Conversation

Contributor

Copilot AI commented Jan 1, 2026

PyPI rejects sbom.json with InvalidDistribution: Unknown distribution format. The SBOM file was being generated in dist/ and included in the PyPI upload, but PyPI only accepts .whl and .tar.gz files.

Changes

  • Move sbom.json to attestations/ directory before PyPI publish step (alongside existing Sigstore attestation files)
  • Update GitHub release upload to reference attestations/sbom.json instead of dist/sbom.json
- name: Move Sigstore attestations and SBOM out of dist
  run: |
    mkdir -p attestations
    if ls dist/*.sigstore.json 1> /dev/null 2>&1; then
      mv dist/*.sigstore.json attestations/
    fi
    if [ -f dist/sbom.json ]; then
      mv dist/sbom.json attestations/
    fi

Result: Only .whl and .tar.gz files remain in dist/ for PyPI upload. SBOM still included in GitHub releases.

Original prompt

#161 was incomplete, see the last error:
Status: Downloaded newer image for ghcr.io/pypa/gh-action-pypi-publish:v1.13.0
Checking dist/gsppy-3.2.6-py3-none-any.whl: PASSED
Checking dist/gsppy-3.2.6.tar.gz: PASSED
Checking dist/sbom.json: ERROR InvalidDistribution: Unknown distribution format: 'sbom.json'

Fix to guarantee only the right files are uploaded

This fix ensures that only .whl and .tar.gz files remain in the dist/
directory when uploading to PyPI, preventing the InvalidDistribution error
for sbom.json. The SBOM file is now moved to the attestations/ directory
along with Sigstore attestation files, and uploaded to GitHub releases from there.

Co-authored-by: jacksonpradolima <[email protected]>
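As an added example (not the project's own workflow code), a POSIX shell version of the same separation that generalizes the PR's step to any file that is not a wheel or sdist, plus a pre-publish check that fails if anything else is still in dist/; the directory layout and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the project's workflow: split a build output directory
# into PyPI-uploadable distributions and everything else, then verify that
# only .whl / .tar.gz files remain before publishing. Unlike the PR's step,
# which moves sbom.json and *.sigstore.json by name, this moves any stray file.

# move_non_distributions DIST_DIR ATTEST_DIR
# Moves every regular file in DIST_DIR that is not a wheel or sdist to ATTEST_DIR.
move_non_distributions() {
  dist_dir=$1
  attest_dir=$2
  mkdir -p "$attest_dir"
  for f in "$dist_dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.whl|*.tar.gz) ;;            # keep: the only formats PyPI accepts
      *) mv "$f" "$attest_dir"/ ;;  # anything else would raise InvalidDistribution
    esac
  done
}

# check_dist_only DIST_DIR
# Returns 0 if DIST_DIR holds only .whl / .tar.gz files, 1 otherwise
# (offenders are listed on stderr). Run this right before the publish step.
check_dist_only() {
  dist_dir=$1
  status=0
  for f in "$dist_dir"/*; do
    [ -e "$f" ] || continue
    case "$f" in
      *.whl|*.tar.gz) ;;
      *) echo "not a distribution: $f" >&2; status=1 ;;
    esac
  done
  return "$status"
}

# Constructed demo tree; the artifact names are placeholders, not real releases.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/dist"
: > "$demo_dir/dist/example-1.0.0-py3-none-any.whl"
: > "$demo_dir/dist/example-1.0.0.tar.gz"
: > "$demo_dir/dist/sbom.json"
: > "$demo_dir/dist/example-1.0.0-py3-none-any.whl.sigstore.json"

# Before the move the check fails (sbom.json and the attestation are reported);
# after it, dist/ is clean and the publish step can run.
if check_dist_only "$demo_dir/dist"; then echo "unexpected: dist/ already clean"; fi
move_non_distributions "$demo_dir/dist" "$demo_dir/attestations"
check_dist_only "$demo_dir/dist" && echo "dist/ ready for PyPI upload"
```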

sonarqubecloud bot commented Jan 1, 2026

Copilot AI changed the title [WIP] Fix upload validation for distribution files Move SBOM file out of dist/ before PyPI upload Jan 1, 2026
Copilot AI requested a review from jacksonpradolima January 1, 2026 18:40
@jacksonpradolima jacksonpradolima marked this pull request as ready for review January 1, 2026 18:49
Copilot AI review requested due to automatic review settings January 1, 2026 18:49
@jacksonpradolima jacksonpradolima merged commit 26dc9bf into master Jan 1, 2026
10 of 14 checks passed
@jacksonpradolima jacksonpradolima deleted the copilot/fix-upload-file-validation branch January 1, 2026 18:49
Contributor

Copilot AI left a comment

Pull request overview

This PR fixes a PyPI upload failure by ensuring only .whl and .tar.gz files remain in the dist/ directory. PyPI was rejecting sbom.json with an InvalidDistribution: Unknown distribution format error. The fix moves the SBOM file to an attestations/ directory before the PyPI publish step, mirroring the existing approach for Sigstore attestation files.

Key changes:

  • Move sbom.json from dist/ to attestations/ directory before PyPI upload
  • Update GitHub release asset path to reference attestations/sbom.json
