Commit b699ba6
Separate SBOM from dist/ so PyPI publish stops choking on it

The 2.1.0 publish run failed because dist/bitmath-2.1.0.cdx.json was
bundled into the dist artifact uploaded to PyPI. twine globs every file
in packages-dir and rejected the SBOM with
"InvalidDistribution: Unknown distribution format". The prior comment
("Keep the SBOM out of the PyPI upload") captured the intent but the
implementation never separated the file.

Generate the SBOM into sbom/, upload it as its own artifact, download
it separately in the publish job, and attach it to the GitHub release
from there. dist/ now contains only wheels and sdists.

1 parent cf0c16d commit b699ba6
1 file changed
Lines changed: 13 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
22 | 22 | | |
23 | 23 | | |
24 | 24 | | |
| 25 | + | |
25 | 26 | | |
26 | 27 | | |
27 | 28 | | |
28 | 29 | | |
29 | 30 | | |
30 | | - | |
| 31 | + | |
31 | 32 | | |
32 | 33 | | |
33 | 34 | | |
34 | 35 | | |
35 | 36 | | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
36 | 42 | | |
37 | 43 | | |
38 | 44 | | |
| |||
47 | 53 | | |
48 | 54 | | |
49 | 55 | | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
50 | 61 | | |
51 | 62 | | |
52 | 63 | | |
53 | | - | |
54 | 64 | | |
55 | 65 | | |
56 | 66 | | |
57 | 67 | | |
58 | 68 | | |
59 | 69 | | |
60 | 70 | | |
61 | | - | |
| 71 | + | |
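A pre-upload guard for the failure the commit message describes, as an added example that is not part of this commit or the bitmath project: it fails the job when dist/ holds anything other than wheels and sdists. The function names, the allowed-suffix list and the wheel file name are assumptions made for illustration; the file contents are constructed placeholders.

```python
import tempfile
from pathlib import Path

# Assumption: only wheels and gzip'd sdists are publishable, matching the
# commit's "dist/ now contains only wheels and sdists".
PUBLISHABLE_SUFFIXES = (".whl", ".tar.gz")


def split_dist_dir(dist_dir):
    """Return (publishable, strays) as sorted lists of entry names."""
    publishable, strays = [], []
    for entry in sorted(Path(dist_dir).iterdir()):
        if entry.is_file() and entry.name.endswith(PUBLISHABLE_SUFFIXES):
            publishable.append(entry.name)
        else:
            strays.append(entry.name)  # SBOMs, signatures, subdirectories
    return publishable, strays


def assert_clean_dist(dist_dir):
    """Raise before upload if dist/ holds anything but wheels and sdists."""
    publishable, strays = split_dist_dir(dist_dir)
    if strays:
        raise ValueError(f"non-distribution files in {dist_dir}: {strays}")
    if not publishable:
        raise ValueError(f"no wheels or sdists found in {dist_dir}")
    return publishable


def demo():
    """Constructed layout: the failing 2.1.0 dist/, then the fixed split."""
    with tempfile.TemporaryDirectory() as root:
        dist, sbom = Path(root, "dist"), Path(root, "sbom")
        dist.mkdir()
        sbom.mkdir()
        for name in ("bitmath-2.1.0-py3-none-any.whl",  # hypothetical wheel name
                     "bitmath-2.1.0.tar.gz", "bitmath-2.1.0.cdx.json"):
            (dist / name).write_bytes(b"")  # empty placeholder files
        before = split_dist_dir(dist)
        # The fix: the SBOM lives in sbom/, not dist/.
        (dist / "bitmath-2.1.0.cdx.json").rename(sbom / "bitmath-2.1.0.cdx.json")
        after = assert_clean_dist(dist)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Run as a step before the upload, a check like this turns a stray file into an explicit failure with the offending names listed, rather than a rejection from the upload tool.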