Add component id arg to action and include component ID in api url #1
Merged
vpetersson approved these changes on Sep 4, 2024
vpetersson added a commit that referenced this pull request on May 29, 2026
Fifteen correctness, integration, and UX fixes from the extra-high-effort code review on this branch:
#1 ci_emitter: disambiguate output_file when two PlannedComponents slugify to the same name (one matrix job's SBOM was clobbering another's on disk).
#2 _paginate: stop on missing 'next' / single-page envelopes instead of looping to MAX_PAGES=500 and raising APIError.
#3 _paginate: don't yield the envelope dict as an item when 'items' is missing — poisoned list_components_by_name into a flood of duplicate creates.
#4 Make component_type required on SbomifyApiClient; yocto facade and wizard apply explicitly pass 'sbom' (the historical Yocto type that the new client's 'bom' default was silently changing).
#5 Track was_created through apply so DUPLICATE_NAME-recovered components render as reused on the Done screen instead of "created".
#6 Tighten _OWNER_REPO_RE to require github.com; nested GitLab / Gitea / Bitbucket URLs no longer extract a wrong owner/repo slug into Done-screen OIDC binding instructions.
#7 DISCOVERY_CAP now counts unique directories, not raw matches — monorepos with several lockfiles per dir aren't truncated below 200 projects.
#8 Resolve apply-log widget on the main thread and hop RichLog.write back via app.call_from_thread; Textual widgets aren't thread-safe.
#9 attach_components_to_product failure is now surfaced as a red "Attach failed" row on the Done screen instead of a warning that scrolls past.
#10 patch_component_visibility catches AuthError and logs warning, restoring the best-effort semantics yocto pipelines depend on.
#11 Upload destination catches AuthError separately and tags UploadResult.error_code='AUTH_FAILED' so CI summaries can still distinguish auth failures from other 4xx.
#12 list_contact_profiles paginates instead of single-shot truncating at 100 profiles.
#13 _fetch_releases paginates so create_release's DUPLICATE_NAME recovery can reach existing releases on page 2+ of busy products.
#14 Submit all three auth-prefetch futures before collecting .result() so the ThreadPoolExecutor actually parallelises the products/components/profiles fetch.
#15 Welcome's Cancel button and empty-state path call exit() directly instead of action_quit_with_cancel — the double-tap confirmation is right for Ctrl-C but wrong for an explicit button click.
Test, lint, type, and format gates all pass (2281 passed, 4 skipped).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
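Items #2 and #3 of the commit above describe two pagination bugs: re-fetching until MAX_PAGES when a page has no 'next', and yielding the envelope dict itself when 'items' is absent (which then looked like a component and triggered duplicate creates). The following is an added example written for this page, not the project's `_paginate`; the response shapes, the fake backend, and the `/components/` URLs are constructed for illustration. It accepts a bare list, an `items`/`next` envelope, and an envelope without `items`, and keeps the page cap only as a guard against a self-referencing `next`.

```python
"""Defensive pagination over a list endpoint (added example, not the project's code)."""
from __future__ import annotations

from collections.abc import Callable, Iterator
from typing import Any

MAX_PAGES = 500  # last-resort guard; a well-formed walk ends on a missing 'next'


class APIError(Exception):
    """Raised when pagination cannot make progress or the page shape is unknown."""


def paginate(fetch: Callable[[str], Any], first_url: str) -> Iterator[dict]:
    """Yield items from every page returned by fetch(url).

    Three response shapes are accepted: a bare list (single page), an envelope
    with 'items' and an optional 'next' URL, and an envelope without 'items'
    (treated as empty; the envelope itself is never yielded as an item).
    """
    url: str | None = first_url
    pages = 0
    while url:
        pages += 1
        if pages > MAX_PAGES:
            raise APIError(f"gave up after {MAX_PAGES} pages starting at {first_url}")
        body = fetch(url)
        if isinstance(body, list):  # bare list: the whole result in one page
            yield from body
            return
        if not isinstance(body, dict):
            raise APIError(f"unexpected page shape {type(body).__name__} from {url}")
        items = body.get("items")
        if isinstance(items, list):
            yield from items
        # A missing or null 'next' ends the walk instead of re-fetching the same page.
        url = body.get("next") or None


# Constructed fake backend (assumed URLs and payloads; not real API responses).
_FAKE_PAGES: dict[str, Any] = {
    "/components/?page=1": {"items": [{"id": "a"}, {"id": "b"}], "next": "/components/?page=2"},
    "/components/?page=2": {"items": [{"id": "c"}]},  # no 'next': last page
    "/bare/": [{"id": "x"}],                            # single-page bare list
    "/weird/": {"count": 0},                            # envelope without 'items'
    "/loop/": {"items": [], "next": "/loop/"},          # backend bug: 'next' points at itself
}


def fake_fetch(url: str) -> Any:
    return _FAKE_PAGES[url]


def collect_ids(first_url: str) -> list[str]:
    """Walk all pages from first_url and return the item ids in order."""
    return [item["id"] for item in paginate(fake_fetch, first_url)]


def raises_api_error(first_url: str) -> bool:
    """True if walking from first_url hits the MAX_PAGES guard."""
    try:
        collect_ids(first_url)
    except APIError:
        return True
    return False


if __name__ == "__main__":
    print(collect_ids("/components/?page=1"), collect_ids("/bare/"), collect_ids("/weird/"))
    print("self-referential next raises:", raises_api_error("/loop/"))
```

The `/weird/` case is the one that matters for idempotent creates: a caller that does `for c in paginate(...)` and compares `c["name"]` must see zero items, not one dict with no `name` key, or its "not found, so create" branch fires on every run.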
vpetersson added a commit that referenced this pull request on May 29, 2026
Fifteen wizard correctness + integration fixes from the latest extra-high-effort code review:
#1 io.write_sbomify_json: sentinel + ownership check, mirrors the workflow file's WIZARD_HEADER_SENTINEL. Refuses to overwrite a pre-existing sbomify.json that lacks the __sbomify_wizard__ key. Protects users carrying over a hand-crafted sbomify.json (full licenses / multi-entity suppliers / vcs_* overrides) against silent clobber.
#2 ConfigureSbomScreen: when toggling to aug-profile, default picker.highlighted to the first REAL profile when one exists (not the + Create new sentinel). Workspaces with existing profiles can now single-Enter to advance with the most-likely selection.
#3 ConfigureSbomScreen: detect Escape from ConfigureSbomifyJson screen via _json_form_visited flag; flip augmentation back to Skip + notify. Breaks the Enter→Escape→Enter form re-push loop.
#4 CreateProfileScreen: distinguish dict-without-id from error string. A successful POST whose body the client can't parse now surfaces "Profile may have been created but the response was unexpected. Check the sbomify UI before re-submitting" — no more confusing "✗ {}" + duplicate-POST trap.
#5/#6 Authenticate worker picks the user's DEFAULT workspace via is_default_team / is_me — same signal the backend uses to scope list_components / list_products. Multi-workspace PATs no longer silently bind a profile to components in a different workspace. Helper _pick_default_workspace_key is unit-tested.
#7 Review _summary escapes profile / supplier / product names through rich.markup.escape so names containing '[' don't crash Rich render or emit garbled output at the about-to-apply moment.
#8 ConfigureSbomScreen.on_screen_resume snapshots picker.highlighted BEFORE clear_options() and restores it after add_options() when no fresh auto-select target is set. Cancelled CreateProfile no longer silently downgrades augmentation to "skip".
#9 on_radio_set_changed None-guards event.pressed — programmatic RadioButton.value loops in on_screen_resume / _populate_from fire Changed events with possible intermediate None state. Same fragile pattern guarded across ConfigureSbom and ConfigureSbomifyJsonScreen.
#10 ConfigureSbomifyJsonScreen._populate_from narrows the lifecycle-restore except clause to NoMatches — real radio iteration bugs now fail loud in tests instead of leaving the wrong phase silently selected.
#11 list_workspaces docstring records the trailing-slash rules (verified against stage): /workspaces/ requires the slash; nested /workspaces/{key}/contact-profiles must NOT have one. Future maintainers stop trying to "normalise" the URLs.
#12 list_workspaces now accepts both bare-list AND paginated envelope shapes, matching every other list endpoint. Protects against a backend migration silently returning [] and breaking team_key resolution.
#13 Deleted dead on_input_submitted handlers in CreateProfile + ConfigureSbomifyJson — they were unreachable due to the screens' priority=True Enter binding.
#14 test_plan_defaults pins sbomify_json_data is None AND contact_profile_id is None — regression guard so flipping either to a default_factory dict can't silently produce the data-loss / cross-workspace-bind bugs above.
#15 WorkspaceSnapshot.team_key docstring + styles.tcss comment updated to reflect /workspaces/ route + ConfigureSbom owner (both still said /teams/ and ConfigureWorkflow respectively).
Adds eight new tests in tests/test_wizard_state.py covering write_sbomify_json create / overwrite / refuse-handauthored / refuse-malformed, the sentinel helper, and _pick_default_workspace_key.
All gates clean: 2295 passed, ruff + ruff-format + mypy clean.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
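Item #1 of the commit above is an ownership-sentinel check: a generated sbomify.json is only overwritten when the existing file was itself generated, so a hand-crafted file (licenses, multi-entity suppliers, vcs_* overrides) is never silently clobbered. The following is an added example written for this page, not the project's `io.write_sbomify_json`; it takes only the `__sbomify_wizard__` key name from the commit message and assumes the file is a JSON object, the rest of the sbomify.json layout being unknown here. The four cases it runs (create, overwrite, refuse hand-authored, refuse malformed) match the ones the commit says its tests cover.

```python
"""Ownership sentinel before overwriting a generated config (added example, not the project's code)."""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Key name taken from the commit message; the wizard's real file layout is assumed.
WIZARD_SENTINEL = "__sbomify_wizard__"


class RefuseOverwrite(Exception):
    """The target exists but was not written by the wizard, so it is left alone."""


def write_sbomify_json(path: Path, data: dict) -> Path:
    """Write data plus the sentinel, but only if path is absent or wizard-owned.

    A hand-authored JSON object (no sentinel) and a file that is not valid JSON
    at all are both refused; refusing on parse failure matters because the
    malformed file might be someone's half-edited config, not garbage.
    """
    if path.exists():
        try:
            existing = json.loads(path.read_text(encoding="utf-8"))
        except json.JSONDecodeError as exc:
            raise RefuseOverwrite(f"{path} is not valid JSON; not overwriting") from exc
        if not (isinstance(existing, dict) and existing.get(WIZARD_SENTINEL) is True):
            raise RefuseOverwrite(f"{path} was not written by the wizard; not overwriting")
    payload = {WIZARD_SENTINEL: True, **data}
    path.write_text(json.dumps(payload, indent=2) + "\n", encoding="utf-8")
    return path


def _attempt(path: Path) -> str:
    """Try a wizard write and report 'written' or 'refused'."""
    try:
        write_sbomify_json(path, {"supplier": {"name": "Wizard Corp"}})
    except RefuseOverwrite:
        return "refused"
    return "written"


def demo() -> dict[str, str]:
    """Run the four cases in a scratch directory (constructed inputs) and report each."""
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        fresh = root / "sbomify.json"
        results["create"] = _attempt(fresh)        # absent: written with the sentinel
        results["overwrite"] = _attempt(fresh)     # wizard-owned: written again

        hand = root / "hand" / "sbomify.json"
        hand.parent.mkdir()
        hand.write_text(json.dumps({"supplier": {"name": "Hand-crafted"}}), encoding="utf-8")
        results["hand_authored"] = _attempt(hand)  # no sentinel: refused
        results["hand_untouched"] = json.loads(hand.read_text(encoding="utf-8"))["supplier"]["name"]

        broken = root / "broken.json"
        broken.write_text("{not json", encoding="utf-8")
        results["malformed"] = _attempt(broken)    # unparseable: refused, not replaced
    return results


if __name__ == "__main__":
    print(demo())
```

The sentinel is an ownership marker, not a secret: anyone can add the key by hand, and doing so opts the file back into being regenerated. What it prevents is the silent case, where a user who never ran the wizard loses a curated file without any prompt.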
vpetersson pushed a commit that referenced this pull request on Jun 2, 2026
The wizard emits an OIDC workflow but the trust binding still had to be created by hand in the sbomify UI — the #1 reason a first OIDC publish 403s. Register it automatically during apply instead, using the new binding-management API.
* SbomifyApiClient.create_oidc_binding(component_id, repository) — POSTs to /api/v1/auth/oidc/github/bindings. Idempotent: 409 (already bound) is success; 400/404/5xx raise APIError.
* apply_plan: new best-effort step (oidc mode only) that registers a binding per applied component. Never fatal — per-component failures are warnings; skipped with a clear note for private repos (backend can't resolve private GitHub IDs yet) and when no owner/repo slug is known.
* Done screen: shows a '✓ trusted publishing is set up' panel on success, or falls back to the manual instructions (prefixed with the reason) when auto-registration was skipped/failed.
12 new tests (client 201/409/error, apply per-component/token-skip/409-counts/failure-is-warning/private-skip/no-slug, done rendering). Full suite: 2329 passed.
Depends on the main-app binding API (sbomify/sbomify#988).
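The commit above describes two properties worth seeing together: the binding call is idempotent (a 409 for an already-bound component counts as success, so re-running apply is safe), and the apply step is best-effort (one component failing or being skipped never blocks the others, and every skip carries a reason the Done screen can show). The following is an added example written for this page, not the project's `SbomifyApiClient` or `apply_plan`; the endpoint path is the one named in the commit, while the request field names, the component dicts, and the fake backend responses are assumptions constructed for illustration. The transport is injected so the logic runs offline.

```python
"""Idempotent OIDC trust-binding registration, best-effort per component
(added example, not the project's code)."""
from __future__ import annotations

from collections.abc import Callable
from dataclasses import dataclass, field

BINDINGS_PATH = "/api/v1/auth/oidc/github/bindings"  # path named in the commit message

# Injected transport: post(path, json_body) -> (status_code, parsed_body).
Transport = Callable[[str, dict], tuple[int, dict]]


class APIError(Exception):
    """Any response that is neither 'created' nor 'already bound'."""


def create_oidc_binding(post: Transport, component_id: str, repository: str) -> str:
    """Return 'created' on 201 or 'exists' on 409; raise APIError for other 4xx/5xx.

    Treating 409 as success is what makes a second run of apply a no-op rather
    than a failure. Field names in the body are assumed, not taken from the API.
    """
    status, body = post(BINDINGS_PATH, {"component_id": component_id, "repository": repository})
    if status == 201:
        return "created"
    if status == 409:
        return "exists"
    raise APIError(f"{status} registering binding for {component_id}: {body.get('detail', '')}")


@dataclass
class BindingReport:
    """What the Done screen needs: successes, reuse, and a reason per skip/failure."""
    created: list[str] = field(default_factory=list)
    existed: list[str] = field(default_factory=list)
    skipped: dict[str, str] = field(default_factory=dict)   # component id -> reason
    warnings: dict[str, str] = field(default_factory=dict)  # component id -> error text


def register_bindings(post: Transport, components: list[dict]) -> BindingReport:
    """Best-effort pass: per-component failures become warnings, never exceptions."""
    report = BindingReport()
    for comp in components:
        cid = comp["id"]
        if comp.get("private"):
            report.skipped[cid] = "private repository"   # backend cannot resolve private IDs yet
            continue
        repo = comp.get("repository")
        if not repo:
            report.skipped[cid] = "no owner/repo slug known"
            continue
        try:
            outcome = create_oidc_binding(post, cid, repo)
        except APIError as exc:
            report.warnings[cid] = str(exc)
            continue
        (report.created if outcome == "created" else report.existed).append(cid)
    return report


# Constructed fake backend keyed on repository slug (not real responses).
_FAKE_RESPONSES: dict[str, tuple[int, dict]] = {
    "acme/app": (201, {}),
    "acme/lib": (409, {"detail": "already bound"}),
    "acme/ghost": (404, {"detail": "component not found"}),
}


def fake_post(path: str, payload: dict) -> tuple[int, dict]:
    assert path == BINDINGS_PATH
    return _FAKE_RESPONSES[payload["repository"]]


# Constructed components covering every branch above.
SAMPLE_COMPONENTS = [
    {"id": "c1", "repository": "acme/app"},                      # fresh binding
    {"id": "c2", "repository": "acme/lib"},                      # already bound -> reused
    {"id": "c3", "repository": "acme/ghost"},                    # backend 404 -> warning only
    {"id": "c4", "repository": "acme/secret", "private": True},  # skipped with reason
    {"id": "c5"},                                                # no slug extracted
]


def demo() -> BindingReport:
    return register_bindings(fake_post, SAMPLE_COMPONENTS)


if __name__ == "__main__":
    print(demo())
```

Keeping `skipped` and `warnings` as separate maps is deliberate: a skip is a known limitation the user can act on (make the repo public, fix the remote URL), while a warning is an unexpected backend answer that should be surfaced verbatim rather than folded into a generic failure count.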
No description provided.