v0.1.0a6 — 2026-04-24

SBOM generation for every release. Operators can now audit the exact dependency graph shipped in any pip install oxi-core.

What's new

  • scripts/generate-sbom.sh — standalone script that produces a CycloneDX 1.6 JSON SBOM for any oxi package. Called automatically by scripts/release.sh after the smoke-test venv validates the wheel. The SBOM lands in dist/ alongside the wheel and sdist so it can be attached to the GitHub release page.

  • scripts/release.sh SBOM integration — after the smoke-test venv is validated, cyclonedx-bom is installed into that isolated venv and the SBOM is generated from it. This guarantees the dependency snapshot reflects exactly what a clean pip install pulls in — not the broader dev environment. Pass --no-sbom to skip if needed.

  • .github/workflows/sbom.yml — CI job that generates and uploads the SBOM as a GitHub Actions artifact (90-day retention) on every push to main and on manual trigger. Lets operators download the SBOM for any commit without running a release.

  • oxi-core[release] extras — new optional-dependency group that pins build, twine, and cyclonedx-bom for reproducible release tooling.

SBOM details

  • Format: CycloneDX 1.6 JSON (--output-reproducible ensures stable output for identical inputs).
  • Root component: oxi-core with version and license pulled from pyproject.toml.
  • Covers all transitive runtime dependencies resolved by pip at install time.
  • Filename convention: sbom-<pkg-name>-<version>.cdx.json.
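As an added example (this is not the project's scripts/generate-sbom.sh and not code from the oxi-core project), the Python below shows what an operator can do with the shipped SBOM: check the envelope the notes describe (CycloneDX 1.6, a root component carrying name, version and license, a dependency graph present), derive the expected sbom-<pkg-name>-<version>.cdx.json filename, walk the transitive graph from the root bom-ref, and diff two releases' SBOMs for dependency drift. Both SBOM documents are constructed inline; the component names, bom-ref style and license value are placeholders, not the real oxi-core dependency set.

```python
"""Audit a CycloneDX 1.6 JSON SBOM (added example, not oxi-core's own tooling):
validate the envelope, walk the dependency graph from the root component, and
diff two SBOMs to see how the install-time dependency set drifted between releases."""
import json


def expected_sbom_filename(name: str, version: str) -> str:
    """Filename convention for the shipped SBOM: sbom-<pkg-name>-<version>.cdx.json."""
    return f"sbom-{name}-{version}.cdx.json"


def validate_sbom(doc: dict, expected_name: str) -> list[str]:
    """Return the list of problems found; an empty list means the envelope looks right."""
    problems = []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    if doc.get("specVersion") != "1.6":
        problems.append(f"specVersion is {doc.get('specVersion')!r}, expected '1.6'")
    root = doc.get("metadata", {}).get("component", {})
    if root.get("name") != expected_name:
        problems.append(f"root component is {root.get('name')!r}, expected {expected_name!r}")
    if not root.get("version"):
        problems.append("root component has no version")
    if not root.get("licenses"):
        problems.append("root component has no license")
    if "dependencies" not in doc:
        problems.append("no dependency graph present")
    return problems


def transitive_dependencies(doc: dict, root_ref: str) -> set[str]:
    """Walk the 'dependencies' edges from root_ref and return every reachable bom-ref
    (excluding the root itself), i.e. the full resolved graph, not just direct pins."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    seen, stack = set(), list(edges.get(root_ref, []))
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(edges.get(ref, []))
    return seen


def component_versions(doc: dict) -> dict[str, str]:
    """Map component name -> version for every component listed in the SBOM."""
    return {c["name"]: c.get("version", "") for c in doc.get("components", [])}


def diff_sboms(old: dict, new: dict) -> dict[str, list]:
    """Drift between two releases: components added, removed, or changed in version."""
    a, b = component_versions(old), component_versions(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted((n, a[n], b[n]) for n in set(a) & set(b) if a[n] != b[n]),
    }


# Constructed sample documents (placeholder dependencies and license, not real oxi-core data).
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "metadata": {"component": {"type": "library", "bom-ref": "oxi-core@0.1.0a6",
                             "name": "oxi-core", "version": "0.1.0a6",
                             "licenses": [{"license": {"name": "PLACEHOLDER-LICENSE"}}]}},
  "components": [
    {"type": "library", "bom-ref": "dep-a@1.2.0", "name": "dep-a", "version": "1.2.0"},
    {"type": "library", "bom-ref": "dep-b@0.9.1", "name": "dep-b", "version": "0.9.1"}
  ],
  "dependencies": [
    {"ref": "oxi-core@0.1.0a6", "dependsOn": ["dep-a@1.2.0"]},
    {"ref": "dep-a@1.2.0", "dependsOn": ["dep-b@0.9.1"]},
    {"ref": "dep-b@0.9.1", "dependsOn": []}
  ]
}""")

# A hypothetical later release: dep-b bumped, dep-c newly pulled in.
SAMPLE_SBOM_NEXT = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "metadata": {"component": {"type": "library", "bom-ref": "oxi-core@0.1.0b1",
                             "name": "oxi-core", "version": "0.1.0b1",
                             "licenses": [{"license": {"name": "PLACEHOLDER-LICENSE"}}]}},
  "components": [
    {"type": "library", "bom-ref": "dep-a@1.2.0", "name": "dep-a", "version": "1.2.0"},
    {"type": "library", "bom-ref": "dep-b@1.0.0", "name": "dep-b", "version": "1.0.0"},
    {"type": "library", "bom-ref": "dep-c@2.0.0", "name": "dep-c", "version": "2.0.0"}
  ],
  "dependencies": [
    {"ref": "oxi-core@0.1.0b1", "dependsOn": ["dep-a@1.2.0", "dep-c@2.0.0"]},
    {"ref": "dep-a@1.2.0", "dependsOn": ["dep-b@1.0.0"]},
    {"ref": "dep-b@1.0.0", "dependsOn": []},
    {"ref": "dep-c@2.0.0", "dependsOn": []}
  ]
}""")

if __name__ == "__main__":
    root = SAMPLE_SBOM["metadata"]["component"]
    print("file:", expected_sbom_filename(root["name"], root["version"]))
    print("problems:", validate_sbom(SAMPLE_SBOM, "oxi-core"))
    print("graph:", sorted(transitive_dependencies(SAMPLE_SBOM, root["bom-ref"])))
    print("drift:", diff_sboms(SAMPLE_SBOM, SAMPLE_SBOM_NEXT))
```

To run it against a real artifact, replace the constructed documents with `json.load(open("dist/sbom-oxi-core-<version>.cdx.json"))`; because the release script emits reproducible output, the drift report between two tagged releases reflects only real dependency changes, not serialization noise.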

Install

pip install --pre oxi-core

Next

0.1.0a6 → 0.1.0b1 after the bandit/CodeQL SAST integration (T1-16) lands and the remaining T1 polish items close.