fixing SBOM #40
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build & publish to PyPI | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - "python-sdk/exospherehost/_version.py" | |
| - ".github/workflows/publish-python-sdk.yml" | |
| permissions: | |
| contents: read | |
| id-token: write | |
| jobs: | |
| test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| - name: Install uv | |
| uses: astral-sh/setup-uv@v6 | |
| - name: Install dev dependencies with uv | |
| working-directory: python-sdk | |
| run: | | |
| uv sync --group dev | |
| - name: Install python-sdk package (editable) | |
| working-directory: python-sdk | |
| run: | | |
| uv pip install -e . | |
| - name: Run tests with pytest and coverage | |
| working-directory: python-sdk | |
| run: | | |
| uv run pytest --cov=exospherehost --cov-report=xml --cov-report=term-missing -v --junitxml=pytest-report.xml | |
| - name: Upload coverage reports to Codecov | |
| uses: codecov/codecov-action@v5 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| slug: exospherehost/exospherehost | |
| files: python-sdk/coverage.xml | |
| flags: python-sdk-unittests | |
| name: python-sdk-coverage-report | |
| fail_ci_if_error: true | |
| - name: Upload test results | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: python-sdk-test-results | |
| path: python-sdk/pytest-report.xml | |
| retention-days: 30 | |
| publish: | |
| runs-on: ubuntu-latest | |
| needs: test | |
| defaults: | |
| run: | |
| working-directory: python-sdk | |
| if: github.repository == 'exospherehost/exospherehost' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: astral-sh/setup-uv@v6 | |
| name: Install uv | |
| - run: uv python install | |
| - run: uv sync --locked --dev | |
| - name: Check version for beta indicator | |
| run: | | |
| uv run python -c " | |
| import sys | |
| sys.path.append('.') | |
| from exospherehost._version import version | |
| if 'b' not in version: | |
| print(f'ERROR: Version {version} does not contain beta indicator (b). Major releases are only allowed through GitHub releases.') | |
| sys.exit(1) | |
| print(f'Version {version} is valid for PyPI publishing (contains beta indicator)') | |
| " | |
| - name: Generate requirements file for SBOM | |
| run: | | |
| # Try to use uv to export only production dependencies without the current package | |
| # Use --no-dev to exclude dev dependencies and generate a clean requirements file | |
| uv export --locked --no-dev --format=requirements-txt --output-file=requirements-full.txt | |
| # Debug: Show what's in the requirements file | |
| echo "Contents of requirements-full.txt:" | |
| cat requirements-full.txt | |
| # Filter out any editable local package references | |
| # This handles: -e ., -e ./, -e ../, -e file://..., file://... etc. | |
| grep -v -E '^-e\s+\.$|^-e\s+\.\/$|^-e\s+\.\.\/$|^-e\s+file:|^file:' requirements-full.txt > requirements.txt || echo "# No dependencies after filtering" > requirements.txt | |
| echo "Contents of filtered requirements.txt:" | |
| cat requirements.txt | |
| echo "Generated requirements.txt for SBOM creation from lockfile (excluding editable local package)" | |
| - name: Install SBOM generation tools | |
| run: | | |
| uv tool install cyclonedx-bom | |
| echo "Installed cyclonedx-bom version:" | |
| uv tool run --from cyclonedx-bom cyclonedx-py --version | |
| uv tool install pip-audit | |
| echo "Installed pip-audit version:" | |
| uv tool run pip-audit --version | |
| - name: Generate SBOM with CycloneDX | |
| run: | | |
| uv tool run --from cyclonedx-bom cyclonedx-py requirements --of json --output-file sbom-cyclonedx.json requirements.txt | |
| echo "Generated CycloneDX SBOM in JSON format" | |
| - name: Generate vulnerability report with pip-audit | |
| run: | | |
| uv tool run pip-audit --format json --output vulnerability-report.json --requirement requirements.txt || true | |
| echo "Generated vulnerability report (non-blocking)" | |
| - run: uv build --no-source | |
| - name: Sign the package | |
| run: | | |
| uv pip install -U pypi-attestations | |
| uv run pypi_attestations sign dist/* | |
| - name: Publish to PyPI with provenance | |
| run: | | |
| uv pip install -U twine | |
| uv run twine upload --attestations dist/* | |
| - name: Upload SBOM artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom-artifacts-beta-${{ github.sha }} | |
| path: | | |
| python-sdk/sbom-cyclonedx.json | |
| python-sdk/requirements.txt | |
| python-sdk/vulnerability-report.json | |
| retention-days: 30 |