From 8392d366cb3a209aa3b034b853dda50c655c58ce Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 25 Apr 2026 10:46:48 +0000 Subject: [PATCH 01/12] Initial plan From e114a64f1843b8c39e3c95800e093948bc19cd8d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 25 Apr 2026 10:51:21 +0000 Subject: [PATCH 02/12] chore: add zizmor workflow for GitHub Actions security analysis Agent-Logs-Url: https://github.com/CycloneDX/cyclonedx-python-lib/sessions/f5512c78-6b6d-46ca-adf5-4cf6045187b0 Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> --- .github/workflows/zizmor.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..ae8667a6 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,36 @@ +# Analyzes all GitHub Actions workflows for security issues using zizmor. +# docs: https://docs.zizmor.sh/ +name: Workflow Security Analysis (zizmor) + +on: + pull_request: + paths: + - ".github/workflows/**" + schedule: + # Every Saturday at 00:00 UTC + - cron: "0 0 * * 6" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + zizmor: + name: zizmor + runs-on: ubuntu-latest + timeout-minutes: 10 + steps: + - name: Checkout + # see https://github.com/actions/checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - name: Run zizmor + # see https://github.com/zizmorcore/zizmor-action + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + with: + advanced-security: false + annotations: true From 51bc9a564ed249540d4d313b02bed112f609d665 Mon Sep 17 00:00:00 2001 
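Review bot: The `paths` filter on the `pull_request` trigger in the new `.github/workflows/zizmor.yml` covers only `.github/workflows/**`, so a change to zizmor's own configuration (as far as I recall it is read from `.github/zizmor.yml` or a top-level `zizmor.yml` when present) or to a composite action under `.github/actions/**` would not re-run the analysis even though both affect its findings. If either exists or is added later, extend the filter, e.g. `- ".github/workflows/**"`, `- ".github/actions/**"`, `- ".github/zizmor.yml"`. The rest of the job looks right for its purpose: `contents: read` only, both actions pinned to commit SHAs with version comments, and `persist-credentials: false` on the checkout.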
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 25 Apr 2026 10:55:24 +0000 Subject: [PATCH 03/12] chore: add comment explaining advanced-security: false in zizmor workflow Agent-Logs-Url: https://github.com/CycloneDX/cyclonedx-python-lib/sessions/b5733fc7-3e3a-4c62-a94c-54620cce9147 Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> --- .github/workflows/zizmor.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index ae8667a6..88b0acc0 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -32,5 +32,11 @@ jobs: # see https://github.com/zizmorcore/zizmor-action uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 with: + # false: emit findings as workflow-command annotations (::error file=…) rather than + # uploading a SARIF report to GitHub's Security tab. + # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS), + # both of which are unnecessary here and would violate the least-privilege policy. + # The two modes are mutually exclusive: advanced-security must be false for + # annotations to take effect. advanced-security: false annotations: true From 8ad0fd2c685f6178d4f4ddd5dfeb43588ee8f784 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Sat, 25 Apr 2026 13:02:12 +0200 Subject: [PATCH 04/12] Update .github/workflows/zizmor.yml Signed-off-by: Jan Kowalleck --- .github/workflows/zizmor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 88b0acc0..6e2a0ea8 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
@@ -32,7 +32,7 @@ jobs: # see https://github.com/zizmorcore/zizmor-action uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 with: - # false: emit findings as workflow-command annotations (::error file=…) rather than + # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than # uploading a SARIF report to GitHub's Security tab. # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS), # both of which are unnecessary here and would violate the least-privilege policy. From ab7f3b560e861d08a834834b3bdc8df2eef20486 Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Tue, 28 Apr 2026 15:56:42 +0200 Subject: [PATCH 05/12] [WIP] Add pre-commit hook for GitHub Actions compliance checking (#972) Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> --- .pre-commit-config.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 44a9bcc1..a6573d02 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -42,3 +42,7 @@ repos: entry: poetry run -- tox r -e bandit pass_filenames: false language: system + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.24.1 + hooks: + - id: zizmor From e064634384ecf02c08e6207da46c63a6b9999d0e Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Tue, 28 Apr 2026 16:05:16 +0200 Subject: [PATCH 06/12] Apply suggestion from @jkowalleck Signed-off-by: Jan Kowalleck --- .github/workflows/zizmor.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 6e2a0ea8..32589888 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml 
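Review bot: The new `zizmor` hook in `.pre-commit-config.yaml` is pinned by tag (`rev: v1.24.1`) while the workflows in this series pin actions to commit SHAs, so the local side trusts a mutable ref. pre-commit accepts a full commit SHA in `rev`, so `rev: <full-sha-of-v1.24.1>  # v1.24.1` (placeholder; take the SHA from the tag) would match the workflows' posture, at the cost of `pre-commit autoupdate` rewriting it back to a tag. Note also that this runs a different zizmor release than the `zizmor-action` pinned at `v0.5.3` in the workflow, so local and CI findings may diverge over time; if Dependabot is meant to keep both current, check that its config also covers the pre-commit ecosystem.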
@@ -6,6 +6,9 @@ on: pull_request: paths: - ".github/workflows/**" + push: + paths: + - ".github/workflows/**" schedule: # Every Saturday at 00:00 UTC - cron: "0 0 * * 6" From 0266714c6efb46a0d92c1cbb4b2904aa70f0151e Mon Sep 17 00:00:00 2001 From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Mon, 4 May 2026 14:04:07 +0200 Subject: [PATCH 07/12] fix: address all zizmor security findings in GitHub Actions workflows (#969) Signed-off-by: Jan Kowalleck Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> Co-authored-by: Jan Kowalleck Co-authored-by: cyclonedx-releases[bot] <275040549+cyclonedx-releases[bot]@users.noreply.github.com> --- .github/dependabot.yml | 4 ++++ .github/workflows/python.yml | 14 ++++++++++++++ .github/workflows/release.yml | 14 ++++++++++---- CHANGELOG.md | 22 ++++++++++++++++++++++ cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 12 ++++++------ 7 files changed, 58 insertions(+), 12 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 423d4b3f..e91d6109 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,6 +7,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 allow: - dependency-type: 'all' versioning-strategy: 'auto' @@ -21,6 +23,8 @@ updates: schedule: interval: 'weekly' day: 'saturday' + cooldown: + default-days: 7 labels: [ 'dependencies' ] commit-message: ## prefix maximum string length of 15 diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index 46e29b82..c32a4c52 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml 
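Review bot: The new `push` trigger in `zizmor.yml` has a `paths` filter but no `branches` filter, so a push to any branch of this repository runs the job, and a PR opened from an in-repo branch runs it twice (once for `push`, once for `pull_request`; the `concurrency` group keys on `github.ref`, which differs between the two events, so it does not deduplicate them). If the intent is to catch what lands on the default branch, restrict it, e.g. `push:` / `branches: ["<default-branch>"]` (placeholder) / `paths:` as already written. With `contents: read` the extra runs cost only CI minutes, so this is a tidiness point rather than a risk. The `on:` block continues outside the hunk.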
@@ -34,6 +34,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -58,6 +60,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -82,6 +86,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -106,6 +112,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -142,6 +150,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -192,6 +202,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Create reports directory run: mkdir ${{ env.REPORTS_DIR }} - name: Setup Python Environment 
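Review bot: In the `@@ -192,6 +202,8 @@` hunk of `python.yml` the context line `run: mkdir ${{ env.REPORTS_DIR }}` still expands a template expression directly into the shell script, the same pattern this patch removes from `release.yml` by moving the expression into `env:`. `REPORTS_DIR` is defined outside the hunk, so if it is a static literal this is harmless today, but since workflow `env` values are exported to the step's shell, `run: mkdir "$REPORTS_DIR"` is equivalent and keeps the script free of template expansion. The `persist-credentials: false` additions across the `python.yml` hunks look right; confirm that no later step in those jobs relies on the checkout's stored token for git operations, since those steps are not visible here.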
@@ -270,6 +282,8 @@ jobs: - name: Checkout # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6215ce44..52f265cc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -49,6 +49,8 @@ jobs: - name: Checkout code # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 @@ -71,6 +73,8 @@ jobs: - name: Checkout code # see https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 
@@ -106,18 +110,19 @@ jobs: - name: Generate GitHub App Token id: release-bot-token # see https://github.com/actions/create-github-app-token - uses: actions/create-github-app-token@v3 + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3 with: # see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases app-id: 3335294 private-key: ${{ secrets.CDX_RELEASE_BOT_PRIVATE_KEY }} - name: Get GitHub App User ID id: release-bot-user-id - run: | - set -xeu - echo "user-id=$(gh api "/users/${{ steps.release-bot-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" env: + APP_SLUG: ${{ steps.release-bot-token.outputs.app-slug }} GH_TOKEN: ${{ steps.release-bot-token.outputs.token }} + run: | + set -xeu + echo "user-id=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" - name: Checkout code # see https://github.com/actions/checkout @@ -125,6 +130,7 @@ jobs: with: fetch-depth: 0 token: ${{ steps.release-bot-token.outputs.token }} + persist-credentials: false - name: Setup python # see https://github.com/actions/setup-python diff --git a/CHANGELOG.md b/CHANGELOG.md index 86d6a872..0e19c498 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
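Review bot: The `@@ -125,6 +130,7 @@` hunk of `release.yml` adds `persist-credentials: false` to a checkout that also passes `token: ${{ steps.release-bot-token.outputs.token }}` and `fetch-depth: 0`, which is the shape of a checkout whose later steps commit, tag and push; with the credential not persisted, a subsequent `git push` by the release tooling would run unauthenticated unless the token is handed to it separately. The `CHANGELOG.md` hunk in this same patch records both "Add persist-credentials: false to release job checkout" and "Revert persist-credentials in release checkout (untested combination)", so the state here appears to be the one flagged as untested. Either verify the release job's push path with this setting, or keep `persist-credentials: false` and pass the token explicitly to the step that pushes. The job's step list continues outside the hunk.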
@@ -2,6 +2,28 @@ +## v11.7.1-alpha.1 (2026-05-04) + +### Bug Fixes + +- Add persist-credentials: false to release job checkout + ([`1a8dae3`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/1a8dae399dd97c4829cdd04657b4b7de005ae118)) + +- Address all zizmor security findings in GitHub Actions workflows + ([`5b2cb0b`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/5b2cb0ba371d402ece0f87ba89d925cb4d42ae5e)) + +- Pin actions/create-github-app-token to commit hash + ([`f959774`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/f959774e7308966fab7fbde8f50851ea267a9c0f)) + +- Revert persist-credentials in release checkout (untested combination) + ([`1a42e8e`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/1a42e8ead629c9fedf9e389a1226fee87299af1b)) + +### Documentation + +- Update CDX summary ([#951](https://github.com/CycloneDX/cyclonedx-python-lib/pull/951), + [`752b162`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/752b1620a23e319add81c505fe7197a2ae3cca06)) + + ## v11.7.0 (2026-03-17) ### Documentation diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index ff9bd20b..4c9c9ca9 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "11.7.0" # noqa:Q000 +__version__ = "11.7.1-alpha.1" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index 31daedd8..8fe009c1 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '11.7.0' +release = '11.7.1-alpha.1' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index 532b1e6c..33f62cba 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "11.7.0" +version = "11.7.1-alpha.1" description = "Python library for CycloneDX" authors = [ "Paul Horton ", @@ -146,15 +146,15 @@ exclude_commit_patterns = [ match = "(main|master)" prerelease = false -[tool.semantic_release.branches."step"] -match = "(build|chore|ci|docs|feat|fix|perf|style|refactor|tests?)" -prerelease = true -prerelease_token = "alpha" - [tool.semantic_release.branches."major-dev"] match = "(\\d+\\.0\\.0-(dev|rc)|dev/\\d+\\.0\\.0)" prerelease = true prerelease_token = "rc" +[tool.semantic_release.branches.fallback] +match = ".*" +prerelease = true +prerelease_token = "alpha" + [tool.deptry] extend_exclude = ["docs", "examples", "package_aliases", "tools"] From 3fbec6b50db7825f6ee5f155ddab455cdf83ac04 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 4 May 2026 14:05:00 +0200 Subject: [PATCH 08/12] chore: rollback rc history Signed-off-by: Jan Kowalleck --- CHANGELOG.md | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0e19c498..86d6a872 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
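Review bot: The new `[tool.semantic_release.branches.fallback]` group uses `match = ".*"`, which also matches `main`/`master` and the `major-dev` patterns, so the release branch is only kept out of `alpha` prereleases if python-semantic-release resolves groups in definition order (I believe it does, but confirm against the installed version). Making that dependency explicit with a comment above the group, e.g. `# evaluated last: only branches not matched by the groups above`, or using a pattern that excludes the release branches, would prevent a silent regression if the sections are ever reordered. Compared with the removed `step` group, `.*` also means any branch name at all yields an alpha prerelease when a release run is triggered from it, which is presumably intended but worth stating.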
@@ -2,28 +2,6 @@ -## v11.7.1-alpha.1 (2026-05-04) - -### Bug Fixes - -- Add persist-credentials: false to release job checkout - ([`1a8dae3`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/1a8dae399dd97c4829cdd04657b4b7de005ae118)) - -- Address all zizmor security findings in GitHub Actions workflows - ([`5b2cb0b`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/5b2cb0ba371d402ece0f87ba89d925cb4d42ae5e)) - -- Pin actions/create-github-app-token to commit hash - ([`f959774`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/f959774e7308966fab7fbde8f50851ea267a9c0f)) - -- Revert persist-credentials in release checkout (untested combination) - ([`1a42e8e`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/1a42e8ead629c9fedf9e389a1226fee87299af1b)) - -### Documentation - -- Update CDX summary ([#951](https://github.com/CycloneDX/cyclonedx-python-lib/pull/951), - [`752b162`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/752b1620a23e319add81c505fe7197a2ae3cca06)) - - ## v11.7.0 (2026-03-17) ### Documentation From b5fb42e6d2dbef90a73d0b2bfe35a28fdf1ec588 Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 4 May 2026 14:14:02 +0200 Subject: [PATCH 09/12] build: fine-tune permissions Signed-off-by: Jan Kowalleck --- .github/workflows/release.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 52f265cc..22b6da1e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -113,16 +113,17 @@ jobs: uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3 with: # see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases - app-id: 3335294 + client-id: 3335294 private-key: ${{ secrets.CDX_RELEASE_BOT_PRIVATE_KEY }} + # for `permission-*` see `permissions` above + permission-id-token: write + permission-contents: write - name: Get GitHub App User ID id: release-bot-user-id env: APP_SLUG: ${{ steps.release-bot-token.outputs.app-slug }} GH_TOKEN: ${{ steps.release-bot-token.outputs.token }} - run: | - set -xeu - echo "user-id=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" + run: echo "user-id=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT" - name: Checkout code # see https://github.com/actions/checkout From 00b23a2f9d1f73d7ef698c04819ba90f089b2f7a Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 4 May 2026 14:26:57 +0200 Subject: [PATCH 10/12] build: fine-tune permissions Signed-off-by: Jan Kowalleck --- .github/workflows/release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 22b6da1e..9fc60639 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -116,7 +116,6 @@ jobs: client-id: 3335294 private-key: ${{ secrets.CDX_RELEASE_BOT_PRIVATE_KEY }} # for `permission-*` see `permissions` above - permission-id-token: write permission-contents: write - name: Get GitHub App User ID id: release-bot-user-id From 19de817eebec37af091ebc7838bbc673677fe9d9 Mon Sep 17 00:00:00 2001 
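Review bot: The collapsed `run: echo "user-id=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"` still succeeds when `gh api` fails, because the step's exit status is that of `echo`, not of the command substitution, so a failed lookup silently writes an empty `user-id` for later steps to consume; this was already true under `set -xeu` and is not fixed by dropping it. Assigning first lets the default `bash -e` shell propagate the failure: `id="$(gh api "/users/${APP_SLUG}[bot]" --jq .id)"` followed by `echo "user-id=${id}" >> "$GITHUB_OUTPUT"`. Renaming `app-id` to `client-id` keeps the numeric App ID `3335294` as the value; as far as I know the action accepts either identifier there, but confirm, and quoting it (`client-id: "3335294"`) avoids number-looking-ID surprises in YAML tooling. The `permission-contents: write` narrowing of the app token is a good least-privilege step.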
From: "cyclonedx-releases[bot]" <275040549+cyclonedx-releases[bot]@users.noreply.github.com> Date: Mon, 4 May 2026 12:30:26 +0000 Subject: [PATCH 11/12] chore(release): 11.7.1-alpha.2 Automatically generated by python-semantic-release --- CHANGELOG.md | 22 ++++++++++++++++++++++ cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 25 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 86d6a872..3df07f71 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,28 @@ +## v11.7.1-alpha.2 (2026-05-04) + +### Bug Fixes + +- Address all zizmor security findings in GitHub Actions workflows + ([#969](https://github.com/CycloneDX/cyclonedx-python-lib/pull/969), + [`0266714`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/0266714c6efb46a0d92c1cbb4b2904aa70f0151e)) + +### Build System + +- Fine-tune permissions + ([`00b23a2`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/00b23a2f9d1f73d7ef698c04819ba90f089b2f7a)) + +- Fine-tune permissions + ([`b5fb42e`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/b5fb42e6d2dbef90a73d0b2bfe35a28fdf1ec588)) + +### Documentation + +- Update CDX summary ([#951](https://github.com/CycloneDX/cyclonedx-python-lib/pull/951), + [`752b162`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/752b1620a23e319add81c505fe7197a2ae3cca06)) + + ## v11.7.0 (2026-03-17) ### Documentation diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index 4c9c9ca9..4ab7405d 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "11.7.1-alpha.1" # noqa:Q000 +__version__ = "11.7.1-alpha.2" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index 8fe009c1..906825f1 100644 --- a/docs/conf.py +++ b/docs/conf.py 
@@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '11.7.1-alpha.1' +release = '11.7.1-alpha.2' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index 33f62cba..b567b7ab 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "11.7.1-alpha.1" +version = "11.7.1-alpha.2" description = "Python library for CycloneDX" authors = [ "Paul Horton ", From 8b0aa65f4646abf2093e033f58e9a3c29b2863dc Mon Sep 17 00:00:00 2001 From: Jan Kowalleck Date: Mon, 4 May 2026 14:35:32 +0200 Subject: [PATCH 12/12] chore: rollback alpha version bumps Signed-off-by: Jan Kowalleck --- CHANGELOG.md | 22 ---------------------- cyclonedx/__init__.py | 2 +- docs/conf.py | 2 +- pyproject.toml | 2 +- 4 files changed, 3 insertions(+), 25 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3df07f71..86d6a872 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,28 +2,6 @@ -## v11.7.1-alpha.2 (2026-05-04) - -### Bug Fixes - -- Address all zizmor security findings in GitHub Actions workflows - ([#969](https://github.com/CycloneDX/cyclonedx-python-lib/pull/969), - [`0266714`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/0266714c6efb46a0d92c1cbb4b2904aa70f0151e)) - -### Build System - -- Fine-tune permissions - ([`00b23a2`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/00b23a2f9d1f73d7ef698c04819ba90f089b2f7a)) - -- Fine-tune permissions - ([`b5fb42e`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/b5fb42e6d2dbef90a73d0b2bfe35a28fdf1ec588)) - -### Documentation - -- Update CDX summary ([#951](https://github.com/CycloneDX/cyclonedx-python-lib/pull/951), - [`752b162`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/752b1620a23e319add81c505fe7197a2ae3cca06)) - - ## v11.7.0 (2026-03-17) ### Documentation diff --git a/cyclonedx/__init__.py b/cyclonedx/__init__.py index 4ab7405d..ff9bd20b 100644 --- a/cyclonedx/__init__.py +++ b/cyclonedx/__init__.py @@ -22,4 +22,4 @@ # !! version is managed by semantic_release # do not use typing here, or else `semantic_release` might have issues finding the variable -__version__ = "11.7.1-alpha.2" # noqa:Q000 +__version__ = "11.7.0" # noqa:Q000 diff --git a/docs/conf.py b/docs/conf.py index 906825f1..31daedd8 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -23,7 +23,7 @@ # The full version, including alpha/beta/rc tags # !! version is managed by semantic_release -release = '11.7.1-alpha.2' +release = '11.7.0' # -- General configuration --------------------------------------------------- diff --git a/pyproject.toml b/pyproject.toml index b567b7ab..13862476 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api" [tool.poetry] name = "cyclonedx-python-lib" # !! version is managed by semantic_release -version = "11.7.1-alpha.2" +version = "11.7.0" description = "Python library for CycloneDX" authors = [ "Paul Horton ",