fix(ci): use relative path for upload-artifact glob

[williaby]

Summary

upload-artifact@v4 requires a workspace-relative path. The absolute ${{ github.workspace }}/sbom-*.json introduced in #26 caused the upload to fail even though the file existed at that exact path — confirmed by the Verify step in run 24256290551:

GITHUB_WORKSPACE  : /home/runner/work/.claude/.claude
sbom-*.json files :
  354171  20 -rw-r--r-- 1 runner runner 17768 Apr 10 17:48
    /home/runner/work/.claude/.claude/sbom-runtime.json

path: /home/runner/work/.claude/.claude/sbom-*.json
##[error] No files were found with the provided path:
  /home/runner/work/.claude/.claude/sbom-*.json

The action resolves globs from $GITHUB_WORKSPACE by default, so the bare relative glob is correct.

Changes

• path: ${{ github.workspace }}/sbom-*.json → path: sbom-*.json

Testing

• Trigger the SBOM workflow and confirm upload succeeds
• Confirm scan-runtime and license-compliance jobs receive the artifact

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated artifact upload configuration in the build process.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ac4aa273-bc1e-4e06-8d72-aabcf0c8ab1c

📥 Commits

Reviewing files that changed from the base of the PR and between f61402a and 9808621.

📒 Files selected for processing (1)

• .github/workflows/python-sbom.yml

---

📝 Walkthrough

Walkthrough

The workflow configuration for SBOM artifact generation was updated to change the upload path from an absolute workspace reference to a relative glob pattern, affecting how files are matched during artifact upload.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow .github/workflows/python-sbom.yml	Modified the artifact upload path from ${{ github.workspace }}/sbom-*.json (absolute) to sbom-*.json (relative glob), altering the file matching behavior.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• fix(ci): anchor SBOM output path to GITHUB_WORKSPACE #26: Directly modifies the same SBOM workflow upload-artifact path using an alternative absolute workspace reference approach.
• fix(ci): repair silent SBOM generation failure in python-sbom workflow #25: Updates the actions/upload-artifact step configuration in the same SBOM workflow file.

Poem

🐰 A humble hop through workflows so fine,
From absolute paths to relative lines,
The SBOM now dances with glob so bright,
One tiny change, but oh what a sight! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely describes the main change: switching to a relative path for the upload-artifact glob in CI configuration.
Description check	✅ Passed	The description provides clear context, explains the problem with the absolute path, documents the specific change, and lists testing steps, though the PR description template sections are not formally structured.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/sbom-upload-relative-path

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}