Problem
When multiple CI pipelines build the same wheel version (same package name + version), the SBOM embedded in the wheel has no way to distinguish which pipeline produced it. The creationInfo section only records a timestamp and the fromager tool version, which is insufficient for tracing a wheel back to its origin build.
This matters in environments where several pipelines produce identical wheels and only the last one is uploaded to an index — retroactively determining provenance requires digging through CI logs.
Proposal
Add an optional SPDX 2.3 annotation to the generated SBOM that records the CI build and job identifiers. The annotation uses the standard SPDX annotations field with annotationType: OTHER and a semicolon-delimited key=value comment format:
```json
"annotations": [
  {
    "annotationDate": "2026-06-18T14:30:00Z",
    "annotationType": "OTHER",
    "annotator": "Tool: fromager-0.88.0",
    "comment": "build_id=12345;job_id=67890"
  }
]
```
CI environment detection
Values are auto-detected from well-known CI environment variables:
| Field | GitLab CI | GitHub Actions |
|---|---|---|
| build_id | CI_PIPELINE_ID | GITHUB_RUN_ID |
| job_id | CI_JOB_ID | (not available) |
For other CI systems (Jenkins, Tekton, etc.), two generic override environment variables are supported:
FROMAGER_BUILD_ID — maps to build_id
FROMAGER_JOB_ID — maps to job_id
The FROMAGER_* variables take highest precedence and override any auto-detected values. Either or both can be set independently.
The annotation is only added when at least one identifier is resolved. Local developer builds (no CI env vars) are unaffected.
Opt-out
A new include_build_metadata boolean field on SbomSettings (default: True) allows suppressing these annotations:
```yaml
sbom:
  include_build_metadata: false
```
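The detection, precedence and opt-out rules above, worked through end to end as an added example (this is illustrative code written for this page, not fromager's implementation). It assumes the SBOM is handled as a plain JSON-style dict, that the tool version is passed in by the caller, and adds one check the proposal does not state: a value containing `;` or `=` is treated as unset so it cannot corrupt the key=value comment. It also includes a consumer-side reader, `read_build_identifiers`, so a verifier can recover the identifiers from a wheel's SBOM when tracing provenance.

```python
import datetime

# Well-known CI variables per field, in detection order (from the proposal's table).
CI_SOURCES = {
    "build_id": ("CI_PIPELINE_ID", "GITHUB_RUN_ID"),  # GitLab CI, GitHub Actions
    "job_id": ("CI_JOB_ID",),                         # GitLab CI only
}
# Generic overrides; these take precedence over auto-detected values.
OVERRIDES = {"build_id": "FROMAGER_BUILD_ID", "job_id": "FROMAGER_JOB_ID"}


def _clean(value):
    """Assumption (not in the proposal): a value that would break the
    semicolon-delimited key=value format is treated as unset rather than
    embedded, so the comment always stays parseable."""
    if not value:
        return None
    value = value.strip()
    if not value or ";" in value or "=" in value:
        return None
    return value


def resolve_build_identifiers(env):
    """Return {field: value} for every identifier that can be resolved.

    FROMAGER_* overrides win; otherwise the first CI variable present is used.
    Fields with no value are omitted, so an empty dict means 'no annotation'.
    """
    resolved = {}
    for field, candidates in CI_SOURCES.items():
        value = _clean(env.get(OVERRIDES[field]))
        if value is None:
            for var in candidates:
                value = _clean(env.get(var))
                if value is not None:
                    break
        if value is not None:
            resolved[field] = value
    return resolved


def build_metadata_annotation(env, tool_version, include_build_metadata=True,
                              annotation_date=None):
    """Build the SPDX 2.3 annotation dict, or None when it must not be added."""
    if not include_build_metadata:          # sbom.include_build_metadata: false
        return None
    ids = resolve_build_identifiers(env)
    if not ids:                             # local developer build: nothing to add
        return None
    if annotation_date is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        annotation_date = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "annotationDate": annotation_date,
        "annotationType": "OTHER",
        "annotator": f"Tool: fromager-{tool_version}",
        "comment": ";".join(f"{k}={v}" for k, v in ids.items()),
    }


def attach_annotation(sbom, annotation):
    """Append the annotation to the document-level SPDX annotations list."""
    if annotation is not None:
        sbom.setdefault("annotations", []).append(annotation)
    return sbom


def read_build_identifiers(sbom):
    """Consumer side: recover build_id/job_id from an SBOM for provenance checks."""
    for ann in sbom.get("annotations", []):
        if ann.get("annotationType") != "OTHER":
            continue
        if not ann.get("annotator", "").startswith("Tool: fromager-"):
            continue
        pairs = (p.split("=", 1) for p in ann.get("comment", "").split(";") if "=" in p)
        found = {k: v for k, v in pairs if k in CI_SOURCES}
        if found:
            return found
    return {}


if __name__ == "__main__":
    # Constructed sample environment mimicking a GitLab CI job.
    sample_env = {"CI_PIPELINE_ID": "12345", "CI_JOB_ID": "67890"}
    doc = attach_annotation({"spdxVersion": "SPDX-2.3"},
                            build_metadata_annotation(sample_env, "0.88.0"))
    print(doc["annotations"][0]["comment"])  # build_id=12345;job_id=67890
```

Resolution is per field, so a Tekton pipeline that sets only FROMAGER_BUILD_ID still produces a `build_id=...` annotation, and a GitHub Actions run yields `build_id` alone because no job variable is mapped for it.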