Separate SBOM from dist/ so PyPI publish stops choking on it#149
Merged
Conversation
The 2.1.0 publish run failed because dist/bitmath-2.1.0.cdx.json was
bundled into the dist artifact uploaded to PyPI. twine globs every file
in packages-dir and rejected the SBOM with
"InvalidDistribution: Unknown distribution format". The prior comment
("Keep the SBOM out of the PyPI upload") captured the intent but the
implementation never separated the file.
Generate the SBOM into sbom/, upload it as its own artifact, download
it separately in the publish job, and attach it to the GitHub release
from there. dist/ now contains only wheels and sdists.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
dist/bitmath-2.1.0.cdx.jsonwas bundled into the artifact uploaded to PyPI.twineglobs every file inpackages-dirand rejected the SBOM withInvalidDistribution: Unknown distribution format.sbom/, upload it as its own artifact, download it separately in the publish job, attach it to the GH release from there.dist/now contains only wheels and sdists.Test plan
2.1.1(or whatever next version) and create the release