/assets?name=$file_name" 2>/dev/null || {
+                                echo "Warning: Failed to upload $file_name"
+                            }
+                    fi
+                done
+            fi
+        else
+            echo "Error: GITHUB_TOKEN required for release upload."
+            return 1
+        fi
+    fi
+
+    echo "Release update complete!"
+}
+
+echo ""
+echo "Step 1: Generating hashes..."
+if [[ "$MODE" == "light" || "$MODE" == "both" ]]; then
+    if [[ -f "$EXPORT_DIR/thgtoa.pdf" ]]; then
+        create_hash_file "$EXPORT_DIR/thgtoa.pdf"
+    else
+        echo "Warning: $EXPORT_DIR/thgtoa.pdf not found. Ensure PDF is built first."
+    fi
+fi
+
+if [[ "$MODE" == "dark" || "$MODE" == "both" ]]; then
+    if [[ -f "$EXPORT_DIR/thgtoa-dark.pdf" ]]; then
+        create_hash_file "$EXPORT_DIR/thgtoa-dark.pdf"
+    else
+        echo "Warning: $EXPORT_DIR/thgtoa-dark.pdf not found. Ensure PDF is built first."
+    fi
+fi
+
+echo ""
+echo "Step 2: Scanning with VirusTotal..."
+scan_all_pdfs
+
+echo ""
+echo "Step 3: Updating release..."
+update_release "$GITHUB_REF_NAME"
+
+echo ""
+echo "PDF Release Script Complete!"