From 6ab8e7b4c8de80fc969ff0c1f1f8e8fdf1b2bd4e Mon Sep 17 00:00:00 2001
From: Kovid Goyal
Date: Wed, 17 Sep 2025 13:51:38 +0530
Subject: [PATCH] Also publish an SBOM
---
 publish.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/publish.py b/publish.py
index 5d676b062..0b1f23935 100755
--- a/publish.py
+++ b/publish.py
@@ -36,8 +36,8 @@ ap = re.search(r"^appname: str\s+=\s+'([^']+)'", raw, flags=re.MULTILINE)
 if ap is not None:
 appname = ap.group(1)
-ALL_ACTIONS = 'local_build man html build tag sdist upload website'.split()
-NIGHTLY_ACTIONS = 'local_build man html build sdist upload_nightly'.split()
+ALL_ACTIONS = 'local_build man html build tag sdist sbom upload website'.split()
+NIGHTLY_ACTIONS = 'local_build man html build sdist sbom upload_nightly'.split()
 def echo_cmd(cmd: Iterable[str]) -> None:
@@ -207,6 +207,10 @@ def run_sdist(args: Any) -> None:
 sign_file(f'{dest}.xz')
+def run_sbom(args: Any) -> None:
+ call(f'python ../bypy sbom --output build/kitty-{version}.tar.xz.spdx.json --url https://sw.kovidgoyal.net/kitty/binary kitty {version}')
+
+
 class ReadFileWithProgressReporting(io.FileIO): # {{{
 def __init__(self, path: str):
 super().__init__(path, 'rb')
@@ -471,6 +475,7 @@ def files_for_upload() -> Dict[str, str]:
 files[f'build/kitty-{version}.tar.xz'] = 'Source code'
 files[f'build/kitty-{version}.tar.xz.sig'] = 'Source code GPG signature'
+ files[f'build/kitty-{version}.tar.xz.spdx.json'] = 'SBOM for kitty (all builds)'
 for path, desc in signatures.items():
 sign_file(path)
 files[f'{path}.sig'] = desc
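Review bot: `sbom` is added to `NIGHTLY_ACTIONS`, but the only upload-side change in this patch is in `files_for_upload()`. If `upload_nightly` builds its file list elsewhere (not visible here), nightly runs would generate an SBOM that is never published. Either confirm that the nightly upload picks up `build/kitty-{version}.tar.xz.spdx.json`, or leave `sbom` out of the nightly list. A comment above the two lists, e.g. `# sbom must run before upload, which publishes the file it writes`, would record the ordering constraint that the string order now carries silently.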
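Review bot: The SBOM written by `run_sbom` is never signed, whereas the context line just above shows `run_sdist` ending in `sign_file(f'{dest}.xz')` and the upload list carries a `.sig` for the tarball. Downstream consumers feed an SBOM to vulnerability and licence tooling, so it deserves the same authenticity check as the source archive. Add `sign_file(f'build/kitty-{version}.tar.xz.spdx.json')` after the `call(...)`, and in the `files_for_upload` hunk add `files[f'build/kitty-{version}.tar.xz.spdx.json.sig'] = 'SBOM GPG signature'`. This assumes `sign_file` writes `<path>.sig`, as the neighbouring entries suggest. A one-line docstring such as `"""Generate the SPDX SBOM for this release with bypy."""` would also help; the other `run_*` bodies are outside the hunk, so the existing convention cannot be checked here.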
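Review bot: The path `build/kitty-{version}.tar.xz.spdx.json` is now spelled out twice, here and in `run_sbom`, so a rename in one place would leave the upload list pointing at a file that was never written. A small helper used at both sites, e.g. `def sbom_path() -> str: return f'build/kitty-{version}.tar.xz.spdx.json'`, would keep them in step. The name also reads as the SBOM of the source tarball, while the description says 'all builds' and the generator is given the `/binary` URL. If the document does cover the binary bundles, a name not derived from `.tar.xz`, or a description that says which artifacts it covers, would stop consumers pairing it with the wrong artifact. `files_for_upload` begins and ends outside this hunk.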