Skip to content

Commit 02b0bb4

Browse files
authored
[codex] sbom-diff-and-risk v0.4 release hardening (#11)
- align sbom-diff-and-risk workflow baselines and naming - document workflow artifact, release asset, and PyPI publishing readiness paths - clarify the split between tool verification and dependency provenance analysis
1 parent 11e5805 commit 02b0bb4

8 files changed

Lines changed: 418 additions & 19 deletions

File tree

.github/workflows/sbom-diff-and-risk-ci.yml

Lines changed: 62 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,12 @@
11
name: sbom-diff-and-risk-ci
2+
run-name: sbom-diff-and-risk ci / ${{ github.event_name }} / ${{ github.ref_name }}
23

34
on:
45
workflow_dispatch:
56
push:
7+
# Version tags provide a minimal release-build scaffold without changing publishing.
8+
tags:
9+
- "v*"
610
paths:
711
- ".github/workflows/sbom-diff-and-risk-ci.yml"
812
- "tools/sbom-diff-and-risk/**"
@@ -11,8 +15,12 @@ on:
1115
- ".github/workflows/sbom-diff-and-risk-ci.yml"
1216
- "tools/sbom-diff-and-risk/**"
1317

18+
permissions: {}
19+
1420
env:
21+
SBOM_DIFF_RISK_PYTHON_VERSION: "3.11"
1522
SBOM_DIFF_RISK_DIST_ARTIFACT_NAME: sbom-diff-and-risk-dist
23+
SBOM_DIFF_RISK_RELEASE_TITLE_PREFIX: sbom-diff-and-risk
1624

1725
jobs:
1826
test:
@@ -24,12 +32,12 @@ jobs:
2432
working-directory: tools/sbom-diff-and-risk
2533
steps:
2634
- name: Check out repository
27-
uses: actions/checkout@v4
35+
uses: actions/checkout@v5
2836

2937
- name: Set up Python
30-
uses: actions/setup-python@v5
38+
uses: actions/setup-python@v6
3139
with:
32-
python-version: "3.11"
40+
python-version: ${{ env.SBOM_DIFF_RISK_PYTHON_VERSION }}
3341

3442
- name: Upgrade pip
3543
run: python -m pip install --upgrade pip
@@ -70,12 +78,12 @@ jobs:
7078
working-directory: tools/sbom-diff-and-risk
7179
steps:
7280
- name: Check out repository
73-
uses: actions/checkout@v4
81+
uses: actions/checkout@v5
7482

7583
- name: Set up Python
76-
uses: actions/setup-python@v5
84+
uses: actions/setup-python@v6
7785
with:
78-
python-version: "3.11"
86+
python-version: ${{ env.SBOM_DIFF_RISK_PYTHON_VERSION }}
7987

8088
- name: Upgrade pip
8189
run: python -m pip install --upgrade pip
@@ -99,3 +107,51 @@ jobs:
99107
uses: actions/attest@v4
100108
with:
101109
subject-path: ${{ github.workspace }}/tools/sbom-diff-and-risk/dist/*
110+
111+
publish-release-assets:
112+
# Publish the exact built wheel/sdist bytes from this run as release assets.
113+
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
114+
needs: build-and-attest
115+
runs-on: ubuntu-latest
116+
permissions:
117+
contents: write
118+
steps:
119+
- name: Download built distribution artifact
120+
uses: actions/download-artifact@v4
121+
with:
122+
name: ${{ env.SBOM_DIFF_RISK_DIST_ARTIFACT_NAME }}
123+
path: release-assets
124+
125+
- name: Publish release assets from CI-built distributions
126+
shell: bash
127+
env:
128+
GH_TOKEN: ${{ github.token }}
129+
RELEASE_TAG: ${{ github.ref_name }}
130+
RELEASE_TITLE_PREFIX: ${{ env.SBOM_DIFF_RISK_RELEASE_TITLE_PREFIX }}
131+
run: |
132+
set -euo pipefail
133+
shopt -s nullglob
134+
assets=(release-assets/*.whl release-assets/*.tar.gz)
135+
if [ "${#assets[@]}" -eq 0 ]; then
136+
echo "No release assets found in release-assets/" >&2
137+
exit 1
138+
fi
139+
140+
title="${RELEASE_TITLE_PREFIX} ${RELEASE_TAG}"
141+
142+
if gh release view "${RELEASE_TAG}" >/dev/null 2>&1; then
143+
is_draft="$(gh release view "${RELEASE_TAG}" --json isDraft -q .isDraft)"
144+
if [ "${is_draft}" != "true" ]; then
145+
echo "Release ${RELEASE_TAG} already exists and is published; leaving assets unchanged."
146+
exit 0
147+
fi
148+
else
149+
gh release create "${RELEASE_TAG}" \
150+
--draft \
151+
--verify-tag \
152+
--title "${title}" \
153+
--notes "Release assets for ${RELEASE_TAG}. See docs/release-provenance.md for provenance verification guidance."
154+
fi
155+
156+
gh release upload "${RELEASE_TAG}" "${assets[@]}" --clobber
157+
gh release edit "${RELEASE_TAG}" --draft=false --title "${title}"

.github/workflows/sbom-diff-and-risk-code-scanning.yml

Lines changed: 23 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,5 @@
11
name: sbom-diff-and-risk-code-scanning
2+
run-name: sbom-diff-and-risk code scanning / ${{ github.event_name }} / ${{ github.ref_name }}
23

34
on:
45
workflow_dispatch:
@@ -7,6 +8,14 @@ on:
78
- ".github/workflows/sbom-diff-and-risk-code-scanning.yml"
89
- "tools/sbom-diff-and-risk/**"
910

11+
permissions: {}
12+
13+
env:
14+
SBOM_DIFF_RISK_PYTHON_VERSION: "3.11"
15+
SBOM_DIFF_RISK_SARIF_ARTIFACT_NAME: sbom-diff-and-risk-sarif
16+
SBOM_DIFF_RISK_SARIF_CATEGORY: sbom-diff-risk/example
17+
SBOM_DIFF_RISK_SARIF_FILE: outputs/report.sarif
18+
1019
jobs:
1120
upload-sarif:
1221
runs-on: ubuntu-latest
@@ -23,7 +32,10 @@ jobs:
2332
- name: Set up Python
2433
uses: actions/setup-python@v6
2534
with:
26-
python-version: "3.11"
35+
python-version: ${{ env.SBOM_DIFF_RISK_PYTHON_VERSION }}
36+
37+
- name: Upgrade pip
38+
run: python -m pip install --upgrade pip
2739

2840
- name: Install sbom-diff-and-risk
2941
run: python -m pip install -e .[dev]
@@ -34,10 +46,17 @@ jobs:
3446
python -m sbom_diff_risk.cli compare \
3547
--before examples/sarif_before.json \
3648
--after examples/sarif_after.json \
37-
--out-sarif outputs/report.sarif
49+
--out-sarif ${{ env.SBOM_DIFF_RISK_SARIF_FILE }}
50+
51+
- name: Upload SARIF workflow artifact
52+
uses: actions/upload-artifact@v4
53+
with:
54+
name: ${{ env.SBOM_DIFF_RISK_SARIF_ARTIFACT_NAME }}
55+
path: tools/sbom-diff-and-risk/${{ env.SBOM_DIFF_RISK_SARIF_FILE }}
56+
if-no-files-found: error
3857

3958
- name: Upload SARIF to code scanning
4059
uses: github/codeql-action/upload-sarif@v4
4160
with:
42-
sarif_file: tools/sbom-diff-and-risk/outputs/report.sarif
43-
category: sbom-diff-risk/example
61+
sarif_file: tools/sbom-diff-and-risk/${{ env.SBOM_DIFF_RISK_SARIF_FILE }}
62+
category: ${{ env.SBOM_DIFF_RISK_SARIF_CATEGORY }}

tools/sbom-diff-and-risk/README.md

Lines changed: 30 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,18 @@
11
# sbom-diff-and-risk
22

3-
v0.3.0 adds opt-in PyPI provenance enrichment, provenance-aware policy and reporting, optional advisory Scorecard signals, and self-provenance verification guidance for workflow-built artifacts.
3+
v0.4 keeps dependency analysis local and deterministic by default while improving how consumers verify `sbom-diff-and-risk` itself through workflow-built artifacts and GitHub Release assets.
44

55
`sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
66

77
It uses conservative heuristics for change intelligence. By default it does not resolve CVEs, does not act as a reputation oracle, and does not perform hidden network enrichment.
88

9+
## Start Here
10+
11+
This project has two different provenance stories:
12+
13+
1. If you want to verify `sbom-diff-and-risk` itself, start with [docs/verification.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/verification.md).
14+
2. If you want to use `sbom-diff-and-risk` to analyze third-party dependency provenance, start with [Dependency provenance analysis](#dependency-provenance-analysis-opt-in) and [Dependency provenance reporting](#dependency-provenance-reporting).
15+
916
## Scope
1017

1118
- Normalize two local inputs into a shared component schema.
@@ -163,7 +170,9 @@ sbom-diff-risk compare \
163170

164171
Offline mode remains the default. No network access occurs unless `--enrich-pypi` or `--enrich-scorecard` is set explicitly.
165172

166-
## Opt-in Provenance Enrichment
173+
## Dependency Provenance Analysis (Opt-in)
174+
175+
This section is about analyzing third-party package provenance signals. It is not about verifying the `sbom-diff-and-risk` tool's own release artifacts.
167176

168177
PyPI provenance and integrity enrichment is explicit and additive in this PR:
169178

@@ -186,7 +195,7 @@ sbom-diff-risk compare \
186195
--out-json outputs/report-enriched.json
187196
```
188197

189-
## Provenance-Aware Reporting
198+
## Dependency Provenance Reporting
190199

191200
When provenance enrichment is enabled, the reports surface trust signals directly instead of burying them in component evidence:
192201

@@ -221,17 +230,26 @@ If you want policy gating, make it explicit with a v3 policy such as [policy-sco
221230

222231
Setting `minimum_scorecard_score` alone is advisory metadata for review. It only affects policy outcomes when `scorecard_below_threshold` is configured explicitly in `block_on`, `warn_on`, or `ignore_rules`.
223232

224-
## Self-provenance
233+
## Tool Provenance And Verification
234+
235+
This section is about verifying `sbom-diff-and-risk` itself. If you want the shortest path to the right verification instructions, start with [docs/verification.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/verification.md).
225236

226237
This repository also records provenance for `sbom-diff-and-risk` itself by generating GitHub artifact attestations for the wheel and source distribution produced by the `sbom-diff-and-risk-ci` workflow.
227238

228239
- the attested files are the wheel and source distribution built by `python -m build` from `tools/sbom-diff-and-risk`
229240
- the build files are uploaded together as the `sbom-diff-and-risk-dist` workflow artifact
241+
- version-tag runs also publish those same built files as GitHub Release assets for the matching tag
230242
- only trusted non-PR runs publish the attestation
231-
- consumers can verify provenance with GitHub's attestation tooling after downloading one of those artifacts
243+
- consumers can verify workflow-built artifacts with `gh attestation verify`
244+
- consumers can verify immutable releases and downloaded release assets with `gh release verify` and `gh release verify-asset`
232245
- this complements the tool's analysis of third-party supply-chain inputs, but it does not replace that analysis
233246

234-
See [docs/self-provenance.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/self-provenance.md) for the exact attested filenames, where the evidence appears in GitHub, and a run-by-run verification flow for consumers.
247+
Verification docs:
248+
249+
- [docs/verification.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/verification.md) for the quick decision guide
250+
- [docs/self-provenance.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/self-provenance.md) for workflow-artifact attestation
251+
- [docs/release-provenance.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/release-provenance.md) for release-asset verification and immutable release guidance
252+
- [docs/pypi-trusted-publishing-readiness.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/pypi-trusted-publishing-readiness.md) for PyPI publishing prerequisites and sequencing
235253

236254
## Examples
237255

@@ -306,8 +324,14 @@ sbom-diff-risk compare \
306324

307325
For GitHub code scanning integration guidance and a minimal upload workflow, see [docs/github-code-scanning.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/github-code-scanning.md).
308326

327+
For the shortest path to the tool-verification docs, start with [docs/verification.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/verification.md).
328+
309329
For details on how this repository attests the tool's own wheel and source distribution artifacts, see [docs/self-provenance.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/self-provenance.md).
310330

331+
For details on how version-tag releases publish those same build outputs as release assets, and how consumers can verify immutable releases with GitHub CLI, see [docs/release-provenance.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/release-provenance.md).
332+
333+
For PyPI Trusted Publishing readiness, prerequisites, and the reasons this repository does not enable PyPI upload yet, see [docs/pypi-trusted-publishing-readiness.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/pypi-trusted-publishing-readiness.md).
334+
311335
## Parser Boundaries
312336

313337
Deterministic local mode intentionally supports a conservative subset of packaging syntax. The detailed matrix lives in [docs/parser-boundaries.md](D:/OneDrive/Code/scientific-computing-toolkit/tools/sbom-diff-and-risk/docs/parser-boundaries.md).

tools/sbom-diff-and-risk/docs/github-code-scanning.md

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@ The example workflow in `.github/workflows/sbom-diff-and-risk-code-scanning.yml`
1111
- checks out the repository
1212
- installs Python and the local tool
1313
- runs `sbom-diff-risk compare ... --out-sarif`
14+
- uploads the generated SARIF file as the workflow artifact `sbom-diff-and-risk-sarif`
1415
- uploads the generated SARIF file with `github/codeql-action/upload-sarif`
1516

1617
The example intentionally uses local example inputs and does not depend on secrets or network enrichment.
@@ -51,6 +52,18 @@ Set a SARIF category when you upload more than one analysis for the same commit
5152

5253
If you upload multiple SARIF files for the same tool and commit without distinct categories, later uploads replace earlier ones. In GitHub Actions, set the `category:` input on `github/codeql-action/upload-sarif`. Outside Actions, use `runAutomationDetails.id` in the SARIF file.
5354

55+
## Manual verification for one workflow run
56+
57+
After merging a change that touches `tools/sbom-diff-and-risk` or the workflow file itself:
58+
59+
1. Open the repository's **Actions** tab.
60+
2. Open a successful `sbom-diff-and-risk-code-scanning` run for the pull request, or trigger it manually with `workflow_dispatch`.
61+
- the visible run name starts with `sbom-diff-and-risk code scanning / <event> / <ref>`
62+
3. Confirm that the `upload-sarif` job completed successfully.
63+
4. Download the `sbom-diff-and-risk-sarif` artifact and confirm it contains `report.sarif`.
64+
5. Open the repository's **Security** tab, then **Code scanning**.
65+
6. Confirm the uploaded analysis appears under the category `sbom-diff-risk/example`.
66+
5467
## What this integration does not cover
5568

5669
- It does not add CVE lookup or advisory enrichment.

0 commit comments

Comments
 (0)