Add SBOM to publish.yml (#25)

glenn-jocher · web-flow · commit f6540f5bc6ad · 2025-08-30T18:34:12.000+02:00
Signed-off-by: Glenn Jocher &lt;glenn.jocher@ultralytics.com&gt;
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -92,6 +92,32 @@ jobs:
           path: dist/
       - uses: pypa/gh-action-pypi-publish@release/v1
 
+  sbom:
+    needs: [check, build, publish]
+    if: needs.check.outputs.increment == 'True'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.x"
+      - uses: astral-sh/setup-uv@v6
+      - run: |
+          uv venv sbom-env
+          uv pip install -e .
+        env:
+          VIRTUAL_ENV: sbom-env
+      - uses: anchore/sbom-action@v0
+        with:
+          format: spdx-json
+          output-file: sbom.spdx.json
+          path: sbom-env
+      - run: gh release upload ${{ needs.check.outputs.current_tag }} sbom.spdx.json
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   notify:
     needs: [check, publish]
     if: always() && needs.check.outputs.increment == 'True'
@@ -104,7 +130,7 @@ jobs:
         run: |
           PR_JSON=$(gh pr list --search "${GITHUB_SHA}" --state merged --json number,title --jq '.[0]')
           PR_NUMBER=$(echo "${PR_JSON}" | jq -r '.number')
-          PR_TITLE=$(echo "${PR_JSON}" | jq -r '.title')
+          PR_TITLE=$(echo "${PR_JSON}" | jq -r '.title' | sed 's/"/\\"/g')
           echo "PR_NUMBER=${PR_NUMBER}" >> "${GITHUB_ENV}"
           echo "PR_TITLE=${PR_TITLE}" >> "${GITHUB_ENV}"
       - name: Notify Success
diff --git a/autoimport/__init__.py b/autoimport/__init__.py
@@ -3,4 +3,4 @@
 from autoimport.main import LazyLoader, lazy
 
 __all__ = ("LazyLoader", "lazy")
-__version__ = "0.0.3"
+__version__ = "0.0.4"
