From a9fe112a9fee9b36c9fe35b17884cfebce326db0 Mon Sep 17 00:00:00 2001
From: James Williams <29534093+williajm@users.noreply.github.com>
Date: Sat, 18 Apr 2026 00:08:06 +0100
Subject: [PATCH] fix(release): exclude SBOM artifact from dist/ so twine check passes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The v0.4.0 release workflow failed at the Publish step because twine rejected sbom.cdx.json as an InvalidDistribution. The first download step used `merge-multiple: true` with no filter, which pulled every workflow artifact — including the SBOM — into dist/. pypa/gh-action-pypi-publish v1.13.0 then ran twine against dist/* and choked on the JSON file: Checking dist/sbom.cdx.json: ERROR InvalidDistribution: Unknown distribution format: 'sbom.cdx.json' Fix: replace the single "download all" step with three targeted steps. Wheels (pattern wheels-*) and sdist (name: sdist) land in dist/; the SBOM (name: sbom, no path) lands in the workflow root where the later `gh release upload` step already expects it. twine now only sees valid distribution files. Noticed on PR #48's v0.4.0 release run; nothing ever made it to PyPI and the GitHub release assets never populated. Re-tagging v0.4.0 after this merges will go through cleanly. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ce20ae7..b367bb9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -102,16 +102,27 @@ jobs:
       contents: write
     steps:
-      - name: Download all artifacts
+      # Download only distribution artifacts (wheels + sdist) into dist/.
+      # The SBOM is downloaded separately below so it never lands in dist/,
+      # otherwise twine rejects it as `InvalidDistribution` during publish.
+      - name: Download wheel artifacts
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
+          pattern: wheels-*
           path: dist
           merge-multiple: true
+      - name: Download sdist artifact
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+        with:
+          name: sdist
+          path: dist
+
       - name: Download SBOM
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: sbom
+          # No `path:` — lands in the workflow root, not dist/.
       - name: Generate SHA256 checksums
         run: |
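Review bot: Nothing in the new download steps verifies what actually landed in dist/ before it is handed to the publish step; the fix depends on the `wheels-*` and `sdist` artifact names matching what the build jobs upload, and those jobs and the publish step are outside this hunk. A renamed artifact or a stray extra file would surface again only as a twine error inside pypa/gh-action-pypi-publish, exactly as sbom.cdx.json did, and with `pattern: wheels-*` an unmatched pattern may leave dist/ holding only the sdist without any step noticing. A short guard step after the sdist download that lists dist/ and fails if it contains anything other than wheels and the sdist, or is missing either, turns that into an early, readable failure; the closing `ls` below relies on the default `bash -e` run shell to fail on an unmatched glob. Separately, the `# No path:` comment sits inside the `with:` mapping after its last key, which is valid YAML but reads better placed directly above the `with:` line of the Download SBOM step.
```yaml
      # … unchanged: Download sdist artifact step …
      - name: Verify dist/ holds only distribution files
        run: |
          ls -la dist/
          unexpected="$(find dist -type f ! -name '*.whl' ! -name '*.tar.gz')"
          if [ -n "$unexpected" ]; then
            echo "::error::unexpected file(s) in dist/: $unexpected"
            exit 1
          fi
          # fails under the default bash -e shell if either glob is unmatched
          ls dist/*.whl dist/*.tar.gz
```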