
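name: Release SBOM

on:
  workflow_dispatch:
  release:
    types:
      - published

# Job-level permissions, each tied to a step below:
#   contents: write      -> `gh release upload` in the final step
#   id-token: write      -> OIDC identity used by actions/attest
#   attestations: write  -> storing the attestation bundles
#   artifact-metadata: write -> presumably needed by the pinned
#                               upload-artifact; kept as in the original
permissions:
  contents: write
  id-token: write
  attestations: write
  artifact-metadata: write

jobs:
  build-and-sbom:
    name: Build Dist And SBOM
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.11"

      # Tooling is version-pinned so the SBOM generator itself is reproducible.
      - name: Install build and SBOM tooling
        run: |
          python -m pip install --upgrade pip
          python -m pip install build==1.4.0 cyclonedx-bom==7.2.2

      - name: Build package distributions
        run: python -m build --sdist --wheel

      # The SBOM is generated from a fresh venv holding only the built wheel
      # and what it pulls in, not from the runner's build environment.
      - name: Create isolated environment for SBOM target
        run: |
          python -m venv .sbom-venv
          . .sbom-venv/bin/activate
          python -m pip install --upgrade pip
          python -m pip install dist/*.whl

      - name: Generate CycloneDX SBOM
        run: |
          mkdir -p artifacts
          cyclonedx-py environment .sbom-venv \
            --pyproject pyproject.toml \
            --mc-type library \
            --output-reproducible \
            --spec-version 1.6 \
            --output-format JSON \
            --output-file artifacts/epacomp-tox-mcp.sbom.cdx.json

      # NOTE(review): no predicate input is given here - confirm that this
      # pinned actions/attest version produces a provenance predicate by
      # default; otherwise actions/attest-build-provenance is the intended action.
      - name: Attest release provenance
        id: attest-provenance
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-path: dist/*

      - name: Attest release SBOM
        id: attest-sbom
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-path: dist/*
          sbom-path: artifacts/epacomp-tox-mcp.sbom.cdx.json

      # Step outputs go through env vars instead of ${{ }} inside the script
      # so their content is never expanded as shell syntax.
      - name: Normalize attestation bundles
        env:
          PROVENANCE_BUNDLE: ${{ steps.attest-provenance.outputs.bundle-path }}
          SBOM_BUNDLE: ${{ steps.attest-sbom.outputs.bundle-path }}
        run: |
          mkdir -p artifacts/attestations
          cp "$PROVENANCE_BUNDLE" artifacts/attestations/release-provenance.bundle.json
          cp "$SBOM_BUNDLE" artifacts/attestations/release-sbom-attestation.bundle.json

      - name: Upload release artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: release-dist-and-sbom
          path: |
            dist/*
            artifacts/epacomp-tox-mcp.sbom.cdx.json
            artifacts/attestations/*.json

      # The tag name is user-supplied text; passing it via env (not ${{ }}
      # inside `run`) keeps it a single quoted argument rather than script
      # text, which closes the expression-injection path.
      - name: Attach artifacts to GitHub release
        if: github.event_name == 'release'
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          gh release upload "$RELEASE_TAG" \
            dist/* \
            artifacts/epacomp-tox-mcp.sbom.cdx.json \
            artifacts/attestations/*.json \
            --clobber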