ci: gitignore generated sbom.cdx.json so cargo publish sees a clean tree

[27Bslash6]

What

Add /sbom.cdx.json to .gitignore.

Why

The release workflow generates sbom.cdx.json in the repo root before cargo publish, which refuses to publish from a dirty working tree (files in the working directory contain changes not yet committed: sbom.cdx.json). This only surfaced once publish reached the crates.io step — earlier runs failed during Sigstore attestation. Ignoring the generated artifact keeps the tree clean while preserving cargo's dirty-check for everything else.

ci: type. Final fix in the 0.2.1 publish chain (attestation already proven green on the hosted runner).

Summary by CodeRabbit

• Chores
  • Updated configuration to exclude automatically generated release artefacts from version control, ensuring the build and release process completes without unexpected errors from uncommitted changes.

[coderabbitai]

Linter diff in the way? Review this PR in Change Stack to focus on meaningful changes and expand context only when needed.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 64bb7ac1-9bd9-4797-8e22-d1321410fc35

📥 Commits

Reviewing files that changed from the base of the PR and between 1e6637c and 12fb858.

📒 Files selected for processing (1)

• .gitignore

---

Walkthrough

The .gitignore file is updated to exclude the generated SBOM (Software Bill of Materials) artefact /sbom.cdx.json. Comments document that this file is produced during the release workflow before cargo publish and must be ignored to prevent a dirty working tree from blocking publication.

Changes

.gitignore — SBOM Artefact Exclusion

Layer / File(s)	Summary
SBOM artefact gitignore entry .gitignore	.gitignore adds entries to ignore /sbom.cdx.json, a CI-generated artefact produced during the release workflow prior to cargo publish, with accompanying comments documenting its purpose and lifecycle.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• cachekit-io/cachekit-core#28: Both PRs modify .gitignore to exclude generated workflow or tooling artefacts, establishing a pattern for managing build-time outputs.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding sbom.cdx.json to gitignore to resolve cargo publish failures due to dirty working tree.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/sbom-gitignore

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}