Fix SBOM: valid JSON format for attest-sbom action

DeusData · DeusData · commit e0bce845ebce · 2026-03-21T16:34:03.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -427,29 +427,11 @@ jobs:
       # ── SBOM generation ──────────────────────────────────────
       - name: Generate SBOM
         run: |
-          cat > sbom.json << 'SBOMEOF'
-          {
-            "bomFormat": "CycloneDX",
-            "specVersion": "1.4",
-            "version": 1,
-            "metadata": {
-              "component": {
-                "type": "application",
-                "name": "codebase-memory-mcp",
-                "version": "${{ inputs.version }}"
-              }
-            },
-            "components": [
-              {"type": "library", "name": "sqlite3", "version": "3.49.1", "description": "Vendored SQLite amalgamation"},
-              {"type": "library", "name": "yyjson", "version": "0.10.0", "description": "Fast JSON parser"},
-              {"type": "library", "name": "mongoose", "version": "7.16", "description": "Embedded HTTP server"},
-              {"type": "library", "name": "mimalloc", "version": "2.1.7", "description": "Memory allocator"},
-              {"type": "library", "name": "xxhash", "version": "0.8.2", "description": "Fast hash function"},
-              {"type": "library", "name": "tre", "version": "0.8.0", "description": "POSIX regex (Windows)"},
-              {"type": "library", "name": "tree-sitter", "version": "0.24.4", "description": "AST parser runtime (64 grammars)"}
-            ]
-          }
+          cat > sbom.json <<SBOMEOF
+          {"bomFormat":"CycloneDX","specVersion":"1.4","version":1,"metadata":{"component":{"type":"application","name":"codebase-memory-mcp","version":"${{ inputs.version }}"}},"components":[{"type":"library","name":"sqlite3","version":"3.49.1","description":"Vendored SQLite amalgamation"},{"type":"library","name":"yyjson","version":"0.10.0","description":"Fast JSON parser"},{"type":"library","name":"mongoose","version":"7.16","description":"Embedded HTTP server"},{"type":"library","name":"mimalloc","version":"2.1.7","description":"Memory allocator"},{"type":"library","name":"xxhash","version":"0.8.2","description":"Fast hash function"},{"type":"library","name":"tre","version":"0.8.0","description":"POSIX regex (Windows)"},{"type":"library","name":"tree-sitter","version":"0.24.4","description":"AST parser runtime (64 grammars)"}]}
           SBOMEOF
+          # Trim leading whitespace from heredoc
+          python3 -c "import json; d=json.load(open('sbom.json')); json.dump(d,open('sbom.json','w'),indent=2)"
 
       - name: Attest SBOM
         uses: actions/attest-sbom@v2
