fix(ci): move PyPI publish before SBOM generation (#430)

wphillipmoore · wphillipmoore-claude · web-flow · commit 0d1c4bd2b528 · 2026-03-02T14:38:03.000Z
Reverts the ordering regression from #392. The SBOM writes a .cdx.json file into dist/ which causes pypa/gh-action-pypi-publish to fail with InvalidDistribution. PyPI publish must run before SBOM generation, matching the original fix in #284. Co-authored-by: wphillipmoore-claude <255925739+wphillipmoore-claude@users.noreply.github.com>
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -80,6 +80,10 @@ jobs:
         with:
           subject-path: "dist/*"
 
+      - name: Publish to PyPI
+        if: steps.pypi_check.outputs.status == 'not_found'
+        uses: pypa/gh-action-pypi-publish@release/v1
+
       - name: Generate SBOM
         if: steps.tag_check.outputs.exists == 'false'
         uses: wphillipmoore/standard-actions/actions/security/trivy@develop
@@ -106,10 +110,6 @@ jobs:
             - [Documentation](https://wphillipmoore.github.io/mq-rest-admin-python/)
           release-artifacts: dist/*
 
-      - name: Publish to PyPI
-        if: steps.pypi_check.outputs.status == 'not_found'
-        uses: pypa/gh-action-pypi-publish@release/v1
-
       - name: Generate app token for bump PR
         if: steps.tag_check.outputs.exists == 'false'
         id: app-token
