Skip to content

fix(release): exclude SBOM from dist/ so twine check passes#49

Merged
williajm merged 1 commit intomainfrom
fix/release-sbom-excluded-from-twine-check
Apr 17, 2026
Merged

fix(release): exclude SBOM from dist/ so twine check passes#49
williajm merged 1 commit intomainfrom
fix/release-sbom-excluded-from-twine-check

Conversation

@williajm
Copy link
Copy Markdown
Owner

@williajm williajm commented Apr 17, 2026

Summary

  • The v0.4.0 release workflow failed because twine rejected `sbom.cdx.json` as an `InvalidDistribution`. The single "Download all artifacts" step used `merge-multiple: true` with no filter, which pulled the SBOM artifact into `dist/` alongside the wheels. `pypa/gh-action-pypi-publish` v1.13.0 then ran twine against `dist/*` and failed:
    ```
    Checking dist/sbom.cdx.json: ERROR InvalidDistribution: Unknown distribution format: 'sbom.cdx.json'
    ```
  • Nothing made it to PyPI and the GitHub release assets never populated.

Fix

Replace the single "download all" step with three targeted downloads:

  • Wheels (`pattern: wheels-*`) → `dist/`
  • sdist (`name: sdist`) → `dist/`
  • SBOM (`name: sbom`, no `path:`) → workflow root (where the later `gh release upload` already expects it)

twine only sees valid distribution files; the SBOM still gets uploaded to the GitHub release by the existing step.

Context

Broken on v0.4.0 — see failed run. Once this merges I'll delete the stale `v0.4.0` tag + release and re-tag at the new main HEAD so the release workflow runs cleanly against the fixed file.

Test plan

  • CI passes on this branch
  • After merge + re-tag: publish step reaches twine check, passes, uploads to PyPI
  • Post-merge verify: `forgery` 0.4.0 appears on PyPI; v0.4.0 release page shows `sbom.cdx.json` and `SHA256SUMS.txt` as attached assets

🤖 Generated with Claude Code

@williajm @claude
fix(release): exclude SBOM artifact from dist/ so twine check passes
a9fe112 
The v0.4.0 release workflow failed at the Publish step because twine
rejected sbom.cdx.json as an InvalidDistribution. The first download
step used `merge-multiple: true` with no filter, which pulled every
workflow artifact — including the SBOM — into dist/. pypa/gh-action-pypi-publish
v1.13.0 then ran twine against dist/* and choked on the JSON file:

    Checking dist/sbom.cdx.json: ERROR InvalidDistribution:
    Unknown distribution format: 'sbom.cdx.json'

Fix: replace the single "download all" step with three targeted steps.
Wheels (pattern wheels-*) and sdist (name: sdist) land in dist/; the
SBOM (name: sbom, no path) lands in the workflow root where the later
`gh release upload` step already expects it. twine now only sees valid
distribution files.

Noticed on PR #48's v0.4.0 release run; nothing ever made it to PyPI
and the GitHub release assets never populated. Re-tagging v0.4.0 after
this merges will go through cleanly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@williajm williajm merged commit 695d45a into main Apr 17, 2026
10 checks passed
@williajm williajm deleted the fix/release-sbom-excluded-from-twine-check branch April 17, 2026 23:10
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 17, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 17, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@williajm