Skip to content

Releases: 0disoft/ai-bom-generator

AI-BOM Generator v0.2.1

Choose a tag to compare

@0disoft 0disoft released this 11 Jul 11:24
Immutable release. Only release title and notes can be modified.

Highlights

  • Restores the canonical Apache License 2.0 text for reliable SPDX detection.
  • Enables GitHub-enforced immutable releases and verifies immutability for future tags.
  • Separates mutable v0 and exact-version external consumer smoke workflows.
  • Expands caller-setup-free Action coverage across Ubuntu, macOS, and Windows.
  • Adds CodeQL, private vulnerability reporting guidance, and grouped Dependabot updates.
  • Hardens release verification against PyPI propagation lag and malformed external smoke evidence.

Validation

  • 128 unit and contract tests
  • wheel and source distribution verification
  • Ubuntu, macOS, and Windows managed-runtime smoke
  • external exact v0.2.1 and mutable v0 consumer smoke
  • CodeQL and PyPI Trusted Publishing with attestations

v0.2.0

Choose a tag to compare

@0disoft 0disoft released this 11 Jul 07:16

Highlights

  • Parse explicitly declared uv.lock and requirements files into CycloneDX and SPDX dependency components.
  • Add bounded reads, warning-backed partial parsing, and ML ecosystem compatibility fixtures.
  • Make the GitHub Action prepare pinned Python 3.12 and uv 0.11.28 without caller-side runtime setup.
  • Bind post-release verification to the external smoke run's exact workflow commit and immutable Action ref.

Runtime boundaries

Dependency collection remains config-driven and offline. The Action may download only its pinned toolchain and locked project dependencies, keeps runtime state under RUNNER_TEMP, and does not resolve or mutate the caller project.

Rollback

Immutable tag v0.2.0 will not be retargeted. If a defect is found, keep exact users pinned and publish a corrected patch release before advancing mutable v0 again.

v0.1.4

Choose a tag to compare

@0disoft 0disoft released this 10 Jul 13:04

Highlights

  • Adds config-only opt-in artifact discovery with bounded model-file patterns and safe default excludes.
  • Adds stricter provider-token and key-aware redaction plus artifact hashing and glob-budget hardening.
  • Adds target-root config discovery and installed CLI version reporting.
  • Adds the partial SPDX 3.0.1 AI Profile preview exporter with explicit unsupported-field notes and deterministic output.
  • Keeps the CycloneDX JSON 1.7 and GitHub Action contracts backward compatible.

Validation

  • Python 3.12 compile, Ruff, 93 unit and contract tests, wheel verification, GitHub Action wrapper smoke, and CLI fixture smoke passed locally.
  • Hosted CI passed for the release commit.

Rollback

The immutable v0.1.4 tag will not be moved or deleted. Consumers can pin the prior v0.1.2 action tag or ai-bom-generator==0.1.2 while a corrective patch is prepared.

v0.1.2

Choose a tag to compare

@0disoft 0disoft released this 08 Jul 09:19

Release v0.1.2.\n\n- Publishes ai-bom-generator to PyPI through Trusted Publishing.\n- Adds the PyPI publish workflow and validates package distributions before upload.\n- Keeps immutable GitHub Action patch tag usage for v0.1.2.\n\nValidation:\n- Publish PyPI workflow passed: https://github.com/0disoft/ai-bom-generator/actions/runs/28930381437\n- Package artifacts are available on PyPI for ai-bom-generator 0.1.2.

v0.1.1

Choose a tag to compare

@0disoft 0disoft released this 08 Jul 07:47

Patch release for the local AI/ML BOM CLI and composite GitHub Action.

Highlights:

  • Adds manifest-gated output-set writes and stale/partial output cleanup from the preceding hardening commits.
  • Adds Ruff lint validation in CI and local validation docs.
  • Preserves CLI/config precedence when GitHub Action inputs omit format or warning policy.
  • Applies recursive artifact exclude globs before hashing, including .git and __pycache__ subtrees selected by broad include patterns.
  • Expands strict redaction coverage for common AWS, Slack, GitLab, Google API key, Bearer, and JWT-shaped values.
  • Reports blank dataset license_declared values as missing license warnings.
  • Caps Git metadata reads so oversized packed refs resolve as warnings instead of unbounded reads.

Deferred:

  • PyPI publishing remains deferred until package-registry policy is approved.
  • Mutable major action tags such as v0 remain deferred.
  • GitHub Marketplace registration remains deferred.

Validation:

  • Local validation passed: uv sync --locked, compileall, Ruff, unittest, uv build, wheel verification, GitHub Action wrapper verification, CLI smoke, and git diff --check.
  • GitHub Actions passed on commit 82e6534: CI run 28926353328 and Dependency Graph run 28926356278.

v0.1.0

Choose a tag to compare

@0disoft 0disoft released this 07 Jul 11:23

First public MVP release.

Highlights:

  • Adds the ai-bom generate CLI for local AI/ML BOM generation.
  • Exports CycloneDX JSON 1.7 and validates generated BOMs against the packaged schema.
  • Reads explicit aibom.toml config files with config schema v1 validation.
  • Collects declared model metadata, in-root MODEL_CARD.md paths, selected artifact digests, dependency references, dataset references, prompt references, eval references, training references, and local Git commit evidence.
  • Emits machine-readable warning reports and JSON summaries.
  • Defaults to strict redaction for generated output and terminal errors.
  • Rejects unsafe target-root escapes, symlink escapes, overlapping output paths, directory output paths, and invalid artifact globs.
  • Provides a composite GitHub Action wrapper around the CLI.

Deferred:

  • PyPI publishing.
  • Mutable major action tags such as v0.
  • GitHub Marketplace registration.
  • Automatic config, artifact, and lockfile discovery.
  • SPDX AI exporter.

Validation:

  • Local standard validation passed before tagging.
  • GitHub Actions CI passed on commit 56c2fd9.