
ci: generate and publish Python SBOM (.cdx.json) alongside wheel/tar.gz#1171

Merged
spoorcc merged 3 commits into main from claude/add-sbom-generation-Cm0dt on Apr 30, 2026

Conversation

spoorcc (Contributor) commented Apr 29, 2026

  • In build.yml build-whl: install built wheel + cyclonedx-bom, run
    cyclonedx-py environment to produce dfetch-VERSION-py.cdx.json in
    dist/; the existing release job uploads dist/* so the SBOM is
    automatically attached to the GitHub release draft.
  • In python-publish.yml build: same generation but SBOM goes into
    dist-sbom/ (separate from dist/) to keep PyPI upload clean; stored
    as a python-sbom artifact.
  • In python-publish.yml deploy: downloads the python-sbom artifact
    and attaches it to the published GitHub release via
    softprops/action-gh-release; adds contents: write permission.

https://claude.ai/code/session_01VPK44jamDeLp4Tcy916XDT

Summary by CodeRabbit

  • Chores
    • Added SBOM (Software Bill of Materials) generation to the build process for Python distributions.
    • Updated CI/CD workflows to automatically generate and publish SBOMs to GitHub releases for improved supply chain transparency.

- In build.yml build-whl: install built wheel + cyclonedx-bom, run
  cyclonedx-py environment to produce dfetch-VERSION-py.cdx.json in
  dist/; the existing release job uploads dist/* so the SBOM is
  automatically attached to the GitHub release draft.
- In python-publish.yml build: same generation but SBOM goes into
  dist-sbom/ (separate from dist/) to keep PyPI upload clean; stored
  as a python-sbom artifact.
- In python-publish.yml deploy: downloads the python-sbom artifact
  and attaches it to the published GitHub release via
  softprops/action-gh-release; adds contents: write permission.

https://claude.ai/code/session_01VPK44jamDeLp4Tcy916XDT
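As an added check, not part of this PR or the dfetch project: a small Python validator for the CycloneDX JSON that the build job attaches to the release, comparing its components with the packages a release is expected to ship. It assumes the SBOM comes from `cyclonedx-py environment`, which inventories every distribution installed in the interpreter, so cyclonedx-bom itself (installed next to the wheel) shows up as a component; the sample document below is constructed.

```python
"""Sanity-check a CycloneDX JSON SBOM (dfetch-VERSION-py.cdx.json style):
confirm the document shape, then diff its components against an expected
package set. Added example, not the project's code."""
import json
import re


def canonical(name):
    """PEP 503 normalisation so 'PyYAML', 'pyyaml' and 'py_yaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def load_components(sbom_text):
    """Return {normalised name: version} for every component in the SBOM.
    Raises ValueError when the document is not a CycloneDX BOM."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        raise ValueError("not a CycloneDX document")
    return {canonical(c["name"]): c.get("version") for c in doc.get("components", [])}


def compare(sbom_text, expected):
    """expected: {package name: version} taken from the pins you ship.
    Returns (missing, unexpected, version_mismatch) as sorted name lists."""
    found = load_components(sbom_text)
    exp = {canonical(n): v for n, v in expected.items()}
    missing = sorted(set(exp) - set(found))
    unexpected = sorted(set(found) - set(exp))
    mismatch = sorted(n for n in set(exp) & set(found) if exp[n] != found[n])
    return missing, unexpected, mismatch


# Constructed sample in the shape cyclonedx-py `environment` emits, trimmed
# to the fields the check reads; package names and versions are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "dfetch", "version": "0.0.0",
         "purl": "pkg:pypi/dfetch@0.0.0"},
        {"type": "library", "name": "PyYAML", "version": "6.0.1",
         "purl": "pkg:pypi/pyyaml@6.0.1"},
        {"type": "library", "name": "cyclonedx-bom", "version": "4.0.0",
         "purl": "pkg:pypi/cyclonedx-bom@4.0.0"},
    ],
})

if __name__ == "__main__":
    # cyclonedx-bom appears because it was installed into the same environment
    # as the wheel: a typical "unexpected" entry to decide on before publishing.
    print(compare(SAMPLE_SBOM, {"dfetch": "0.0.0", "pyyaml": "6.0.1"}))
```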
coderabbitai Bot (Contributor) commented Apr 29, 2026

Warning

Rate limit exceeded

@spoorcc has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 50 minutes and 13 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6c21eecd-3187-45ad-aff4-2e9ddce160d7

📥 Commits

Reviewing files that changed from the base of the PR and between f7c9aef and b1c6eae.

📒 Files selected for processing (1)
  • .github/workflows/python-publish.yml

Walkthrough

The pull request modifies CI workflows and a build script to integrate SBOM (Software Bill of Materials) generation for Python distributions. It switches dependency installation to use project extras, adds new SBOM generation steps in CI, and extends the SBOM creation script with command-line options to support both Python and platform-specific package formats.

Changes

Cohort / File(s) | Summary
CI Workflow Configuration: .github/workflows/build.yml, .github/workflows/python-publish.yml | Modified dependency installation to use pip install .[wheel] instead of installing build directly. Added SBOM generation steps using script/create_sbom.py --py with output to dist-sbom/. Enhanced python-publish workflow to upload SBOM as artifact and publish to GitHub Release with new contents: write permission.
Project Configuration: pyproject.toml | Added new optional dependency group wheel containing build==1.2.2 under [project.optional-dependencies].
Build Script Enhancement: script/create_sbom.py | Extended with command-line arguments --py and --output-dir to support generating SBOMs for Python distributions or platform binaries. Updated output path logic to derive from dist/ or build/dfetch-package/ directories and refactored variable naming for clarity.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

development, github_actions

Suggested reviewers

  • ben-edna
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title clearly and concisely describes the main change: adding SBOM generation and publishing for Python distributions alongside existing artifacts.
Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


Extend script/create_sbom.py with a --py flag and an optional
--output-dir argument so the Python distribution SBOM follows the
same pattern as the binary one (pip install .[extra] then the script).

- create_sbom.py: add parse_args(); --py uses suffix "py" and defaults
  output to dist/; --output-dir overrides the directory for both modes
- pyproject.toml: add wheel = ["build==1.2.2"] optional dependency so
  the build frontend is pinned alongside the rest of the toolchain
- build.yml build-whl: replace pip install + inline cyclonedx invocation
  with pip install .[wheel] + python script/create_sbom.py --py
- python-publish.yml build: same, passing --output-dir dist-sbom to
  keep the SBOM out of dist/ so PyPI upload stays clean

https://claude.ai/code/session_01VPK44jamDeLp4Tcy916XDT
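An illustrative reimplementation of the option and output-path pattern this commit describes (example code, not the project's create_sbom.py): --py selects suffix "py" with dist/ as the default directory, otherwise the binary SBOM lands under build/dfetch-package/, and --output-dir overrides the directory in both modes. The binary-mode suffix "bin", the placeholder version, and the --of/-o flags of the cyclonedx-py CLI are assumptions not stated on the page.

```python
"""Option parsing and output-path resolution in the style the commit
describes for create_sbom.py. Added example; not the project's script."""
import argparse
from pathlib import Path


def parse_args(argv):
    """Parse the two options the commit adds; argv excludes the program name."""
    parser = argparse.ArgumentParser(description="Create a CycloneDX SBOM")
    parser.add_argument("--py", action="store_true",
                        help="SBOM for the Python wheel/sdist instead of the binary")
    parser.add_argument("--output-dir", type=Path, default=None,
                        help="write the SBOM here instead of the mode's default dir")
    return parser.parse_args(argv)


def sbom_path(args, version, bin_suffix="bin"):
    """Return <dir>/dfetch-<version>-<suffix>.cdx.json for the chosen mode.
    bin_suffix is a placeholder: the page does not state the binary suffix."""
    suffix = "py" if args.py else bin_suffix
    default_dir = Path("dist") if args.py else Path("build") / "dfetch-package"
    out_dir = args.output_dir if args.output_dir is not None else default_dir
    return out_dir / f"dfetch-{version}-{suffix}.cdx.json"


def cyclonedx_py_command(output):
    """Command for the Python mode: inventory the current interpreter's
    environment (where the freshly built wheel was installed) as JSON.
    Assumes the cyclonedx-bom 4.x CLI spelling of --of and -o."""
    return ["cyclonedx-py", "environment", "--of", "JSON", "-o", str(output)]


if __name__ == "__main__":
    import subprocess
    import sys
    opts = parse_args(sys.argv[1:])
    target = sbom_path(opts, version="0.0.0")  # placeholder; read the real version
    target.parent.mkdir(parents=True, exist_ok=True)
    if opts.py:
        subprocess.run(cyclonedx_py_command(target), check=True)
    else:
        print("binary mode is not part of this illustration; would write", target)
```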
coderabbitai Bot (Contributor) left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/python-publish.yml:
- Around line 101-114: The publish-to-PyPI step ("Publish distribution 📦 to PyPI" that uses pypa/gh-action-pypi-publish@...) makes the workflow non-idempotent because subsequent SBOM upload steps (e.g., "Upload SBOM to GitHub Release" using softprops/action-gh-release) can fail and block re-runs; fix by either moving the PyPI publish step to run after the SBOM download/upload steps, or make the pypa/gh-action-pypi-publish step idempotent by adding the skip-existing option (set skip-existing: true under the publish step's with: block) so re-runs won't fail if the package version already exists.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d1bec0c2-828d-4687-88ea-30ad712508f2

📥 Commits

Reviewing files that changed from the base of the PR and between 7e372b5 and f7c9aef.

📒 Files selected for processing (4)
  • .github/workflows/build.yml
  • .github/workflows/python-publish.yml
  • pyproject.toml
  • script/create_sbom.py

Add skip-existing: true to the production PyPI publish step in the
deploy job, matching the existing testpypi job. Without this, if the
SBOM download/upload steps after the publish step fail, a re-run would
be blocked because PyPI rejects re-uploading an already-published version.

https://claude.ai/code/session_01VPK44jamDeLp4Tcy916XDT
spoorcc merged commit 7f8ddec into main on Apr 30, 2026
42 checks passed
spoorcc deleted the claude/add-sbom-generation-Cm0dt branch on April 30, 2026 05:38