
fix(ci): remove CLI SBOM generation, reset failed v0.3.7#595

Merged
Aureliolo merged 2 commits intomainfrom
fix/remove-cli-sbom-reset-release
Mar 19, 2026

Conversation

@Aureliolo (Owner) commented Mar 19, 2026

Summary

Syft cannot scan Go binary archives (.tar.gz/.zip) -- it tries to interpret them as container images and fails. Since CLI binaries are statically linked with CGO_ENABLED=0, there are no runtime dependencies to catalog. Docker image SBOMs (generated by the Docker workflow via syft on actual container images) remain unchanged.

This is the third v0.3.7 release attempt. Previous failures:

  1. GoReleaser ../LICENSE path resolution (fixed in fix(cli): auto-delete binary on Windows, prune images, fix GoReleaser #590)
  2. Syft file:$artifact still failed on archive auto-detection (this PR removes it)

Changes

  • cli/.goreleaser.yml: Remove sboms: stanza entirely
  • .github/workflows/cli.yml: Remove *.cdx.json from upload glob, remove CLI_SBOM_DATA HTML comment block
  • .github/workflows/finalize-release.yml: Remove CLI_SBOM extraction, simplify SBOM rendering to container-only
  • CLAUDE.md: Remove CLI SBOM references from CI documentation
  • Reverts Release Please v0.3.7 commit, tag + release already deleted

Test plan

  • All pre-commit and pre-push hooks pass
  • GoReleaser config validates (no sboms stanza)
  • Next v0.3.7 release: GoReleaser should complete without syft errors

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Revert
    • Version rolled back from 0.3.7 to 0.3.6
    • SBOM artifacts removed from release packages

Aureliolo and others added 2 commits March 19, 2026 15:48
Syft cannot scan Go binary archives (.tar.gz/.zip) -- it tries to
interpret them as container images and fails. Since CLI binaries are
statically linked with CGO_ENABLED=0, there are no runtime deps to
catalog. Docker image SBOMs (generated by the Docker workflow via
syft on actual container images) remain unchanged.

Removed:
- GoReleaser sboms stanza in .goreleaser.yml
- CLI SBOM upload in cli.yml release step
- CLI_SBOM_DATA HTML comment in cli.yml release notes
- CLI SBOM extraction in finalize-release.yml
- CLI SBOM references in CLAUDE.md

Also reverts Release Please v0.3.7 commit (139dfc1). Tag and draft
release deleted.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions (Contributor)

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@coderabbitai bot commented Mar 19, 2026

Caution: Review failed. The pull request is closed.

Recent review info. Configuration used: Repository UI (base), Organization UI (inherited). Review profile: ASSERTIVE. Plan: Pro. Run ID: b1c81aa8-4487-4c44-bdbd-d98f24276a9d

📥 Commits

Reviewing files that changed from the base of the PR and between 139dfc1 and 4830fd4.

📒 Files selected for processing (8)
  • .github/.release-please-manifest.json
  • .github/CHANGELOG.md
  • .github/workflows/cli.yml
  • .github/workflows/finalize-release.yml
  • CLAUDE.md
  • cli/.goreleaser.yml
  • pyproject.toml
  • src/synthorg/__init__.py

Walkthrough

This PR reverts the version number from 0.3.7 to 0.3.6 across configuration and source files, including the release manifest, project version metadata, and commitment configuration. Simultaneously, SBOM (Software Bill of Materials) generation and distribution are removed from the CLI release process by eliminating the sboms section from GoReleaser configuration, removing SBOM artifact uploads from release workflows, and deleting SBOM data extraction and processing logic. Documentation is updated to reflect these removals, and the changelog entry for 0.3.7 is deleted.

Suggested labels

autorelease: tagged


@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses persistent issues with the 0.3.7 release process by removing the problematic CLI Software Bill of Materials (SBOM) generation step, which was failing due to Syft's inability to scan Go binary archives. The changes also involve reverting the project's version to 0.3.6 to allow for a fresh and successful 0.3.7 release attempt, ensuring that the CI/CD pipeline is robust and accurate for future deployments.

Highlights

  • CLI SBOM Generation Removed: Eliminated the generation of Software Bill of Materials (SBOMs) for CLI binaries using Syft in the CI pipeline, as Syft was unable to correctly process Go binary archives.
  • Release Version Reset: Reverted the project version from 0.3.7 back to 0.3.6 across configuration and source files to facilitate a clean re-attempt of the 0.3.7 release following previous failures.
  • CI Workflow Updates: Modified GitHub Actions workflows (cli.yml, finalize-release.yml) to remove references to CLI SBOM generation and streamline the release finalization process to focus primarily on container SBOMs.
  • Documentation Alignment: Updated the CLAUDE.md documentation to reflect the removal of CLI SBOM generation from the CI process.
Ignored Files
  • Ignored by pattern: .github/workflows/** (2)
    • .github/workflows/cli.yml
    • .github/workflows/finalize-release.yml

@Aureliolo Aureliolo merged commit d0f4992 into main Mar 19, 2026
39 of 41 checks passed
@Aureliolo Aureliolo deleted the fix/remove-cli-sbom-reset-release branch March 19, 2026 14:57
@Aureliolo Aureliolo temporarily deployed to cloudflare-preview March 19, 2026 14:57 — with GitHub Actions Inactive
Aureliolo added a commit that referenced this pull request Mar 19, 2026
🤖 I have created a release *beep* *boop*
---

## [0.3.7](v0.3.6...v0.3.7) (2026-03-19)

### Features

* **engine:** implement Hybrid Plan + ReAct execution loop ([#582](#582)) ([008147c](008147c))
* implement first-run setup wizard ([#584](#584)) ([dfed931](dfed931))

### Bug Fixes

* **api:** address ZAP DAST scan findings ([#579](#579)) ([ce9a3e0](ce9a3e0))
* **ci:** remove CLI SBOM generation, reset failed v0.3.7 ([#595](#595)) ([d0f4992](d0f4992))
* **ci:** reset failed v0.3.7 release and fix syft SBOM scan ([#593](#593)) ([d1508c2](d1508c2))
* **cli:** auto-delete binary on Windows, prune images, fix GoReleaser ([#590](#590)) ([eb7c691](eb7c691))
* **cli:** regenerate compose and re-exec binary on update ([#576](#576)) ([3f226eb](3f226eb))

### CI/CD

* add SBOM generation to Docker and CLI releases ([#580](#580)) ([db459cf](db459cf))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
@codecov bot commented Mar 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.46%. Comparing base (139dfc1) to head (4830fd4).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #595   +/-   ##
=======================================
  Coverage   92.46%   92.46%           
=======================================
  Files         551      551           
  Lines       27681    27681           
  Branches     2678     2678           
=======================================
  Hits        25595    25595           
  Misses       1634     1634           
  Partials      452      452           


@gemini-code-assist bot (Contributor) left a review comment

Code Review

This pull request addresses a failing CI release process by removing the problematic SBOM generation for CLI binaries. The changes include removing the sboms configuration from .goreleaser.yml, updating the CI documentation in CLAUDE.md to reflect this, and resetting the project version from 0.3.7 back to 0.3.6 across multiple files to allow for a clean release attempt. The changes are consistent and directly address the issue described.
