Use this page when you are trying to figure out which provenance or verification instructions apply to sbom-diff-and-risk.
Use the tool provenance docs:
- self-provenance.md if you want to verify the workflow-built wheel or source distribution with
gh attestation verify - release-provenance.md if you want to verify a GitHub Release or a downloaded release asset with
gh release verifyorgh release verify-asset - pypi-trusted-publishing-readiness.md if you want to know whether this package is ready for PyPI Trusted Publishing
Current boundaries:
- the workflow name is
sbom-diff-and-risk-ci - the workflow artifact name is
sbom-diff-and-risk-dist - version-tag runs matching
v*can publish the same built files as GitHub Release assets - release assets produced by the updated workflow include
sbom-diff-and-risk-SHA256SUMS.txtfor local SHA256 verification of the wheel and source distribution - release verification depends on immutable releases being enabled for the repository
- the TestPyPI readiness workflow is
sbom-diff-and-risk-testpypi - the TestPyPI Trusted Publishing dry-run has completed for version
0.4.1 - production PyPI publishing remains deferred behind the gate in pypi-production-publishing-decision.md
Use the dependency-analysis docs in the README:
Current boundaries:
- default CLI behavior remains local and deterministic
- no hidden network access occurs unless enrichment flags are set explicitly
- dependency provenance analysis is about third-party packages, not about verifying the
sbom-diff-and-risktool's own artifacts - release verification and workflow artifact attestation do not change CLI analysis behavior
- Verify the tool itself: use
self-provenance.mdorrelease-provenance.md - Check downloaded release bytes: use the checksum manifest instructions in
release-provenance.md - Decide whether production PyPI publishing is ready: use
pypi-production-publishing-decision.md - Analyze dependencies with the tool: use the README's dependency provenance sections