fix(ci): pin hash for cyclonedx-cli

This also fixes version handling in SBOM.

Author: nijel

.github/renovate.json

@@ -2,5 +2,31 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "github>WeblateOrg/meta:renovate"
-  ]
+  ],
+  "customManagers": [
+    {
+      "customType": "regex",
+      "description": "Update CycloneDX CLI binary version and GitHub release asset digest",
+      "managerFilePatterns": [
+        "/^\\.github\\/workflows\\/setup\\.yml$/"
+      ],
+      "matchStrings": [
+        "(?<indentation>[ \\t]*)# renovate-cyclonedx-cli\\r?\\n[ \\t]*CYCLONEDX_CLI_VERSION: (?<currentValue>\\S+)\\r?\\n[ \\t]*CYCLONEDX_CLI_DIGEST: (?<currentDigest>sha256:[a-f0-9]{64})"
+      ],
+      "depNameTemplate": "CycloneDX/cyclonedx-cli",
+      "packageNameTemplate": "CycloneDX/cyclonedx-cli",
+      "datasourceTemplate": "custom.github-release-asset-digest",
+      "versioningTemplate": "loose",
+      "autoReplaceStringTemplate": "{{{indentation}}}# renovate-cyclonedx-cli\n{{{indentation}}}CYCLONEDX_CLI_VERSION: {{{newValue}}}\n{{{indentation}}}CYCLONEDX_CLI_DIGEST: {{{newDigest}}}"
+    }
+  ],
+  "customDatasources": {
+    "github-release-asset-digest": {
+      "defaultRegistryUrlTemplate": "https://api.github.com/repos/{{{packageName}}}/releases?per_page=100",
+      "format": "json",
+      "transformTemplates": [
+        "{\"releases\": $map($[draft = false and prerelease = false and assets[name = \"cyclonedx-linux-x64\"]], function($release) { { \"version\": $release.tag_name, \"digest\": $release.assets[name = \"cyclonedx-linux-x64\"][0].digest, \"releaseTimestamp\": $release.published_at, \"sourceUrl\": $release.html_url } }), \"sourceUrl\": \"https://github.com/CycloneDX/cyclonedx-cli\"}"
+      ]
+    }
+  }
 }

.github/workflows/setup.yml

@@ -107,12 +107,11 @@ jobs:
     - name: Generate SBOM
       id: generate-sbom
       env:
-        # renovate: datasource=github-releases depName=CycloneDX/cyclonedx-cli versioning=loose
+        # renovate-cyclonedx-cli
         CYCLONEDX_CLI_VERSION: v0.31.0
+        CYCLONEDX_CLI_DIGEST: sha256:72c465982796cb930dd7bfabe68d869aea053c9b7a717dff9ceee56b5624eea4
       run: |
-        version=$(sed -n '/^VERSION =/ s/.*"\(.*\)"/\1/p' weblate/utils/version.py)
-        version=${version%-dev}
-        version=${version%-rc}
+        version=$(./scripts/show-version.py)
         sbom="build/sbom/weblate-$version-sbom.cdx.json"
         mkdir -p build/sbom
         uv export --preview-features sbom-export --format cyclonedx1.5 --all-extras --no-dev > build/sbom/python.json
@@ -122,9 +121,11 @@ jobs:
         npm sbom --omit dev --sbom-format cyclonedx --sbom-type application > ../build/sbom/javascript.json
         cd ..
         ./scripts/reproducible-sbom.py build/sbom/javascript.json
-        curl -L "https://github.com/CycloneDX/cyclonedx-cli/releases/download/$CYCLONEDX_CLI_VERSION/cyclonedx-linux-x64" > /tmp/cyclonedx-linux-x64
-        chmod +x /tmp/cyclonedx-linux-x64
-        /tmp/cyclonedx-linux-x64 merge --input-files build/sbom/*.json --output-file "$sbom"
+        cyclonedx_cli=/tmp/cyclonedx-linux-x64
+        curl -fsSL "https://github.com/CycloneDX/cyclonedx-cli/releases/download/$CYCLONEDX_CLI_VERSION/cyclonedx-linux-x64" > "$cyclonedx_cli"
+        echo "${CYCLONEDX_CLI_DIGEST#sha256:}  $cyclonedx_cli" | sha256sum --check --strict
+        chmod +x "$cyclonedx_cli"
+        "$cyclonedx_cli" merge --input-files build/sbom/*.json --output-file "$sbom"
         ./scripts/reproducible-sbom.py "$sbom"
         echo "path=$sbom" >> "$GITHUB_OUTPUT"
     - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1

scripts/show-version.py

@@ -0,0 +1,24 @@
+#!/usr/bin/env python
+
+# Copyright © Michal Čihař <michal@weblate.org>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import ast
+from pathlib import Path
+
+from packaging.version import Version
+
+module = ast.parse(Path("weblate/utils/version.py").read_text(encoding="utf-8"))
+for node in module.body:
+    if not isinstance(node, ast.Assign):
+        continue
+    if any(
+        isinstance(target, ast.Name) and target.id == "VERSION"
+        for target in node.targets
+    ):
+        print(Version(ast.literal_eval(node.value)).base_version)
+        break
+else:
+    msg = "VERSION not found in weblate/utils/version.py"
+    raise SystemExit(msg)