
Commit b699ba6

Separate SBOM from dist/ so PyPI publish stops choking on it
The 2.1.0 publish run failed because dist/bitmath-2.1.0.cdx.json was bundled into the dist artifact uploaded to PyPI. twine globs every file in packages-dir and rejected the SBOM with "InvalidDistribution: Unknown distribution format". The prior comment ("Keep the SBOM out of the PyPI upload") captured the intent but the implementation never separated the file. Generate the SBOM into sbom/, upload it as its own artifact, download it separately in the publish job, and attach it to the GitHub release from there. dist/ now contains only wheels and sdists.
1 parent cf0c16d commit b699ba6

1 file changed

Lines changed: 13 additions & 3 deletions


.github/workflows/publish.yml

@@ -22,17 +22,23 @@ jobs:
2222
run: |
2323
pip install cyclonedx-bom
2424
VERSION=$(cat VERSION)
25+
mkdir -p sbom
2526
python -m venv /tmp/sbom-env
2627
/tmp/sbom-env/bin/pip install --upgrade pip
2728
/tmp/sbom-env/bin/pip install --no-deps dist/*.whl
2829
cyclonedx-py environment /tmp/sbom-env/bin/python \
2930
--output-format JSON \
30-
--output-file "dist/bitmath-${VERSION}.cdx.json"
31+
--output-file "sbom/bitmath-${VERSION}.cdx.json"
3132
- name: Upload dist artifacts
3233
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
3334
with:
3435
name: dist
3536
path: dist/
37+
- name: Upload SBOM artifact
38+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
39+
with:
40+
name: sbom
41+
path: sbom/
3642

3743
publish:
3844
needs: build
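Review bot: the new "Upload SBOM artifact" step will silently upload an empty artifact if the cyclonedx-py step produces nothing under sbom/, because actions/upload-artifact only warns on an empty path by default; add `if-no-files-found: error` under `with:` so a missing SBOM fails the build job instead of surfacing later as a glob miss in the publish job. Worth noting in a comment next to `mkdir -p sbom` that the SBOM is generated from a `--no-deps` venv, so it describes only the bitmath wheel itself and no transitive dependencies, which is the current behaviour and presumably intended.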
@@ -47,15 +53,19 @@ jobs:
4753
with:
4854
name: dist
4955
path: dist/
56+
- name: Download SBOM artifact
57+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
58+
with:
59+
name: sbom
60+
path: sbom/
5061
- name: Publish to PyPI
5162
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
5263
with:
53-
# Keep the SBOM out of the PyPI upload; it ships on the GitHub release instead.
5464
packages-dir: dist/
5565
skip-existing: false
5666
- name: Attach SBOM to GitHub Release
5767
env:
5868
GH_TOKEN: ${{ github.token }}
5969
run: |
6070
TAG="${GITHUB_REF#refs/tags/}"
61-
gh release upload "$TAG" dist/bitmath-*.cdx.json --clobber --repo "$GITHUB_REPOSITORY"
71+
gh release upload "$TAG" sbom/bitmath-*.cdx.json --clobber --repo "$GITHUB_REPOSITORY"
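Review bot: the comment "Keep the SBOM out of the PyPI upload; it ships on the GitHub release instead." is deleted but the intent is now enforced only by directory layout, so a future step that writes into dist/ would reproduce the "Unknown distribution format" failure; a cheap guard before "Publish to PyPI" that fails if dist/ holds anything other than *.whl and *.tar.gz (for example `ls dist/` followed by a check on the listing) would catch that regression early. Also note the ordering: "Attach SBOM to GitHub Release" runs after the PyPI publish, so if the `gh release upload` fails (missing release for `$TAG`, glob matching no file) the version is already live on PyPI without its SBOM attached; downloading and validating the sbom artifact before the publish step keeps the two artifacts in lockstep.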
