feat: log existing SBOM files found in wheels

Log any existing SBOM files in .dist-info/sboms/ at INFO level
during wheel metadata injection. This provides visibility into upstream
SBOMs (e.g. from maturin) before Fromager generates its own.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Martin Prpič <mprpic@redhat.com>

Author: 2 people

src/fromager/wheels.py

@@ -44,6 +44,24 @@
 FROMAGER_BUILD_REQ_PREFIX = "fromager"
 
 
+def _log_existing_sboms(
+    req: Requirement,
+    dist_info_dir: pathlib.Path,
+) -> None:
+    """Log any existing SBOM files found in the wheel's .dist-info/sboms/ directory."""
+    sboms_dir = dist_info_dir / "sboms"
+    if not sboms_dir.is_dir():
+        return
+    sbom_files = sorted(sboms_dir.iterdir())
+    if sbom_files:
+        names = [f.name for f in sbom_files]
+        logger.info(
+            "%s: found existing SBOM files in wheel: %s",
+            req.name,
+            ", ".join(names),
+        )
+
+
 def _extra_metadata_elfdeps(
     ctx: context.WorkContext,
     req: Requirement,
@@ -182,6 +200,8 @@ def add_extra_metadata_to_wheels(
         if not dist_info_dir.is_dir():
             raise ValueError(f"{wheel_file} does not contain {dist_info_dir.name}")
 
+        _log_existing_sboms(req, dist_info_dir)
+
         data_to_add = overrides.find_and_invoke(
             req.name,
             "add_extra_metadata_to_wheels",

tests/test_wheels.py

@@ -110,6 +110,40 @@ def test_add_extra_metadata_allows_legitimate_double_dots(
     mock_run.assert_called_once()
 
 
+def test_log_existing_sboms_when_present(
+    tmp_path: pathlib.Path, caplog: pytest.LogCaptureFixture
+) -> None:
+    """Verify that existing SBOM files in .dist-info/sboms/ are logged."""
+    req = Requirement("test_pkg==1.0.0")
+    dist_info_dir = tmp_path / "test_pkg-1.0.0.dist-info"
+    dist_info_dir.mkdir()
+    sboms_dir = dist_info_dir / "sboms"
+    sboms_dir.mkdir()
+    (sboms_dir / "cyclonedx.json").write_text("{}")
+    (sboms_dir / "other.spdx.json").write_text("{}")
+
+    with caplog.at_level("INFO", logger="fromager.wheels"):
+        wheels._log_existing_sboms(req, dist_info_dir)
+
+    assert "found existing SBOM files in wheel" in caplog.text
+    assert "cyclonedx.json" in caplog.text
+    assert "other.spdx.json" in caplog.text
+
+
+def test_log_existing_sboms_when_absent(
+    tmp_path: pathlib.Path, caplog: pytest.LogCaptureFixture
+) -> None:
+    """Verify no log output when .dist-info/sboms/ does not exist."""
+    req = Requirement("test_pkg==1.0.0")
+    dist_info_dir = tmp_path / "test_pkg-1.0.0.dist-info"
+    dist_info_dir.mkdir()
+
+    with caplog.at_level("INFO", logger="fromager.wheels"):
+        wheels._log_existing_sboms(req, dist_info_dir)
+
+    assert "SBOM" not in caplog.text
+
+
 def test_download_wheel_unquotes_url_encoded_filenames(tmp_path: pathlib.Path) -> None:
     """Test that download_wheel properly unquotes URL-encoded characters in filenames."""
     req = Requirement("test_pkg")