v0.0.21 - Add automated SPDX SBOM generation to releases (#265)
Summary
Automated, security-focused release: v0.0.21 adds SPDX SBOM generation and upload to every release, improves CI reliability and notifications, and updates the SDK version.
Key Changes
- Automated SBOM generation and release upload using Anchore (outputs sbom.spdx.json)
- Isolated environment for accurate dependency capture during SBOM creation (uv-based)
- Safer notifications by escaping quotes in PR titles to avoid shell/JSON issues
- SDK version bumped to 0.0.21
- CI/Workflow upgrades:
  - Updated actions: setup-uv v6, download-artifact v5, Slack action v2.1.1
  - New permissions blocks for least-privilege security in workflows
  - Refined link-checking: simpler Lychee install, broader valid HTTP codes, proper headers, and fail-on-errors
  - Enhanced Ultralytics Actions workflow with AI-powered summaries, labels, and formatting for JSON/CSS
- Documentation cleanup and small polish in README and docstrings
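As an added example (not part of this release or the project's own code), a consumer-side check a release user can run over the published sbom.spdx.json: it validates the SPDX 2.3 JSON structure, confirms every relationship points at an element the document defines, and extracts the name-to-version inventory used for advisory matching. Field names follow the SPDX 2.3 JSON schema; the embedded sample SBOM is constructed for illustration.

```python
"""Consumer-side checks for an SPDX 2.x JSON SBOM such as a release's sbom.spdx.json.
Added example, not the project's code; assumes SPDX 2.3 JSON field names. SAMPLE_SBOM is constructed."""
import json

REQUIRED = ("spdxVersion", "dataLicense", "SPDXID", "name", "documentNamespace",
            "creationInfo", "packages")


def validate_spdx(doc: dict) -> list:
    """Return the problems found; an empty list means the SBOM passed."""
    problems = [f"missing field: {f}" for f in REQUIRED if f not in doc]
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        problems.append(f"unexpected spdxVersion {doc.get('spdxVersion')!r}")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        problems.append("document SPDXID must be SPDXRef-DOCUMENT")
    if not doc.get("packages"):
        problems.append("SBOM lists no packages")
    ids = {"SPDXRef-DOCUMENT"}
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "")
        if not pid.startswith("SPDXRef-") or pid in ids:
            problems.append(f"bad or duplicate SPDXID {pid!r}")
        ids.add(pid)
        if not pkg.get("versionInfo"):  # unversioned entries cannot be matched to advisories
            problems.append(f"package {pkg.get('name')!r} has no versionInfo")
    rels = doc.get("relationships", [])
    for rel in rels:  # relationships may only reference elements present in this document
        for ref in (rel.get("spdxElementId"), rel.get("relatedSpdxElement")):
            if ref not in ids and ref not in ("NONE", "NOASSERTION"):
                problems.append(f"relationship references unknown element {ref!r}")
    if not any(r.get("relationshipType") == "DESCRIBES" and
               r.get("spdxElementId") == "SPDXRef-DOCUMENT" for r in rels):
        problems.append("document has no DESCRIBES relationship")
    return problems


def package_inventory(doc: dict) -> dict:
    """name -> version map, the view used to match an SBOM against advisories."""
    return {p["name"]: p.get("versionInfo", "NOASSERTION") for p in doc.get("packages", [])}


# Constructed sample (not a real SBOM): one dependency edge points at an element that does not exist.
SAMPLE_SBOM = json.loads("""{
  "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-sdk", "documentNamespace": "https://example.invalid/spdx/example-sdk",
  "creationInfo": {"created": "2025-01-01T00:00:00Z", "creators": ["Tool: example-generator"]},
  "packages": [
    {"name": "example-sdk", "SPDXID": "SPDXRef-Package-sdk", "versionInfo": "0.0.21"},
    {"name": "example-dep", "SPDXID": "SPDXRef-Package-dep", "versionInfo": "1.2.3"}],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-sdk", "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-Package-sdk", "relatedSpdxElement": "SPDXRef-Package-missing", "relationshipType": "DEPENDS_ON"}]
}""")
```

Running `validate_spdx(SAMPLE_SBOM)` reports the dangling DEPENDS_ON reference and nothing else; dropping that relationship makes the sample pass cleanly.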
Purpose & Impact
- Strengthens supply chain transparency and compliance for enterprises by publishing an SPDX SBOM with every release
- Improves CI stability and security with clearer permissions, robust notifications, and reliable link checks
- Enhances developer experience via automated formatting, AI-powered PR summaries/labels, and modernized workflows
- Minor docs and wording fixes contribute to a cleaner, more professional SDK experience
What's Changed
- Fix Example: -> Examples: by @glenn-jocher in #251
- Ultralytics Refactor https://ultralytics.com/actions by @pderrenger in #252
- Update README.md by @glenn-jocher in #253
- Update links.yml by @glenn-jocher in #254
- Update links.yml by @glenn-jocher in #255
- Ultralytics Actions JSON, CSS and autolabel support by @glenn-jocher in #257
- Add Permissions to Ultralytics Actions format.yml by @glenn-jocher in #258
- Potential fix for code scanning alert no. 6: Workflow does not contain permissions by @glenn-jocher in #260
- Bump astral-sh/setup-uv from 5 to 6 in /.github/workflows by @dependabot[bot] in #256
- Bump slackapi/slack-github-action from 2.0.0 to 2.1.0 in /.github/workflows by @dependabot[bot] in #259
- Update links.yml by @glenn-jocher in #261
- Simplify lychee install in links.yml by @glenn-jocher in #263
- Bump slackapi/slack-github-action from 2.1.0 to 2.1.1 in /.github/workflows by @dependabot[bot] in #262
- Bump actions/download-artifact from 4 to 5 in /.github/workflows by @dependabot[bot] in #264
- Add automated SPDX SBOM generation to releases by @glenn-jocher in #265
Full Changelog: v0.0.20...v0.0.21