%python_wheel_inject_sbom: Don't accidentally alter nested .dist-infos

In python-setuptools-wheel, the macro was confused by setuptools/_vendor/autocommand-2.2.2.dist-info/RECORD (or other vendored RECORDs)
2025-08-29 13:46:23 +02:00 · 2025-08-29 13:46:23 +02:00 · 47de23b3c0
commit 47de23b3c0
parent 7d4cb5437d
3 changed files with 19 additions and 2 deletions
--- a/macros.python-wheel-sbom
+++ b/macros.python-wheel-sbom
@ -93,7 +93,7 @@
        whl="$pwd0/$whl"
    fi

-    record=$(zipinfo -1 "$whl" | grep '\.dist-info/RECORD$')
+    record=$(zipinfo -1 "$whl" | grep -E '^[^/]+-[^/]+\.dist-info/RECORD$')
    distinfo="${record%%/RECORD}"
    bom="$distinfo/sboms/%{__python_wheel_sbom_filename}"

--- a/python-rpm-macros.spec
+++ b/python-rpm-macros.spec
@ -56,7 +56,7 @@ elseif posix.stat('macros.python-srpm') then
 end
 }
 Version:        %{__default_python3_version}
-Release:        6%{?dist}
+Release:        7%{?dist}

 BuildArch:      noarch

@ -169,6 +169,9 @@ grep -E '^#[^%%]*%%[^%%]' %{buildroot}%{rpmmacrodir}/macros.* && exit 1 || true


 %changelog
+* Fri Aug 29 2025 Miro Hrončok <mhroncok@redhat.com> - 3.14-7
+- %%python_wheel_inject_sbom: Don't accidentally alter nested .dist-infos
+
 * Wed Aug 13 2025 Miro Hrončok <mhroncok@redhat.com> - 3.14-6
 - Introduce %%python_wheel_inject_sbom

--- a/tests/testwheel.spec
+++ b/tests/testwheel.spec
@ -23,7 +23,18 @@ version = "1"
 [build-system]
 requires = ["setuptools >= 61"]
 build-backend = "setuptools.build_meta"
+
+[tool.setuptools]
+include-package-data = true
+
+[tool.setuptools.packages.find]
+include = ["testwheel*"]
 EOF
+# create a secondary dist-info folder in the project
+# we need to ensure this file is not altered
+mkdir -p testwheel/_vendor/dependency-2.2.2.dist-info
+touch testwheel/_vendor/dependency-2.2.2.dist-info/RECORD
+echo 'recursive-include testwheel/_vendor *' > MANIFEST.in


 %build
@ -70,6 +81,9 @@ grep '^testwheel-1.dist-info/sboms/bom.json,' %{venvsite}/testwheel-1.dist-info/
 # a more specific grep. we don't care about CRLF line ends (pip uses those? without the sed the $ doesn't match line end)
 sed 's/\r//g' %{venvsite}/testwheel-1.dist-info/RECORD | grep -E '^testwheel-1.dist-info/sboms/bom.json,sha256=[a-f0-9]{64},[0-9]+$'

+test -f %{venvsite}/testwheel/_vendor/dependency-2.2.2.dist-info/RECORD
+test -f %{venvsite}/testwheel/_vendor/dependency-2.2.2.dist-info/sboms/bom.json && exit 1 || true
+
 # this deliberately uses a different mechanism than the macro
 # if you are running this test on a different distro, adjust it
 %define ns %{?fedora:fedora}%{?eln:fedora}%{?epel:epel}%{!?eln:%{!?epel:%{?rhel:redhat}}}