From 50fb7b106937013e462f82e041864bd85d66329a Mon Sep 17 00:00:00 2001 From: Miles Dai Date: Sat, 18 Apr 2026 17:26:35 -0400 Subject: [PATCH] ci: generate SBOM and include it in the wheel This commit adds machinery to generate a CycloneDX SBOM file during the release flow. This file is automatically included in the built wheel by hatchling as specified in PEP 770. There is a placeholder SBOM file in the root directory to satisfy hatchling when building outside the release flow. --- .github/workflows/sdk-release.yml | 29 +++++++++++++++++++++++++++++ pyproject.toml | 3 ++- sbom.cdx.json | 15 +++++++++++++++ 3 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 sbom.cdx.json diff --git a/.github/workflows/sdk-release.yml b/.github/workflows/sdk-release.yml index 7c1fd21..4285da3 100644 --- a/.github/workflows/sdk-release.yml +++ b/.github/workflows/sdk-release.yml @@ -8,9 +8,34 @@ on: permissions: {} jobs: + generate-sbom: + name: Generate SBOM + runs-on: ubuntu-latest + permissions: + contents: read + + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Set up uv + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 + with: + enable-cache: false + - name: Generate SBOM + run: | + uv sync --locked --no-dev + uvx --from cyclonedx-bom==7.3.0 cyclonedx-py environment --output-format json -o sbom.cdx.json + - name: Upload SBOM + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: sbom + path: sbom.cdx.json + build: name: Build distribution runs-on: ubuntu-latest + needs: generate-sbom permissions: contents: read 
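Review bot: The `cyclonedx-py environment` call in the "Generate SBOM" step is given no interpreter or environment argument, and as far as I can tell from the tool's CLI that makes it describe the environment it is itself running in — the ephemeral `uvx` tool environment — rather than the `.venv` that `uv sync --locked --no-dev` just populated, so the shipped SBOM would list the generator's own dependencies instead of the project's. If the positional `python` argument accepts a virtual-environment path as its help text indicates, the fix is one line: `uvx --from cyclonedx-bom==7.3.0 cyclonedx-py environment .venv --output-format json -o sbom.cdx.json` (or `.venv/bin/python` if only an interpreter path is accepted). Adding `--pyproject pyproject.toml` to the same command would populate `metadata.component` so the SBOM identifies the package it is about, which makes the document useful to consumers and makes a wrong-environment regression obvious in the artifact. A one-line comment above the step, `# SBOM must describe .venv (the locked runtime set), not the uvx tool env`, would keep the next editor from dropping the argument.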
@@ -22,6 +47,10 @@ jobs: uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: enable-cache: false + - name: Download generated SBOM + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: sbom - name: Build a binary wheel and a source tarball run: uv build - name: Store the distribution packages diff --git a/pyproject.toml b/pyproject.toml index 61e253f..11cd302 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,9 +1,10 @@ [build-system] -requires = ["hatchling"] +requires = ["hatchling>=1.28.0"] build-backend = "hatchling.build" [tool.hatch.build.targets.wheel] packages = ["src/tinfoil"] +sbom-files = ["sbom.cdx.json"] [project] name = "tinfoil" diff --git a/sbom.cdx.json b/sbom.cdx.json new file mode 100644 index 0000000..c41c87e --- /dev/null +++ b/sbom.cdx.json @@ -0,0 +1,15 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "version": 1, + "metadata": { + "properties": [ + { + "name": "placeholder", + "value": "This is a placeholder file to satisfy the hatchling build backend. The real SBOM is populated in the release flow." + } + ] + }, + "components": [] +}
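Review bot: The "Download generated SBOM" step is followed directly by `uv build` with nothing confirming that the file now in the workspace is the generated SBOM rather than the committed placeholder of the same name; the download relies on the action's default extraction path coinciding with the repository root, and if the generated document were empty (for example because the generator inspected the wrong environment) the wheel would ship a schema-valid "no components" SBOM without any step failing. A short guard between the download and the build closes that gap: `- name: Check SBOM is populated` / `run: jq -e '.components | length > 0' sbom.cdx.json` (jq is present on the ubuntu runner image). Making the destination explicit with `path: .` under the download step's `with:` also documents the root-directory assumption that hatchling's `sbom-files` entry depends on. The `build` job's header and the rest of its steps lie outside this hunk.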
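Review bot: The new `sbom-files = ["sbom.cdx.json"]` line points at a file that is the committed placeholder for every build except the release workflow, so `uv build` run locally, or a downstream rebuild from the sdist, produces a wheel whose SBOM declares zero components; nothing in pyproject.toml records this contract. I would put it above the key as `# Placeholder outside CI; sdk-release.yml overwrites it with the generated SBOM before `uv build``, and likewise annotate the bumped bound with `# first hatchling release with PEP 770 sbom-files support` (assuming 1.28.0 is in fact that release — worth confirming against the hatchling changelog, since an off-by-one here fails only at build time). If shipping the placeholder from non-release builds is not acceptable, the commit message's rationale suggests the alternative of not committing the file and letting non-release builds fail loudly instead.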