MCOP Framework v2.2.1 — SBOM Re-Anchor

@Kuonirad released this 30 Apr 11:57
· 261 commits to main since this release
Immutable release. Only release title and notes can be modified.
ed086a1

v2.2.1 — SBOM Re-Anchor Patch (operational, no code changes)

This is an operational patch only. There are no functional changes from v2.2.0. v2.2.1 exists solely to re-anchor the v2.2.0 release on a fresh GitHub Release page that has the CycloneDX SBOMs attached as downloadable assets.

What's attached

  • mcop-framework.cdx.json — CycloneDX 1.7 SBOM for the framework workspace, generated by pnpm sbom. Validated against the official CycloneDX JSON schema via pnpm sbom:validate.
  • mcop-core.cdx.json — CycloneDX 1.7 SBOM for @kullailabs/mcop-core. Validated against the official CycloneDX JSON schema.

Both SBOMs describe the v2.2.0 codebase (the v2.2.0 → v2.2.1 commit diff is a CHANGELOG entry plus this release-notes document only — zero source/dependency changes).

Why this release exists

During the v2.2.0 release sequence, the post-publish step that attaches CycloneDX SBOMs to the GitHub Release page failed because GitHub's repo-wide Immutable Releases setting locks releases at publish time, blocking post-publish asset uploads.

We refactored publish-pypi.yml (#559) to a draft-then-publish flow so future releases attach SBOMs at creation time, before the immutability lock takes effect.

To recover the existing v2.2.0 Release, we deleted it and tried to re-create it with SBOMs attached. GitHub's API rejected the re-creation:

422 Validation Failed
{"resource": "Release", "code": "custom", "field": "tag_name",
 "message": "tag_name was used by an immutable release"}

This block is permanent — once a tag has been used by an immutable release, no future release object can ever re-bind to that tag, even after the original release is deleted. v2.2.1 is the resulting workaround: a fresh tag bound to a no-op CHANGELOG-only commit, with both SBOMs attached at Release creation time using the new draft → publish flow.
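The draft → publish ordering described above, sketched with the GitHub CLI as an added example; it is not the project's publish-pypi.yml. The function names, tag and file paths are hypothetical, and the bomFormat grep is a cheap pre-flight check, not the schema validation that pnpm sbom:validate performs.

```shell
#!/usr/bin/env bash
# Added example (not the project's workflow): create the release as a draft,
# attach the SBOMs, and publish only as the final step, because the
# immutability lock is applied at publish time.
# Assumes an authenticated `gh` CLI; all names below are hypothetical.

# Cheap pre-flight check: non-empty file that declares itself CycloneDX JSON.
# This does NOT replace full schema validation.
is_cyclonedx_json() {
  [ -s "$1" ] && grep -Eq '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$1"
}

# Usage: release_with_sboms TAG NOTES_FILE SBOM_FILE...
release_with_sboms() {
  local tag="$1" notes="$2"
  shift 2
  [ "$#" -gt 0 ] || { echo "no SBOM files given" >&2; return 2; }

  # Refuse before touching GitHub at all if any asset looks wrong.
  local f
  for f in "$@"; do
    is_cyclonedx_json "$f" || {
      echo "refusing to release: $f is not a CycloneDX JSON SBOM" >&2
      return 2
    }
  done

  # 1. Draft release: still mutable, assets can be added or replaced.
  gh release create "$tag" --draft --title "$tag" --notes-file "$notes" || return 1

  # 2. Attach the SBOMs while the release is still a draft.
  if ! gh release upload "$tag" "$@"; then
    echo "upload failed; $tag left as an unpublished draft" >&2
    return 1
  fi

  # 3. Publish last. From here on the release is locked and the tag is
  #    permanently bound to it, so nothing may be left to attach.
  gh release edit "$tag" --draft=false
}
```

If the upload step fails, the function stops before publishing, so the release stays a draft and the lock has not yet been applied.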

What's not in this release

  • No code changes. No registry version bumps.
  • @kullailabs/mcop-core@0.2.0 (npm — pending Trusted Publisher fix) and mcop@3.2.0 (PyPI — live at https://pypi.org/project/mcop/3.2.0/) remain the canonical 2026-04-30 framework deliverables.
  • No re-publishing of any artefact to npm or PyPI.

Canonical references