feat: enhance release workflow with comprehensive artifact management

ig596 · ig596 · commit 369454a65aad · 2025-08-21T11:59:54.000-04:00
- Enable semantic-release to handle Python package building with Poetry
- Add Docker image tar generation and upload to GitHub releases
- Include SBOM (Software Bill of Materials) generation and release attachment
- Implement distributed job architecture for better fault isolation:
  - semantic-release: handles versioning and Python package release
  - sbom-generation: creates security manifests in parallel
  - publish: builds Docker artifacts and publishes to TestPyPI
- Pin anchore/sbom-action to v0.17.6 for security
- Configure proper version coordination across all jobs
- Ensure all artifacts are attached to the same GitHub release

This creates a complete release pipeline that produces:
- Python wheel and source distribution (via semantic-release)
- Docker image tar for local loading
- SBOM for supply chain security compliance
- TestPyPI publication for external distribution
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -49,7 +49,6 @@ jobs:
           tag: true  # Tag the release
           push: true  # Push changes back to the repository
           commit: true  # Commit changes
-          build: false  # Skip build in semantic-release since we'll do it separately
 
 
   sbom-generation:
@@ -62,13 +61,30 @@ jobs:
       security-events: write
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.head_ref || github.ref_name }}
+      - name: Get version
+        id: version
+        run: |
+          # Get version from pyproject.toml after semantic-release updated it
+          VERSION=$(grep '^version =' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Version: $VERSION"
       - name: Generate SBOM
-        uses: anchore/sbom-action@v0
+        uses: anchore/sbom-action@v0.17.6
         with:
           path: .  # Generate SBOM for the entire repository
           artifact-name: sbom.spdx.json  # Name of the generated SBOM file
           format: spdx-json  # Use SPDX format for SBOM
           dependency-snapshot: true  # Include dependency snapshot
+      - name: Upload SBOM to GitHub release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: v${{ steps.version.outputs.version }}
+          files: sbom.spdx.json
+          draft: false
+          prerelease: false
 
   publish:
     needs: semantic-release
@@ -79,20 +95,35 @@ jobs:
         with:
           fetch-depth: 0
           ref: ${{ github.head_ref || github.ref_name }}
-      - name: Set up Python
+      - name: Get version
+        id: version
+        run: |
+          # Get version from pyproject.toml after semantic-release updated it
+          VERSION=$(grep '^version =' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Version: $VERSION"
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build Docker image as tar
+        run: |
+          docker build -t network-reputation-check:v${{ steps.version.outputs.version }} .
+          docker save network-reputation-check:v${{ steps.version.outputs.version }} -o network-reputation-check-v${{ steps.version.outputs.version }}.tar
+      - name: Upload Docker tar to GitHub release
+        uses: softprops/action-gh-release@v2
+        with:
+          tag_name: v${{ steps.version.outputs.version }}
+          files: network-reputation-check-v${{ steps.version.outputs.version }}.tar
+          draft: false
+          prerelease: false
+      - name: Set up Python for TestPyPI publishing
         uses: actions/setup-python@v5
         with:
           python-version: 3.11
-      - name: Install dependencies
-        run: |
-          pip install poetry
-          poetry install --with dev
-      - name: Build package
-        run: |
-          poetry build
-      - name: Publish to TestPyPI
+      - name: Install Poetry and publish to TestPyPI
         env:
           POETRY_PYPI_TOKEN_TESTPYPI: ${{ secrets.TEST_PYPI_API_TOKEN }}
         run: |
+          pip install poetry
+          poetry install --with dev
           poetry config repositories.testpypi https://test.pypi.org/legacy/
           poetry publish --repository testpypi
diff --git a/pyproject.toml b/pyproject.toml
@@ -62,7 +62,7 @@ version_toml = ["pyproject.toml:project.version"]
 allow_zero_version = true
 commit_message = "chore(release): {version} [skip ci]"
 commit_author = "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>"
-build_command = "poetry build"
+build_command = "pip install poetry && poetry build"
 upload_to_vcs_release = true
 
 [build-system]
