chore: prepare 0.26.1 (#1840)

* bump version, update changelog

* add dependabot; security.md; SLSA provenance

* security.md

* docs: add security md via GH; update changelog and readme.

Author: janfb

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/publish.yml

@@ -66,8 +66,9 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
-      contents: write  # IMPORTANT: mandatory for making GitHub Releases
-      id-token: write  # IMPORTANT: mandatory for sigstore
+      contents: write  # mandatory for making GitHub Releases
+      id-token: write  # mandatory for sigstore
+      attestations: write  # mandatory for SLSA provenance
 
     steps:
     - name: Download all the dists
@@ -81,6 +82,10 @@ jobs:
         inputs: >-
           ./dist/*.tar.gz
           ./dist/*.whl
+    - name: Attest build provenance
+      uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+      with:
+        subject-path: "dist/*.tar.gz,dist/*.whl"
     - name: Ensure GitHub Release exists (no-op if already exists)
       env:
         GITHUB_TOKEN: ${{ github.token }}
@@ -100,3 +105,4 @@ jobs:
         gh release upload
         "$TAG_NAME" dist/**
         --repo '${{ github.repository }}'
+        --clobber

CHANGELOG.md

@@ -1,5 +1,36 @@
 # Changelog
 
+## v0.26.1
+
+### ⚠️ Breaking Changes
+
+* **Make PyMC and Pyro optional dependencies** ([#1835](https://github.com/sbi-dev/sbi/issues/1835)): `pip install sbi` no longer installs `pymc` or `pyro-ppl`. Users who need Pyro or PyMC MCMC samplers should install extras:
+  * `pip install "sbi[pyro]"` for Pyro samplers (`hmc_pyro`, `nuts_pyro`)
+  * `pip install "sbi[pymc]"` for PyMC samplers (`slice_pymc`, `hmc_pymc`, `nuts_pymc`)
+  * `pip install "sbi[all]"` for both
+  * Using a Pyro/PyMC method without the dependency installed raises a clear `ImportError` with install instructions.
+
+### 🐛 Bug Fixes
+
+* **Fix TARP z-scoring bug** ([#1832](https://github.com/sbi-dev/sbi/issues/1832)): Reference points are now z-scored alongside `thetas` and `posterior_samples` when `z_score_theta=True`, fixing incorrect distance calculations that masked bias detection.
+* **Fix broken `biased_toy_gaussian` test helper**: Rewrote to create actual location bias (posterior mean shifted from truth) instead of the previous NaN-producing formula.
+
+### 📖 Documentation
+
+* Streamlined README installation section, recommend `uv` as default.
+* Added optional dependency install instructions to README, installation guide, and relevant tutorials.
+
+### 🔧 Improvements
+
+* **Change default `num_bins` in TARP**: `run_tarp` and `_run_tarp` now default to `num_bins=None` (auto-scales to `num_sims // 10`) instead of the hardcoded `30`, improving KS test power for larger sample sizes.
+
+### 🔒 Security
+
+* Added SLSA build provenance attestations to the release workflow.
+* Added Dependabot for automated GitHub Actions version updates.
+* Added `SECURITY.md` with vulnerability disclosure policy.
+* Fixed release uploads with `--clobber` flag.
+
 ## v0.26.0
 
 ### ✨ Highlights

README.md

@@ -186,7 +186,8 @@ We welcome any feedback on how `sbi` is working for your inference problems (see
 reports, pull requests, and other feedback (see
 [contribute](https://sbi-dev.github.io/sbi/latest/contribute/)). We wish to maintain a
 positive and respectful community; please read our [Code of
-Conduct](CODE_OF_CONDUCT.md).
+Conduct](CODE_OF_CONDUCT.md). To report a security vulnerability, please see our
+[Security Policy](SECURITY.md).
 
 ## Acknowledgments
 

sbi/__version__.py

@@ -1,6 +1,6 @@
 # This file is part of sbi, a toolkit for simulation-based inference. sbi is licensed
 # under the Apache License Version 2.0, see <https://www.apache.org/licenses/>
 
-VERSION = (0, 26, 0)
+VERSION = (0, 26, 1)
 
 __version__ = ".".join(map(str, VERSION))