Releases: 0disoft/ai-bom-generator
Release list
AI-BOM Generator v0.2.1
Highlights
- Restores the canonical Apache License 2.0 text for reliable SPDX detection.
- Enables GitHub-enforced immutable releases and verifies immutability for future tags.
- Separates mutable
v0and exact-version external consumer smoke workflows. - Expands caller-setup-free Action coverage across Ubuntu, macOS, and Windows.
- Adds CodeQL, private vulnerability reporting guidance, and grouped Dependabot updates.
- Hardens release verification against PyPI propagation lag and malformed external smoke evidence.
Validation
- 128 unit and contract tests
- wheel and source distribution verification
- Ubuntu, macOS, and Windows managed-runtime smoke
- external exact
v0.2.1and mutablev0consumer smoke - CodeQL and PyPI Trusted Publishing with attestations
v0.2.0
Highlights
- Parse explicitly declared
uv.lockand requirements files into CycloneDX and SPDX dependency components. - Add bounded reads, warning-backed partial parsing, and ML ecosystem compatibility fixtures.
- Make the GitHub Action prepare pinned Python 3.12 and uv 0.11.28 without caller-side runtime setup.
- Bind post-release verification to the external smoke run's exact workflow commit and immutable Action ref.
Runtime boundaries
Dependency collection remains config-driven and offline. The Action may download only its pinned toolchain and locked project dependencies, keeps runtime state under RUNNER_TEMP, and does not resolve or mutate the caller project.
Rollback
Immutable tag v0.2.0 will not be retargeted. If a defect is found, keep exact users pinned and publish a corrected patch release before advancing mutable v0 again.
v0.1.4
Highlights
- Adds config-only opt-in artifact discovery with bounded model-file patterns and safe default excludes.
- Adds stricter provider-token and key-aware redaction plus artifact hashing and glob-budget hardening.
- Adds target-root config discovery and installed CLI version reporting.
- Adds the partial SPDX 3.0.1 AI Profile preview exporter with explicit unsupported-field notes and deterministic output.
- Keeps the CycloneDX JSON 1.7 and GitHub Action contracts backward compatible.
Validation
- Python 3.12 compile, Ruff, 93 unit and contract tests, wheel verification, GitHub Action wrapper smoke, and CLI fixture smoke passed locally.
- Hosted CI passed for the release commit.
Rollback
The immutable v0.1.4 tag will not be moved or deleted. Consumers can pin the prior v0.1.2 action tag or ai-bom-generator==0.1.2 while a corrective patch is prepared.
v0.1.2
Release v0.1.2.\n\n- Publishes ai-bom-generator to PyPI through Trusted Publishing.\n- Adds the PyPI publish workflow and validates package distributions before upload.\n- Keeps immutable GitHub Action patch tag usage for v0.1.2.\n\nValidation:\n- Publish PyPI workflow passed: https://github.com/0disoft/ai-bom-generator/actions/runs/28930381437\n- Package artifacts are available on PyPI for ai-bom-generator 0.1.2.
v0.1.1
Patch release for the local AI/ML BOM CLI and composite GitHub Action.
Highlights:
- Adds manifest-gated output-set writes and stale/partial output cleanup from the preceding hardening commits.
- Adds Ruff lint validation in CI and local validation docs.
- Preserves CLI/config precedence when GitHub Action inputs omit format or warning policy.
- Applies recursive artifact exclude globs before hashing, including
.gitand__pycache__subtrees selected by broad include patterns. - Expands strict redaction coverage for common AWS, Slack, GitLab, Google API key, Bearer, and JWT-shaped values.
- Reports blank dataset
license_declaredvalues as missing license warnings. - Caps Git metadata reads so oversized packed refs resolve as warnings instead of unbounded reads.
Deferred:
- PyPI publishing remains deferred until package-registry policy is approved.
- Mutable major action tags such as
v0remain deferred. - GitHub Marketplace registration remains deferred.
Validation:
- Local validation passed:
uv sync --locked, compileall, Ruff, unittest,uv build, wheel verification, GitHub Action wrapper verification, CLI smoke, andgit diff --check. - GitHub Actions passed on commit
82e6534: CI run28926353328and Dependency Graph run28926356278.
v0.1.0
First public MVP release.
Highlights:
- Adds the
ai-bom generateCLI for local AI/ML BOM generation. - Exports CycloneDX JSON 1.7 and validates generated BOMs against the packaged schema.
- Reads explicit
aibom.tomlconfig files with config schema v1 validation. - Collects declared model metadata, in-root
MODEL_CARD.mdpaths, selected artifact digests, dependency references, dataset references, prompt references, eval references, training references, and local Git commit evidence. - Emits machine-readable warning reports and JSON summaries.
- Defaults to strict redaction for generated output and terminal errors.
- Rejects unsafe target-root escapes, symlink escapes, overlapping output paths, directory output paths, and invalid artifact globs.
- Provides a composite GitHub Action wrapper around the CLI.
Deferred:
- PyPI publishing.
- Mutable major action tags such as
v0. - GitHub Marketplace registration.
- Automatic config, artifact, and lockfile discovery.
- SPDX AI exporter.
Validation:
- Local standard validation passed before tagging.
- GitHub Actions CI passed on commit
56c2fd9.