Enhance CI workflows for SBOM generation and update version in _version.py

NiveditJain · NiveditJain · commit 4983255b4120 · 2025-09-04T18:11:10.000+05:30
- Updated publish-python-sdk.yml and release-python-sdk.yml to generate a requirements.txt file that excludes editable local package references and includes only production dependencies.
- Improved SBOM generation steps to output both JSON and XML formats.
- Adjusted commands for tool version checks to ensure correct execution.
- Bumped version in _version.py from 0.0.2b7 to 0.0.2b8.
diff --git a/.github/workflows/publish-python-sdk.yml b/.github/workflows/publish-python-sdk.yml
@@ -92,21 +92,31 @@ jobs:
 
       - name: Generate requirements file for SBOM
         run: |
-          uv export --locked --format=requirements-txt --output-file=requirements.txt
-          echo "Generated requirements.txt for SBOM creation from lockfile"
+          # Try to use uv to export only production dependencies without the current package
+          # Use --no-dev to exclude dev dependencies and generate a clean requirements file
+          uv export --locked --no-dev --format=requirements-txt --output-file=requirements-full.txt
+          # Debug: Show what's in the requirements file
+          echo "Contents of requirements-full.txt:"
+          cat requirements-full.txt
+          # Filter out any editable local package references
+          # This handles: -e ., -e ./, -e ../, -e file://..., file://... etc.
+          grep -v -E '^-e\s+\.$|^-e\s+\.\/$|^-e\s+\.\.\/$|^-e\s+file:|^file:' requirements-full.txt > requirements.txt || echo "# No dependencies after filtering" > requirements.txt
+          echo "Contents of filtered requirements.txt:"
+          cat requirements.txt
+          echo "Generated requirements.txt for SBOM creation from lockfile (excluding editable local package)"
 
       - name: Install SBOM generation tools
         run: |
           uv tool install cyclonedx-bom
           echo "Installed cyclonedx-bom version:"
-          uv tool run cyclonedx-py --version
+          uv tool run --from cyclonedx-bom cyclonedx-py --version
           uv tool install pip-audit
           echo "Installed pip-audit version:"
           uv tool run pip-audit --version
 
       - name: Generate SBOM with CycloneDX
         run: |
-          uv tool run cyclonedx-py requirements --format json --output-file sbom-cyclonedx.json requirements.txt
+          uv tool run --from cyclonedx-bom cyclonedx-py requirements --of json --output-file sbom-cyclonedx.json requirements.txt
           echo "Generated CycloneDX SBOM in JSON format"
 
       - name: Generate vulnerability report with pip-audit
diff --git a/.github/workflows/release-python-sdk.yml b/.github/workflows/release-python-sdk.yml
@@ -124,22 +124,32 @@ jobs:
 
       - name: Generate requirements file for SBOM
         run: |
-          uv export --locked --format=requirements-txt --output-file=requirements.txt
-          echo "Generated requirements.txt for SBOM creation from lockfile"
+          # Try to use uv to export only production dependencies without the current package
+          # Use --no-dev to exclude dev dependencies and generate a clean requirements file
+          uv export --locked --no-dev --format=requirements-txt --output-file=requirements-full.txt
+          # Debug: Show what's in the requirements file
+          echo "Contents of requirements-full.txt:"
+          cat requirements-full.txt
+          # Filter out any editable local package references
+          # This handles: -e ., -e ./, -e ../, -e file://..., file://... etc.
+          grep -v -E '^-e\s+\.$|^-e\s+\.\/$|^-e\s+\.\.\/$|^-e\s+file:|^file:' requirements-full.txt > requirements.txt || echo "# No dependencies after filtering" > requirements.txt
+          echo "Contents of filtered requirements.txt:"
+          cat requirements.txt
+          echo "Generated requirements.txt for SBOM creation from lockfile (excluding editable local package)"
 
       - name: Install SBOM generation tools
         run: |
           uv tool install cyclonedx-bom
           echo "Installed cyclonedx-bom version:"
-          uv tool run cyclonedx-py --version
+          uv tool run --from cyclonedx-bom cyclonedx-py --version
           uv tool install pip-audit
           echo "Installed pip-audit version:"
           uv tool run pip-audit --version
 
       - name: Generate SBOM with CycloneDX
         run: |
-          uv tool run cyclonedx-py requirements --format json --output-file sbom-cyclonedx.json requirements.txt
-          uv tool run cyclonedx-py requirements --format xml --output-file sbom-cyclonedx.xml requirements.txt
+          uv tool run --from cyclonedx-bom cyclonedx-py requirements --of json --output-file sbom-cyclonedx.json requirements.txt
+          uv tool run --from cyclonedx-bom cyclonedx-py requirements --of xml --output-file sbom-cyclonedx.xml requirements.txt
           echo "Generated CycloneDX SBOM in JSON and XML formats"
 
       - name: Generate vulnerability report with pip-audit
diff --git a/python-sdk/exospherehost/_version.py b/python-sdk/exospherehost/_version.py
@@ -1 +1 @@
-version = "0.0.2b7"
+version = "0.0.2b8"

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-version = "0.0.2b7"`
	`1`	`+version = "0.0.2b8"`