From 8483eb6d824839ee293b558a72f4323e2cd4a328 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 20 Jan 2026 15:09:21 -0500 Subject: [PATCH 01/18] Use pyproject.toml instead of setup.py when generating cache keys setup.py no longer exists, but pyproject.toml has taken its place. --- .github/workflows/build.yml | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8d0e1c4..8593c68 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -126,14 +126,11 @@ jobs: packer${{ steps.setup-env.outputs.packer-version }}-\ tf${{ steps.setup-env.outputs.terraform-version }}- with: - # We do not use '**/setup.py' in the cache key so only the 'setup.py' - # file in the root of the repository is used. This is in case a Python - # package were to have a 'setup.py' as part of its internal codebase. key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ ${{ hashFiles('**/.pre-commit-config.yaml') }}-\ - ${{ hashFiles('setup.py') }} + ${{ hashFiles('pyproject.toml') }} # Note that the .terraform directory IS NOT included in the # cache because if we were caching, then we would need to use # the `-upgrade=true` option. This option blindly pulls down the @@ -263,13 +260,10 @@ jobs: py${{ steps.setup-python.outputs.python-version }}- with: path: ${{ env.PIP_CACHE_DIR }} - # We do not use '**/setup.py' in the cache key so only the 'setup.py' - # file in the root of the repository is used. This is in case a Python - # package were to have a 'setup.py' as part of its internal codebase. key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements-test.txt') }}-\ ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('setup.py') }} + ${{ hashFiles('pyproject.toml') }} restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Install dependencies 
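Review bot: The three removed comment lines were the only explanation of why the cache key hashes a root-relative path instead of a `**/` glob, and the new `${{ hashFiles('pyproject.toml') }}` line keeps that choice without the rationale; the same applies to the hunks at @@ -263, @@ -389 and @@ -475. A single line above `key:` such as `# Hash only the root pyproject.toml; '**/pyproject.toml' would also match any vendored package.` would preserve it. Separately, `key:` is a plain multi-line scalar, so as I read YAML folding rules the trailing `\` on each line is literal and the line break becomes a space, leaving `\ ` sequences inside the cache key; this predates the commit, but the `>-` folded form that the generate-sbom job adopts later in this series avoids it.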
@@ -389,12 +383,9 @@ jobs: py${{ steps.setup-python.outputs.python-version }}- with: path: ${{ env.PIP_CACHE_DIR }} - # We do not use '**/setup.py' in the cache key so only the 'setup.py' - # file in the root of the repository is used. This is in case a Python - # package were to have a 'setup.py' as part of its internal codebase. key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('setup.py') }} + ${{ hashFiles('pyproject.toml') }} restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Install build dependencies @@ -475,12 +466,9 @@ jobs: py${{ steps.setup-python.outputs.python-version }}- with: path: ${{ env.PIP_CACHE_DIR }} - # We do not use '**/setup.py' in the cache key so only the 'setup.py' - # file in the root of the repository is used. This is in case a Python - # package were to have a 'setup.py' as part of its internal codebase. key: ${{ env.BASE_CACHE_KEY }}\ ${{ hashFiles('**/requirements.txt') }}-\ - ${{ hashFiles('setup.py') }} + ${{ hashFiles('pyproject.toml') }} restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Retrieve the built wheel From e5806d4f22660a896300f3cefcc3a7a4776e4304 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 20 Jan 2026 15:14:28 -0500 Subject: [PATCH 02/18] Add code to generate SBOMs and attach them to the release as assets --- .github/workflows/build.yml | 110 ++++++++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8593c68..ae0e27f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -490,3 +490,113 @@ jobs: - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE + generate-sbom: + # Generate an SBOM for the Docker image and, if there is a + # release, upload it as an asset to the release. + # + # This job is located in this workflow as opposed to a separate + # release workflow because it can only run after the wheels have + # been generated in the build job. Putting it in a separate + # release workflow would require us to introduce a dependency of + # the release workflow on this one. + if: github.event_name != 'pull_request' + name: Generate and upload SBOM + needs: + - build + - diagnostics + permissions: + # Allows us to read the SBOM artifact + actions: read + artifact-metadata: write + attestations: write + # Allows us to add the SBOM to the release. Also, + # actions/checkout needs read permission to fetch code. + contents: write + # Allows the workflow to mint the OIDC token necessary to + # request a Sigstore signing certificate. + id-token: write + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + python-version: + - "3.10" + - "3.11" + - "3.12" + - "3.13" + - "3.14" + sbom-format: + - cyclonedx-json + - spdx-json + steps: + - name: Apply standard cisagov job preamble + uses: cisagov/action-job-preamble@v1 + with: + # This functionality is poorly implemented and has been + # causing problems due to the MITM implementation hogging or + # leaking memory. As a result we disable it by default. If + # you want to temporarily enable it, simply set + # monitor_permissions equal to "true". + # + # TODO: Re-enable this functionality when practical. See + # cisagov/skeleton-docker#224 for more details. + monitor_permissions: "false" + # Use a variable to specify the permissions monitoring + # configuration. By default this will yield the + # configuration stored in the cisagov organization-level + # variable, but if you want to use a different configuration + # then simply: + # 1. 
Create a repository-level variable with the name + # ACTIONS_PERMISSIONS_CONFIG. + # 2. Set this new variable's value to the configuration you + # want to use for this repository. + # + # Note in particular that changing the permissions + # monitoring configuration *does not* require you to modify + # this workflow. + permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }} + - id: setup-env + uses: cisagov/setup-env-github-action@v1 + - uses: actions/checkout@v6 + - id: setup-python + uses: actions/setup-python@v6 + with: + python-version: ${{ steps.setup-env.outputs.python-version }} + - uses: actions/cache@v4 + env: + BASE_CACHE_KEY: ${{ github.job }}-\ + ${{ runner.os }}-${{ runner.arch }}-\ + py${{ steps.setup-python.outputs.python-version }}- + with: + path: ${{ env.PIP_CACHE_DIR }} + key: ${{ env.BASE_CACHE_KEY }}\ + ${{ hashFiles('pyproject.toml') }} + restore-keys: | + ${{ env.BASE_CACHE_KEY }} + - name: Retrieve the built wheel + uses: actions/download-artifact@v7 + with: + name: dist-${{ matrix.python-version }} + path: dist + - id: find-wheel + name: Get the name of the retrieved wheel (there should only be one) + run: echo "wheel=$(ls dist/*whl)" >> $GITHUB_OUTPUT + - name: Update core Python packages + run: python -m pip install --upgrade pip setuptools wheel + - name: Install pipenv + run: pip install --upgrade pipenv + - name: Install the built wheel into a Pipfile + run: pipenv install ${{ steps.find-wheel.outputs.wheel }} + - name: Lock the Pipfile + run: pipenv lock + - name: Gemerate SBOM + uses: anchore/sbom-action@v0 + with: + artifact-name: sbom.py${{ matrix.python-version }}.${{ matrix.sbom-format }} + file: Pipfile.lock + format: ${{ matrix.sbom-format }} + output-file: sbom.py${{ matrix.python-version }}.${{ matrix.sbom-format }} + - name: Attest build provenance for the SBOM + uses: actions/attest-build-provenance@v3 + with: + subject-path: sbom.py${{ matrix.python-version }}.${{ matrix.sbom-format }} 
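Review bot: `contents: write` is justified by the comment `Allows us to add the SBOM to the release`, but no step in the new job uploads a release asset; if I recall `anchore/sbom-action` correctly, the upload happens inside that action through its `upload-release-assets` input (default true), which a reader auditing the permission cannot see from the job. I would extend the comment to `# Allows anchore/sbom-action to attach the SBOM to the release as an asset (it uploads by default).` so the write grant is traceable to the step that uses it. The `Install the built wheel into a Pipfile` step interpolates a step output straight into `run:`; even though the value originates from `ls dist/*whl` in this same workflow, the safer pattern is `env: WHEEL: ${{ steps.find-wheel.outputs.wheel }}` with `run: pipenv install "$WHEEL"`. The `find-wheel` step also quietly joins several wheels with whitespace if more than one is present, and writes to an unquoted `$GITHUB_OUTPUT`; a check that exactly one wheel exists, plus `>> "$GITHUB_OUTPUT"`, would make the "there should only be one" assumption in the step name enforceable.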
From f34b78e084d934931a563eee975f222117dee59d Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Wed, 21 Jan 2026 00:02:34 -0500 Subject: [PATCH 03/18] Add (commented out) Dependabot ignore directives for SBOM-related actions --- .github/dependabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fe641ae..faafccb 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -23,8 +23,10 @@ updates: - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate # # Managed by cisagov/skeleton-python-library + # - dependency-name: actions/attest-build-provenance # - dependency-name: actions/download-artifact # - dependency-name: actions/upload-artifact + # - dependency-name: anchore/sbom-action labels: # dependabot default we need to replicate - dependencies From 281d5aa78eea7a2fe01963c1dd5d7e52fcf8a791 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 26 Jan 2026 09:41:30 -0500 Subject: [PATCH 04/18] Manipulate the repo name and use that in the SBOM file name Thus our SBOMs are named, e.g., cisagov-skeleton-python-library.py3.13.spdx-json rather than sbom.py3.13.spdx-json. --- .github/workflows/build.yml | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ae0e27f..248e031 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -589,14 +589,27 @@ jobs: run: pipenv install ${{ steps.find-wheel.outputs.wheel }} - name: Lock the Pipfile run: pipenv lock - - name: Gemerate SBOM + - name: Manipulate the repo name into the preferred format + id: manipulate-repo-name + run: | + NEW_NAME=$(echo "${{ github.repository}}" \ + | tr '[:upper:]' '[:lower:]' \ + | tr '/ ' '-') + echo "repo-name=${NEW_NAME}" >> $GITHUB_OUTPUT + - name: Generate SBOM uses: anchore/sbom-action@v0 with: - artifact-name: sbom.py${{ matrix.python-version }}.${{ matrix.sbom-format }} + artifact-name: >- + ${{ steps.manipulate-repo-name.outputs.repo-name }}.py${{ + matrix.python-version }}.${{ matrix.sbom-format }} file: Pipfile.lock format: ${{ matrix.sbom-format }} - output-file: sbom.py${{ matrix.python-version }}.${{ matrix.sbom-format }} + output-file: >- + ${{ steps.manipulate-repo-name.outputs.repo-name }}.py${{ + matrix.python-version }}.${{ matrix.sbom-format }} - name: Attest build provenance for the SBOM uses: actions/attest-build-provenance@v3 with: - subject-path: sbom.py${{ matrix.python-version }}.${{ matrix.sbom-format }} + subject-path: >- + ${{ steps.manipulate-repo-name.outputs.repo-name }}.py${{ + matrix.python-version }}.${{ matrix.sbom-format }} From 11e73ea6daa708989e06ff0e9a8f8a0e8e2c232c Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 26 Jan 2026 13:04:13 -0500 Subject: [PATCH 05/18] Upgrade to the latest release of the check-jsonschema pre-commit hook The latest release supports the artifact-metadata permission that we are now using in the generate-sbom job of the build.yml GitHub Actions workflow. --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 589599f..7085dfe 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
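Review bot: The `manipulate-repo-name` step interpolates `${{ github.repository}}` into the shell script although the same value is already available as the `GITHUB_REPOSITORY` environment variable; reading `"$GITHUB_REPOSITORY"` keeps expression substitution out of `run:` blocks, which is the habit worth keeping even for a value GitHub controls. The write should also be `>> "$GITHUB_OUTPUT"`, and `tr '/ ' '-'` maps a space that, as far as I know, a repository slug never contains, so `tr '/' '-'` states the intent more exactly. The missing space in `${{ github.repository}}` is a cosmetic inconsistency with every other expression in the file.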
@@ -63,7 +63,7 @@ repos: # GitHub Actions hooks - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.35.0 + rev: 0.36.1 hooks: - id: check-github-actions - id: check-github-workflows From b1526cd5aad97736b84666bac5dffb2134161269 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 26 Jan 2026 22:40:07 -0500 Subject: [PATCH 06/18] Add a comment explaining why an if statement is present The if statement is present to to keep the push and pull_request events from both causing the job to be run. Co-authored-by: dav3r Co-authored-by: Nick M <50747025+mcdonnnj@users.noreply.github.com> --- .github/workflows/build.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 248e031..d0c5c8d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -499,6 +499,9 @@ jobs: # been generated in the build job. Putting it in a separate # release workflow would require us to introduce a dependency of # the release workflow on this one. + # + # This if statement is present to keep the push and pull_request + # events from both causing the job to be run. if: github.event_name != 'pull_request' name: Generate and upload SBOM needs: From 4db07ae34e78f9adab0c48957a2a6a8f1fcc5734 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Fri, 13 Feb 2026 14:04:35 -0500 Subject: [PATCH 07/18] Update comment for correctness Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d0c5c8d..1c86f57 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -491,8 +491,8 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE generate-sbom: - # Generate an SBOM for the Docker image and, if there is a - # release, upload it as an asset to the release. + # Generate SBOMs for the built Python wheel packages and, if there is a + # release, upload them as assets to the release. # # This job is located in this workflow as opposed to a separate # release workflow because it can only run after the wheels have From ea7885d535fcfe6357678dd7d9a127af8551bada Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Fri, 13 Feb 2026 14:10:28 -0500 Subject: [PATCH 08/18] Update references to point to the correct Python version Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1c86f57..1ed288e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -564,12 +564,12 @@ jobs: - id: setup-python uses: actions/setup-python@v6 with: - python-version: ${{ steps.setup-env.outputs.python-version }} + python-version: ${{ matrix.python-version }} - uses: actions/cache@v4 env: BASE_CACHE_KEY: ${{ github.job }}-\ ${{ runner.os }}-${{ runner.arch }}-\ - py${{ steps.setup-python.outputs.python-version }}- + py${{ matrix.python-version }}- with: path: ${{ env.PIP_CACHE_DIR }} key: ${{ env.BASE_CACHE_KEY }}\ From 6e666cff9f3bfba2a03a19ba577b0a3cf320456f Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 23 Feb 2026 11:11:05 -0500 Subject: [PATCH 09/18] Upgrade actions/cache to match version used in parent skeleton --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1ed288e..5224bc1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
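Review bot: The cache key in the @@ -564 hunk now uses `py${{ matrix.python-version }}-`, whereas the other jobs' cache keys visible earlier in this series use `py${{ steps.setup-python.outputs.python-version }}-`, i.e. the resolved interpreter version; with the matrix value, runs of `3.13` on different patch releases share one pip cache. That may be acceptable since this job only installs pipenv and a wheel, but using the setup-python output here would keep the key construction consistent across jobs.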
@@ -565,7 +565,7 @@ jobs: uses: actions/setup-python@v6 with: python-version: ${{ matrix.python-version }} - - uses: actions/cache@v4 + - uses: actions/cache@v5 env: BASE_CACHE_KEY: ${{ github.job }}-\ ${{ runner.os }}-${{ runner.arch }}-\ From 3d03aefffa00b149ed157abeb93c69da386451f0 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 23 Feb 2026 11:11:31 -0500 Subject: [PATCH 10/18] Clean up definitions of cache keys to match upstream --- .github/workflows/build.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5224bc1..1985ce1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -567,13 +567,15 @@ jobs: python-version: ${{ matrix.python-version }} - uses: actions/cache@v5 env: - BASE_CACHE_KEY: ${{ github.job }}-\ - ${{ runner.os }}-${{ runner.arch }}-\ - py${{ matrix.python-version }}- + BASE_CACHE_KEY: >- + ${{ github.job }}-${{ + runner.os }}-${{ runner.arch }}-py${{ + matrix.python-version }}- with: path: ${{ env.PIP_CACHE_DIR }} - key: ${{ env.BASE_CACHE_KEY }}\ - ${{ hashFiles('pyproject.toml') }} + key: >- + ${{ env.BASE_CACHE_KEY }}${{ + hashFiles('pyproject.toml') }} restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Retrieve the built wheel From 2b0e6462db20a72a3fb46901b2899a1c0e04db4d Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 9 Mar 2026 12:47:41 -0400 Subject: [PATCH 11/18] Word wrap some comment text --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1985ce1..43ffb25 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -491,8 +491,8 @@ jobs: uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE generate-sbom: - # Generate SBOMs for the built Python wheel packages and, if there is a - # release, upload them as assets to the release. + # Generate SBOMs for the built Python wheel packages and, if there + # is a release, upload them as assets to the release. # # This job is located in this workflow as opposed to a separate # release workflow because it can only run after the wheels have From 3ef4839083dc64005d3ef16fd9f88134ae83c00c Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 9 Mar 2026 12:49:08 -0400 Subject: [PATCH 12/18] Upgrade to the latest name and version for the attestation action Note that actions/attest-build-provenance has changed its name to actions/attest, partly because it now supports different types of attestations. One such type is an SBOM attestation, which we are now using here. --- .github/dependabot.yml | 2 +- .github/workflows/build.yml | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index faafccb..48292b7 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -23,7 +23,7 @@ updates: - dependency-name: hashicorp/setup-terraform - dependency-name: mxschmitt/action-tmate # # Managed by cisagov/skeleton-python-library - # - dependency-name: actions/attest-build-provenance + # - dependency-name: actions/attest # - dependency-name: actions/download-artifact # - dependency-name: actions/upload-artifact # - dependency-name: anchore/sbom-action diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 43ffb25..ad02bd4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -612,9 +612,10 @@ jobs: output-file: >- ${{ steps.manipulate-repo-name.outputs.repo-name }}.py${{ matrix.python-version }}.${{ matrix.sbom-format }} - - name: Attest build provenance for the SBOM - uses: actions/attest-build-provenance@v3 + - name: Create SBOM attestation + uses: actions/attest@v4 with: - subject-path: >- + sbom-path: >- ${{ steps.manipulate-repo-name.outputs.repo-name }}.py${{ matrix.python-version }}.${{ matrix.sbom-format }} + subject-path: dist From 03bd84e1ab4cf1ce860e18286ce279af6f1c9f04 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 10 Mar 2026 12:02:21 -0400 Subject: [PATCH 13/18] Add provenance attestation for the SBOM --- .github/workflows/build.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ad02bd4..8d5129b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -510,6 +510,7 @@ jobs: permissions: # Allows us to read the SBOM artifact actions: read + # Necessary to create the artifact storage record artifact-metadata: write attestations: write # Allows us to add the SBOM to the release. Also, @@ -612,7 +613,13 @@ jobs: output-file: >- ${{ steps.manipulate-repo-name.outputs.repo-name }}.py${{ matrix.python-version }}.${{ matrix.sbom-format }} - - name: Create SBOM attestation + - name: Create provenance attestation for SBOM + uses: actions/attest@v4 + with: + subject-path: >- + ${{ steps.manipulate-repo-name.outputs.repo-name }}.py${{ + matrix.python-version }}.${{ matrix.sbom-format }} + - name: Create SBOM attestation for distribution package uses: actions/attest@v4 with: sbom-path: >- From 26e7ea5eb181d2105c49a6d52670d4e0ac95dd0f Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Tue, 10 Mar 2026 13:24:32 -0400 Subject: [PATCH 14/18] Add provenance attestation for distribution --- .github/workflows/build.yml | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) 
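Review bot: `subject-path: dist` in the `Create SBOM attestation` step (and the provenance step added at @@ -399 in the next patch) names a directory rather than the wheel; I am not certain whether actions/attest accepts a bare directory as a subject, and `dist/*.whl` names the intended artifact explicitly and excludes anything else that ends up in `dist`. Also, the SBOM being attached was generated from `Pipfile.lock`, so it describes the resolved pipenv environment that the wheel was installed into rather than the wheel's own metadata; a comment on the `Generate SBOM` step such as `# The SBOM is built from the locked pipenv environment, i.e. the wheel plus its resolved dependencies at lock time.` would stop a reader from expecting a wheel-level SBOM.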
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8d5129b..8a4e961 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -333,8 +333,17 @@ jobs: - lint - test permissions: - # actions/checkout needs this to fetch code - contents: read + # Allows us to read artifacts + actions: read + # Necessary to create the artifact storage record + artifact-metadata: write + attestations: write + # Allows us to add the SBOM to the release. Also, + # actions/checkout needs read permission to fetch code. + contents: write + # Allows the workflow to mint the OIDC token necessary to + # request a Sigstore signing certificate. + id-token: write runs-on: ubuntu-latest strategy: fail-fast: false @@ -399,6 +408,10 @@ jobs: with: name: dist-${{ matrix.python-version }} path: dist + - name: Create provenance attestation for distribution + uses: actions/attest@v4 + with: + subject-path: dist - name: Setup tmate debug session uses: mxschmitt/action-tmate@v3 if: env.RUN_TMATE From 000c69587adfe9bf49fc579362681fde02051425 Mon Sep 17 00:00:00 2001 From: Shane Frasier Date: Tue, 10 Mar 2026 15:05:48 -0400 Subject: [PATCH 15/18] Pare down permissions Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .github/workflows/build.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8a4e961..1ada83a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -338,9 +338,9 @@ jobs: # Necessary to create the artifact storage record artifact-metadata: write attestations: write - # Allows us to add the SBOM to the release. Also, - # actions/checkout needs read permission to fetch code. - contents: write + # Allows actions/checkout to fetch code; write access is not + # required for this build job. + contents: read # Allows the workflow to mint the OIDC token necessary to # request a Sigstore signing certificate. id-token: write 
From 10267a1016a50edbc8c93ce2845813baf72fd786 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 13 Apr 2026 14:08:17 -0400 Subject: [PATCH 16/18] Upgrade instance of actions/download-artifact to v8 This agrees with changes made elsewhere in this workflow. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 388bd94..6cddd7e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -606,7 +606,7 @@ jobs: restore-keys: | ${{ env.BASE_CACHE_KEY }} - name: Retrieve the built wheel - uses: actions/download-artifact@v7 + uses: actions/download-artifact@v8 with: name: dist-${{ matrix.python-version }} path: dist From e7318557c33e6f745c1e40903d47d5095e82c188 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 13 Apr 2026 14:42:40 -0400 Subject: [PATCH 17/18] Update job name in SBOM portion of workflow This job name changed in a previous commit and hence needs to be updated here as well. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 73bd8f3..d66be47 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -530,7 +530,7 @@ jobs: if: github.event_name != 'pull_request' name: Generate and upload SBOM needs: - - build + - build-wheel - diagnostics permissions: # Allows us to read the SBOM artifact From fa900f635c8aa26ee650cede6b9e2d6fe8f8d054 Mon Sep 17 00:00:00 2001 From: Jeremy Frasier Date: Mon, 13 Apr 2026 14:46:45 -0400 Subject: [PATCH 18/18] Remove manual installation of wheel wheel need not be installed alongside setuptools as of setuptools 70.1. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d66be47..b87f0a1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -613,7 +613,7 @@ jobs: name: Get the name of the retrieved wheel (there should only be one) run: echo "wheel=$(ls dist/*whl)" >> $GITHUB_OUTPUT - name: Update core Python packages - run: python -m pip install --upgrade pip setuptools wheel + run: python -m pip install --upgrade pip setuptools - name: Install pipenv run: pip install --upgrade pipenv - name: Install the built wheel into a Pipfile