
fix(ci): reset failed v0.3.7 release and fix syft SBOM scan#593

Merged
Aureliolo merged 2 commits into main from chore/reset-release-fix-syft
Mar 19, 2026

Conversation

@Aureliolo
Owner

@Aureliolo Aureliolo commented Mar 19, 2026

Summary

Two issues caused the v0.3.7 CLI release to fail:

  1. GoReleaser LICENSE path -- fixed in fix(cli): auto-delete binary on Windows, prune images, fix GoReleaser #590 (already merged)
  2. Syft SBOM scan -- syft tried to auto-detect .tar.gz/.zip archives as container images and failed. Fix: prefix $artifact with file: scheme so syft knows to scan as a local file archive

This PR:

  • Reverts the Release Please v0.3.7 commit (2e8e633) to reset version back to 0.3.6
  • Fixes the syft scan command in .goreleaser.yml
  • v0.3.7 draft release and tag already deleted

After merge, Release Please will auto-create a new 0.3.7 release PR with both fixes in place.

Changes

  • .github/.release-please-manifest.json: 0.3.7 -> 0.3.6
  • .github/CHANGELOG.md: remove 0.3.7 entry
  • pyproject.toml: 0.3.7 -> 0.3.6
  • src/synthorg/__init__.py: 0.3.7 -> 0.3.6
  • cli/.goreleaser.yml: scan $artifact -> scan file:$artifact

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Revert

    • Version reverted to 0.3.6; release notes for version 0.3.7 removed.
  • Chores

    • Updated build configuration for artifact processing in release pipeline.
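A small lint for the configuration pitfall this PR fixes, added here as an example and not part of the repository's own tooling: it finds GoReleaser `sboms:` entries that hand syft a bare `$artifact` with no source scheme (the form that triggered auto-detection) and rewrites them to `file:$artifact`. The YAML sample is constructed, and the parser assumes the flow-style `args: [...]` form shown in the diff on this page.

```python
"""Lint GoReleaser `sboms:` entries for the syft source-auto-detect pitfall from PR #593.

Constructed example, not the project's own tooling. It assumes each entry uses the
flow-style `args: [...]` list shown in the PR diff, so it needs no YAML library.
"""
import re

# Constructed sample, not the real cli/.goreleaser.yml. Entry 1 is the form that made
# syft guess the .tar.gz/.zip archive was a container image; entry 2 is the fixed form.
SAMPLE_GORELEASER_YML = """\
sboms:
  - artifacts: archive
    cmd: syft
    args: ["scan", "$artifact", "--output", "cyclonedx-json=$document"]
  - artifacts: archive
    cmd: syft
    args: ["scan", "file:$artifact", "--output", "cyclonedx-json=$document"]
"""

# Source schemes that make syft's input type explicit instead of auto-detected.
EXPLICIT_SCHEMES = ("file:", "dir:", "oci-archive:", "docker-archive:")

ARGS_RE = re.compile(r"^\s*args:\s*\[(.*)\]\s*$", re.MULTILINE)


def parse_args_lists(yml_text):
    """Return every flow-style `args:` list as a list of unquoted strings."""
    lists = []
    for match in ARGS_RE.finditer(yml_text):
        items = [s.strip().strip("\"'") for s in match.group(1).split(",")]
        lists.append([s for s in items if s])
    return lists


def find_unscoped_artifacts(yml_text):
    """1-based indexes of sbom entries whose $artifact carries no explicit scheme."""
    bad = []
    for idx, args in enumerate(parse_args_lists(yml_text), start=1):
        if any("$artifact" in a and not a.startswith(EXPLICIT_SCHEMES) for a in args):
            bad.append(idx)
    return bad


def add_file_scheme(yml_text):
    """Rewrite a bare "$artifact" argument to "file:$artifact"; prefixed refs are untouched."""
    return re.sub(r'"\$artifact"', '"file:$artifact"', yml_text)


if __name__ == "__main__":
    print("entries without a source scheme:", find_unscoped_artifacts(SAMPLE_GORELEASER_YML))
    print("after fix:", find_unscoped_artifacts(add_file_scheme(SAMPLE_GORELEASER_YML)))
```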

Aureliolo and others added 2 commits March 19, 2026 15:34
Syft tried to auto-detect the archive format and failed because it
attempted to treat .tar.gz/.zip as container images. The file: scheme
prefix tells syft to scan the archive as a local file.

Also reverts the Release Please v0.3.7 commit (2e8e633) since the
CLI workflow failed on the syft error. Tag and release deleted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@coderabbitai

coderabbitai bot commented Mar 19, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: c1da9597-401f-4e84-a047-66aaf2d315b4

📥 Commits

Reviewing files that changed from the base of the PR and between 2e8e633 and aa62d0f.

📒 Files selected for processing (5)
  • .github/.release-please-manifest.json
  • .github/CHANGELOG.md
  • cli/.goreleaser.yml
  • pyproject.toml
  • src/synthorg/__init__.py

Walkthrough

This change rolls back the project version from 0.3.7 to 0.3.6 across multiple files, including the release manifest, Commitizen configuration, and the package's version constant. The entire 0.3.7 release section is removed from the changelog. Additionally, the GoReleaser SBOM generation configuration is updated to use the file: prefix when specifying artifact paths to the syft command.

Suggested labels

autorelease: tagged


@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses and rectifies issues that led to the failure of the v0.3.7 CLI release. It systematically rolls back the version to 0.3.6 and implements a crucial correction in the SBOM generation process, ensuring that future releases can proceed without encountering the same obstacles. The changes prepare the repository for a successful re-release of version 0.3.7 with the necessary fixes in place.

Highlights

  • Release Reversion: The pull request reverts the failed v0.3.7 release by resetting version numbers across various configuration and source files back to 0.3.6. This includes updating .release-please-manifest.json, CHANGELOG.md, pyproject.toml, and src/synthorg/__init__.py.
  • Syft SBOM Scan Fix: The Syft SBOM scan command in .goreleaser.yml was fixed. Previously, Syft incorrectly attempted to auto-detect .tar.gz/.zip archives as container images, causing the scan to fail. The fix involves prefixing the artifact path with file: to explicitly instruct Syft to scan it as a local file archive.

@Aureliolo Aureliolo merged commit d1508c2 into main Mar 19, 2026
38 of 40 checks passed
@Aureliolo Aureliolo deleted the chore/reset-release-fix-syft branch March 19, 2026 14:38
@Aureliolo Aureliolo temporarily deployed to cloudflare-preview March 19, 2026 14:38 — with GitHub Actions Inactive

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request correctly reverts the project version to reset a failed release and fixes the syft SBOM generation in the CI pipeline. The change to prefix the artifact path with file: is the right solution for the described problem. I have one suggestion to use the non-deprecated syft command to improve future compatibility.

- artifacts: archive
cmd: syft
args: ["scan", "$artifact", "--output", "cyclonedx-json=$document"]
args: ["scan", "file:$artifact", "--output", "cyclonedx-json=$document"]
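Review bot: the new args line forces the `file:` source scheme on `$artifact`, which addresses the auto-detect failure described in the PR, but nothing in this hunk exercises the corrected command before a real tag is cut, and the later Release Please commit referenced on this page (#595, "remove CLI SBOM generation, reset failed v0.3.7") indicates the release still failed afterwards. Suggest adding a CI step that runs the GoReleaser SBOM stage against a locally built archive (a snapshot build is enough) so a syft regression fails the PR rather than the release, and settling the `scan` versus `packages` question by checking the pinned syft version's own `--help` output, since which of the two is the deprecated alias depends on the syft version in use.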


medium

The syft scan command is deprecated and will be removed in a future version. It's recommended to use syft packages instead to ensure future compatibility of the CI pipeline.

    args: ["packages", "file:$artifact", "--output", "cyclonedx-json=$document"]

Aureliolo added a commit that referenced this pull request Mar 19, 2026
🤖 I have created a release *beep* *boop*
---

## [0.3.7](v0.3.6...v0.3.7) (2026-03-19)

### Features

* **engine:** implement Hybrid Plan + ReAct execution loop ([#582](#582)) ([008147c](008147c))
* implement first-run setup wizard ([#584](#584)) ([dfed931](dfed931))

### Bug Fixes

* **api:** address ZAP DAST scan findings ([#579](#579)) ([ce9a3e0](ce9a3e0))
* **ci:** reset failed v0.3.7 release and fix syft SBOM scan ([#593](#593)) ([d1508c2](d1508c2))
* **cli:** auto-delete binary on Windows, prune images, fix GoReleaser ([#590](#590)) ([eb7c691](eb7c691))
* **cli:** regenerate compose and re-exec binary on update ([#576](#576)) ([3f226eb](3f226eb))

### CI/CD

* add SBOM generation to Docker and CLI releases ([#580](#580)) ([db459cf](db459cf))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
@codecov

codecov bot commented Mar 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.46%. Comparing base (2e8e633) to head (aa62d0f).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #593   +/-   ##
=======================================
  Coverage   92.46%   92.46%           
=======================================
  Files         551      551           
  Lines       27681    27681           
  Branches     2678     2678           
=======================================
  Hits        25595    25595           
  Misses       1634     1634           
  Partials      452      452           


Aureliolo added a commit that referenced this pull request Mar 19, 2026
🤖 I have created a release *beep* *boop*
---

## [0.3.7](v0.3.6...v0.3.7) (2026-03-19)

### Features

* **engine:** implement Hybrid Plan + ReAct execution loop ([#582](#582)) ([008147c](008147c))
* implement first-run setup wizard ([#584](#584)) ([dfed931](dfed931))

### Bug Fixes

* **api:** address ZAP DAST scan findings ([#579](#579)) ([ce9a3e0](ce9a3e0))
* **ci:** remove CLI SBOM generation, reset failed v0.3.7 ([#595](#595)) ([d0f4992](d0f4992))
* **ci:** reset failed v0.3.7 release and fix syft SBOM scan ([#593](#593)) ([d1508c2](d1508c2))
* **cli:** auto-delete binary on Windows, prune images, fix GoReleaser ([#590](#590)) ([eb7c691](eb7c691))
* **cli:** regenerate compose and re-exec binary on update ([#576](#576)) ([3f226eb](3f226eb))

### CI/CD

* add SBOM generation to Docker and CLI releases ([#580](#580)) ([db459cf](db459cf))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).