Skip to content

Commit 0012cc5

Browse files
authored
[codex] Release sbom-diff-and-risk v0.5.0
Bump sbom-diff-and-risk to v0.5.0, update SARIF sample metadata and release notes, and keep production PyPI intentionally deferred.
1 parent 60601c9 commit 0012cc5

8 files changed

Lines changed: 44 additions & 10 deletions

File tree

tools/sbom-diff-and-risk/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# sbom-diff-and-risk
22

3-
v0.5 PR 5 adds a production PyPI publishing decision gate. Production PyPI publishing remains deferred until the documented prerequisites are complete, dependency analysis stays local and deterministic by default, and CLI analysis behavior is unchanged.
3+
v0.5.0 is the GitHub Release for the production PyPI decision gate. The TestPyPI dry-run is completed, production PyPI publishing is intentionally deferred, dependency analysis stays local and deterministic by default, and CLI analysis behavior is unchanged.
44

55
`sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
66

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
# v0.5.0
2+
3+
Theme: production PyPI decision gate
4+
5+
## Highlights
6+
7+
- Added the production PyPI publishing decision gate for `sbom-diff-and-risk`.
8+
- Confirmed the intended production package name remains `sbom-diff-and-risk`.
9+
- Documented the future production publisher identity and workflow shape without enabling a production upload path.
10+
- Clarified that TestPyPI, GitHub workflow artifact attestations, GitHub Release asset verification, and PyPI Trusted Publishing provenance are separate trust surfaces.
11+
12+
## Distribution status
13+
14+
- TestPyPI dry-run completed; production PyPI intentionally deferred.
15+
- The TestPyPI package exists for version `0.4.1`.
16+
- The `v0.5.0` release is a GitHub Release and package version bump only.
17+
- No production PyPI workflow is added in this release.
18+
- No production PyPI upload is performed by this release.
19+
20+
## Packaging and release alignment
21+
22+
- Bumped the package version to `0.5.0`.
23+
- Synced `sbom_diff_risk.__version__` with the package metadata.
24+
- Updated sample SARIF metadata to report `0.5.0`.
25+
- Updated the README top-level release narrative for the v0.5.0 gate.
26+
27+
## Not in this release
28+
29+
- No analyzer features were added.
30+
- No SARIF behavior changes were added beyond sample metadata version alignment.
31+
- No policy behavior changes were added.
32+
- No hidden network behavior was added.
33+
- No production PyPI publishing path was enabled.
34+

tools/sbom-diff-and-risk/docs/pypi-production-publishing-decision.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ PR 5 does not add an enabled production publishing workflow and does not publish
1111
The production gate is intentionally conservative because:
1212

1313
- the production PyPI project does not currently exist under the intended name
14-
- the package metadata still declares version `0.4.1`
14+
- the package metadata has moved to `0.5.0` for the GitHub Release, but production PyPI publishing has not been enabled
1515
- the first production upload should be a deliberate release version, not an old dry-run version
1616
- the production PyPI pending publisher or trusted publisher has not been configured
1717
- the production GitHub environment has not yet been confirmed

tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@
77
"driver": {
88
"name": "sbom-diff-risk",
99
"fullName": "sbom-diff-risk",
10-
"version": "0.4.1",
11-
"semanticVersion": "0.4.1",
10+
"version": "0.5.0",
11+
"semanticVersion": "0.5.0",
1212
"rules": [
1313
{
1414
"id": "sdr.policy_violation.provenance_required",

tools/sbom-diff-and-risk/examples/sample-sarif.sarif

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@
77
"driver": {
88
"name": "sbom-diff-risk",
99
"fullName": "sbom-diff-risk",
10-
"version": "0.4.1",
11-
"semanticVersion": "0.4.1",
10+
"version": "0.5.0",
11+
"semanticVersion": "0.5.0",
1212
"rules": [
1313
{
1414
"id": "sdr.major_upgrade",

tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@
77
"driver": {
88
"name": "sbom-diff-risk",
99
"fullName": "sbom-diff-risk",
10-
"version": "0.4.1",
11-
"semanticVersion": "0.4.1",
10+
"version": "0.5.0",
11+
"semanticVersion": "0.5.0",
1212
"rules": [
1313
{
1414
"id": "sdr.policy_violation.scorecard_below_threshold",

tools/sbom-diff-and-risk/pyproject.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
44

55
[project]
66
name = "sbom-diff-and-risk"
7-
version = "0.4.1"
7+
version = "0.5.0"
88
description = "Deterministic SBOM diff CLI with heuristic risk reporting."
99
readme = { file = "PYPI_DESCRIPTION.md", content-type = "text/markdown" }
1010
requires-python = ">=3.11"

tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,4 @@
22

33
__all__ = ["__version__"]
44

5-
__version__ = "0.4.1"
5+
__version__ = "0.5.0"

0 commit comments

Comments
 (0)