ci: fix publish — move SBOM out of dist/, fix attach-sbom repo context

InvariantSystems · InvariantSystems · commit bca85ae7bcd1 · 2026-03-09T10:47:04.000-04:00
Two fixes:
1. SBOM was generated into dist/ causing PyPI publisher to reject it
   as 'Unknown distribution format'. Now generated to sbom/ and
   uploaded as a separate artifact.
2. attach-sbom job had no git checkout so `gh release upload` failed
   with 'not a git repository'. Added --repo flag instead.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -157,15 +157,15 @@ jobs:
     steps:
       - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3  # v8.0.0
         with:
-          name: dist
-          path: dist/
+          name: sbom
+          path: sbom/
       - name: Upload SBOM to GitHub Release
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          if [ -f dist/aiir-sbom.cdx.json ]; then
-            gh release upload "$GITHUB_REF_NAME" dist/aiir-sbom.cdx.json \
-              --clobber
+          if [ -f sbom/aiir-sbom.cdx.json ]; then
+            gh release upload "$GITHUB_REF_NAME" sbom/aiir-sbom.cdx.json \
+              --clobber --repo "${{ github.repository }}"
             echo "✅ SBOM attached to release $GITHUB_REF_NAME"
           else
             echo "::warning::SBOM file not found — skipping"
@@ -192,14 +192,19 @@ jobs:
           # declared dependencies (which is zero for aiir, but proves it).
           # NOTE: --schema-version was removed in cyclonedx-bom v7; the tool
           # now emits the latest CycloneDX schema version automatically.
+          mkdir -p sbom
           cyclonedx-py environment \
             --output-format json \
-            --output-file dist/aiir-sbom.cdx.json
-          echo "✅ SBOM generated: $(wc -c < dist/aiir-sbom.cdx.json) bytes"
+            --output-file sbom/aiir-sbom.cdx.json
+          echo "✅ SBOM generated: $(wc -c < sbom/aiir-sbom.cdx.json) bytes"
       - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
           name: dist
           path: dist/
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
+        with:
+          name: sbom
+          path: sbom/
 
   # ── Step 3: Publish to PyPI ────────────────────────────────────────
   publish:
