Update publish.yml #91

Merged: glenn-jocher merged 1 commit into main from glenn-jocher-patch-1 on Aug 13, 2025

@glenn-jocher (Member) commented Aug 13, 2025

🛠️ PR Summary

Made with ❤️ by Ultralytics Actions

🌟 Summary

Refines the SBOM publishing workflow to use a dedicated virtual environment and editable install, improving reliability and clarity in the CI process. 🚀

📊 Key Changes

  • Switches from uv sync to explicit steps:
    • Creates a dedicated virtual environment: uv venv sbom-env
    • Installs the package in editable mode: uv pip install -e .
  • Replaces UV_PROJECT_ENVIRONMENT with VIRTUAL_ENV to target the new venv
  • Keeps SBOM generation via Anchore action in SPDX JSON format

🎯 Purpose & Impact

  • Enhances reproducibility and control over the environment used for SBOM generation ✅
  • Reduces potential dependency resolution issues by using an explicit editable install 🧩
  • Improves CI transparency and maintainability, leading to more reliable SBOMs for consumers and security tooling 🔐

Signed-off-by: Glenn Jocher <glenn.jocher@ultralytics.com>
@UltralyticsAssistant added the labels dependencies (Dependencies and packages) and devops (GitHub Devops or MLops) Aug 13, 2025

@UltralyticsAssistant (Member) commented

👋 Hello @glenn-jocher, thank you for submitting an ultralytics/thop 🚀 PR! This is an automated response — an Ultralytics engineer will review and assist you shortly. In the meantime, please review the checklist below to help streamline the merge process:

  • ✅ Define a Purpose: Clearly explain the purpose of your fix or feature in your PR description, and link to any relevant issues at https://github.com/ultralytics/thop/issues. Ensure your commit messages are clear, concise, and adhere to the project's conventions.
  • ✅ Synchronize with Source: Confirm your PR is synchronized with the ultralytics/thop main branch. If it's behind, update it by clicking the 'Update branch' button or by running git pull and git merge main locally.
  • ✅ Ensure CI Checks Pass: Verify all Ultralytics Continuous Integration (CI) checks are passing at https://docs.ultralytics.com/help/CI/. If any checks fail, please address the issues.
  • ✅ Update Documentation: Update the relevant documentation at https://docs.ultralytics.com/ for any new or modified features.
  • ✅ Add Tests: If applicable, include or update tests to cover your changes, and confirm that all tests are passing.
  • ✅ Sign the CLA: Please ensure you have signed our Contributor License Agreement at https://docs.ultralytics.com/help/CLA/ if this is your first Ultralytics PR by writing "I have read the CLA Document and I sign the CLA" in a new message.
  • ✅ Minimize Changes: Limit your changes to the minimum necessary for your bug fix or feature addition. "It is not daily increase but daily decrease, hack away the unessential. The closer to the source, the less wastage there is." — Bruce Lee

If this PR addresses a bug and you haven’t included one yet, please add a Minimum Reproducible Example (MRE) showing:

  • Exact steps and commands to reproduce
  • Environment details (OS, Python version)
  • Relevant code/config snippets

For more guidance, please refer to our Contributing Guide at https://docs.ultralytics.com/help/contributing/. Don’t hesitate to leave a comment if you have any questions. Thank you for contributing to Ultralytics! 🚀✨

@glenn-jocher merged commit d62700c into main Aug 13, 2025 (5 checks passed)
@glenn-jocher deleted the glenn-jocher-patch-1 branch August 13, 2025 23:37

@UltralyticsAssistant (Member) commented

Merged with gratitude! Thank you, @glenn-jocher, for refining the SBOM workflow with a dedicated venv and editable install—this brings clarity, reproducibility, and stronger CI reliability for our consumers and security tooling. As Leonardo da Vinci said, “Simplicity is the ultimate sophistication.” Your changes embody that principle by making our process both cleaner and more dependable. Appreciate the thoughtful improvement and the continued momentum it gives the project. 🙌
