Yocto pipeline: error handling, gzip uploads, visibility flag #169
vpetersson merged 6 commits into master from
Detect 403 "maximum components" errors and stop the Yocto pipeline immediately instead of repeating the same error for every remaining package. Also make the upload timeout configurable via SBOMIFY_UPLOAD_TIMEOUT env var for large SBOM files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Payloads over 1MB are automatically gzip-compressed before upload, with Content-Encoding: gzip header. A 50MB SPDX 3 file compresses to ~2MB, avoiding Cloudflare 524 upstream timeouts. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Creates components then PATCHes visibility (public/private/gated) since the create endpoint doesn't accept visibility directly. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Limits SPDX 2.2 package processing to N packages. Hidden from help output, intended for testing against staging environments with component limits. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
This PR enhances the Yocto pipeline with improved error handling, performance optimizations, and new configuration options. The changes focus on making the pipeline more resilient to plan limits, reducing upload timeouts through compression, and providing better control over component visibility.
Changes:
- Added `PlanLimitError` exception to detect and handle plan limit errors (403 with "maximum" in detail), enabling early pipeline termination instead of repeating errors thousands of times
- Implemented automatic gzip compression for uploads over 1MB to avoid Cloudflare timeouts, reducing a 50MB SPDX 3 file to ~2MB
- Added `--visibility` CLI flag to set component visibility (public/private/gated) via PATCH after creation
- Added hidden `--max-packages` flag for debugging/testing to limit SPDX 2.2 package processing
- Made upload timeout configurable via `SBOMIFY_UPLOAD_TIMEOUT` environment variable
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| sbomify_action/exceptions.py | Added PlanLimitError exception class extending APIError |
| sbomify_action/_yocto/api.py | Added plan limit detection in create_component, new patch_component_visibility function |
| sbomify_action/_yocto/pipeline.py | Added plan limit early-stop logic, visibility patching for new components, max-packages limiting |
| sbomify_action/_yocto/models.py | Added visibility and max_packages fields to YoctoConfig |
| sbomify_action/cli/main.py | Added --visibility and --max-packages CLI options to yocto command |
| sbomify_action/_upload/destinations/sbomify.py | Changed file reading to binary mode, added gzip compression for large files, configurable timeout |
| tests/test_yocto_api.py | Added tests for plan limit error detection and 403 error handling |
| tests/test_yocto_pipeline.py | Added test for plan limit early-stop behavior |
- Fix ruff format issues in 4 files
- Fix docstring/behavior mismatch on patch_component_visibility
- Guard SBOMIFY_UPLOAD_TIMEOUT env var against invalid values
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ility pipeline
Addresses remaining review comments:
- 4 tests for patch_component_visibility API (success, failure warns, connection/timeout errors)
- 3 tests for gzip compression in upload (small file uncompressed, large file compressed, ratio check)
- 3 tests for visibility patching in pipeline (set on created only, not set when unconfigured, stops after plan limit)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated no new comments.
Summary
- …Content-Encoding: gzip), reducing a 50MB SPDX 3 file to ~2MB and avoiding Cloudflare 524 upstream timeouts
- `--visibility` flag: Set visibility (public/private/gated) on newly created components via create-then-PATCH
- `--max-packages` hidden flag: Debug/testing option to limit SPDX 2.2 package processing
- `SBOMIFY_UPLOAD_TIMEOUT` env var overrides the default 120s
Test plan
🤖 Generated with Claude Code
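As an added illustration of the upload behaviour this PR describes (not the project's own code): gzip only bodies over 1MB and send `Content-Encoding: gzip`, read `SBOMIFY_UPLOAD_TIMEOUT` with a guard against invalid values falling back to 120s, and apply the plan-limit rule (403 with "maximum" in the detail) that stops the pipeline early. Function names, the threshold constant and the sample SBOM are assumptions made here.

```python
import gzip
import io
import json
import os

GZIP_THRESHOLD_BYTES = 1 * 1024 * 1024  # bodies over 1MB are compressed, as the PR describes
DEFAULT_UPLOAD_TIMEOUT = 120  # seconds; the default the PR summary names


def upload_timeout(env=None):
    """Read SBOMIFY_UPLOAD_TIMEOUT; fall back to the default when unset or invalid."""
    raw = (os.environ if env is None else env).get("SBOMIFY_UPLOAD_TIMEOUT")
    if raw is None:
        return DEFAULT_UPLOAD_TIMEOUT
    try:
        value = int(raw)
    except ValueError:
        return DEFAULT_UPLOAD_TIMEOUT
    # a zero or negative request timeout is never sane; treat it as invalid too
    return value if value > 0 else DEFAULT_UPLOAD_TIMEOUT


def prepare_upload_body(payload):
    """Return (body, headers); gzip the body and set Content-Encoding only above the threshold."""
    headers = {"Content-Type": "application/json"}
    if len(payload) <= GZIP_THRESHOLD_BYTES:
        return payload, headers
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:  # mtime=0 keeps output deterministic
        gz.write(payload)
    headers["Content-Encoding"] = "gzip"
    return buf.getvalue(), headers


def decode_upload_body(body, headers):
    """Inverse of prepare_upload_body, i.e. what the server sees after decoding the body."""
    return gzip.decompress(body) if headers.get("Content-Encoding") == "gzip" else body


def is_plan_limit_error(status_code, detail):
    """Early-stop rule from the PR: HTTP 403 whose detail mentions 'maximum' (components)."""
    return status_code == 403 and "maximum" in detail


def build_sample_sbom(n_packages):
    """Constructed SPDX 2.2-style JSON document, used only to exercise the size threshold."""
    packages = [{"name": f"pkg-{i}", "versionInfo": "1.0", "description": "x" * 200}
                for i in range(n_packages)]
    return json.dumps({"spdxVersion": "SPDX-2.2", "packages": packages}).encode()
```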