You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: tools/sbom-diff-and-risk/README.md
+18-4Lines changed: 18 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -10,11 +10,25 @@ It uses conservative heuristics for change intelligence. By default it does not
10
10
11
11
This project has two different provenance stories:
12
12
13
-
For a concise reviewer-facing overview, start with [docs/reviewer-brief.md](docs/reviewer-brief.md). For reproducible review evidence and verification commands, use [docs/reviewer-evidence-pack.md](docs/reviewer-evidence-pack.md). For machine-readable JSON output shape, see [docs/report-schema.md](docs/report-schema.md). For CI consumption of summary-only output, see [docs/summary-json-ci-cookbook.md](docs/summary-json-ci-cookbook.md).
14
-
For a consumer-facing GitHub Actions example, see [docs/github-actions-consumer-example.md](docs/github-actions-consumer-example.md).
13
+
For a concise reviewer-facing overview, start with
14
+
[docs/reviewer-brief.md](docs/reviewer-brief.md). For reproducible review
15
+
evidence and verification commands, use
16
+
[docs/reviewer-evidence-pack.md](docs/reviewer-evidence-pack.md). For
17
+
machine-readable JSON output shape, see
18
+
[docs/report-schema.md](docs/report-schema.md). For policy decision
1. If you want to verify `sbom-diff-and-risk` itself, start with [docs/verification.md](docs/verification.md).
17
-
2. If you want to use `sbom-diff-and-risk` to analyze third-party dependency provenance, start with [Dependency provenance analysis](#dependency-provenance-analysis-opt-in) and [Dependency provenance reporting](#dependency-provenance-reporting).
26
+
1. If you want to verify `sbom-diff-and-risk` itself, start with
27
+
[docs/verification.md](docs/verification.md).
28
+
2. If you want to use `sbom-diff-and-risk` to analyze third-party dependency
Copy file name to clipboardExpand all lines: tools/sbom-diff-and-risk/docs/pypi-production-publishing-decision.md
+45-17Lines changed: 45 additions & 17 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,14 +4,21 @@ This page records the PR 5 production PyPI gate for `sbom-diff-and-risk`.
4
4
5
5
## PR 5 decision
6
6
7
-
Production PyPI publishing is **deferred, but conditionally allowed after the prerequisites below are complete**. In short: production PyPI is currently deferred.
8
-
9
-
PR 5 does not add an enabled production publishing workflow and does not publish to production PyPI. The successful TestPyPI Trusted Publishing dry-run proves that the package metadata can render on TestPyPI and that the TestPyPI OIDC path can work, but it is not automatic proof that production PyPI publishing is ready.
7
+
Production PyPI publishing is **deferred, but conditionally allowed after the
8
+
prerequisites below are complete**. In short: production PyPI is currently
9
+
deferred.
10
+
11
+
PR 5 does not add an enabled production publishing workflow and does not publish
12
+
to production PyPI. The successful TestPyPI Trusted Publishing dry-run proves
13
+
that the package metadata can render on TestPyPI and that the TestPyPI OIDC path
14
+
can work, but it is not automatic proof that production PyPI publishing is
15
+
ready.
10
16
11
17
The production gate is intentionally conservative because:
12
18
13
19
- the production PyPI project does not currently exist under the intended name
14
-
- the package metadata has moved to `0.5.0` for the GitHub Release, but production PyPI publishing has not been enabled
20
+
- the package metadata has moved beyond the TestPyPI dry-run version, but
21
+
production PyPI publishing has not been enabled
15
22
- the first production upload should be a deliberate release version, not an old dry-run version
16
23
- the production PyPI pending publisher or trusted publisher has not been configured
17
24
- the production GitHub environment has not yet been confirmed
@@ -26,18 +33,26 @@ As checked on April 26, 2026:
26
33
-`https://test.pypi.org/pypi/sbom-diff-and-risk/json` returned `200`
27
34
- TestPyPI reports `sbom-diff-and-risk` version `0.4.1`
28
35
29
-
This means the intended production project name is not currently visible on production PyPI, while the TestPyPI dry-run project exists. Treat the production name as available for this decision, but re-check immediately before configuration because PyPI can reserve, prohibit, or receive new projects at any time. The first production upload should use a production PyPI pending publisher unless the project is created by a maintainer before the publishing workflow is enabled.
36
+
This means the intended production project name is not currently visible on
37
+
production PyPI, while the TestPyPI dry-run project exists. Treat the production
38
+
name as available for this decision, but re-check immediately before
39
+
configuration because PyPI can reserve, prohibit, or receive new projects at any
40
+
time. The first production upload should use a production PyPI pending publisher
41
+
unless the project is created by a maintainer before the publishing workflow is
42
+
enabled.
30
43
31
44
## First production version
32
45
33
46
Do not publish `0.4.1` to production PyPI casually.
34
47
35
-
The first production PyPI version should be `0.5.0` only if v0.5 is approved as the first production package release. Otherwise, defer to a later GitHub release tag.
48
+
The first production PyPI version should be an explicitly approved current or
49
+
future GitHub release tag. Do not backfill an older release casually.
36
50
37
51
For the first production upload:
38
52
39
53
- the GitHub tag should be `v<version>`
40
-
-`tools/sbom-diff-and-risk/pyproject.toml` should declare the matching `<version>`
54
+
-`tools/sbom-diff-and-risk/pyproject.toml` should declare the matching
55
+
`<version>`
41
56
- the GitHub release and release assets should be available for the same tag
42
57
- the production PyPI workflow should run from the matching tag ref
43
58
- the production PyPI upload should use the checked distributions from that workflow run
@@ -55,23 +70,33 @@ Configure the production PyPI publisher to match this identity exactly:
55
70
| Trusted Publisher workflow name field |`sbom-diff-and-risk-pypi.yml`|
56
71
| GitHub environment |`pypi`|
57
72
58
-
If production PyPI still has no project for this name, configure a pending publisher for a new project. If the project exists by the time production publishing is implemented, add the trusted publisher to the existing project instead.
59
-
60
-
Do not create or document a PyPI API token for this workflow. Production upload should use Trusted Publishing / OIDC only.
73
+
If production PyPI still has no project for this name, configure a pending
74
+
publisher for a new project. If the project exists by the time production
75
+
publishing is implemented, add the trusted publisher to the existing project
76
+
instead.
77
+
78
+
Do not create or document a PyPI API token for this workflow. Production upload
79
+
should use Trusted Publishing / OIDC only.
61
80
62
81
PyPI-side setup should use these paths:
63
82
64
-
- for a new production project, create a pending publisher on production PyPI for project `sbom-diff-and-risk` with the owner, repository, workflow, and environment values above
65
-
- for an existing production project, open that project on production PyPI and add a trusted publisher with the same owner, repository, workflow, and environment values
66
-
- leave the environment field as `pypi`; if the PyPI publisher omits the environment, it will not match the future publish job identity
83
+
- for a new production project, create a pending publisher on production PyPI
84
+
for project `sbom-diff-and-risk` with the owner, repository, workflow, and
85
+
environment values above
86
+
- for an existing production project, open that project on production PyPI and
87
+
add a trusted publisher with the same owner, repository, workflow, and
88
+
environment values
89
+
- leave the environment field as `pypi`; if the PyPI publisher omits the
90
+
environment, it will not match the future publish job identity
67
91
- do not add a PyPI API token, PyPI password, or GitHub publishing secret as a fallback
68
92
69
93
## Prerequisites before enabling production publishing
70
94
71
95
Before adding `.github/workflows/sbom-diff-and-risk-pypi.yml`, maintainers should complete all of these checks:
72
96
73
97
- confirm the intended production package name still resolves as expected on production PyPI
74
-
- choose the first production version, likely `0.5.0` or a later release tag
98
+
- choose the first production version as an explicitly approved current or
99
+
future release tag
75
100
- update `pyproject.toml` to that version
76
101
- create or verify the matching GitHub tag and release assets
77
102
- create the GitHub environment named `pypi`
@@ -90,7 +115,7 @@ The future production workflow should:
90
115
- require an explicit boolean input such as `publish_to_pypi`
91
116
- require a confirmation string such as `publish sbom-diff-and-risk to production PyPI`
92
117
- require an expected version input and assert that it matches `pyproject.toml`
93
-
- require the run ref to be a version tag such as `refs/tags/v0.5.0`
118
+
- require the run ref to be a version tag such as `refs/tags/v<version>`
94
119
- build the wheel and source distribution once
95
120
- run `python -m twine check dist/*`
96
121
- upload the checked distributions as a workflow artifact
@@ -99,11 +124,14 @@ The future production workflow should:
99
124
- grant `id-token: write` only to the publish job
100
125
- avoid production upload on ordinary push or pull request events
101
126
102
-
The publish step should use `pypa/gh-action-pypi-publish@release/v1` without a `repository-url` override so it targets production PyPI.
127
+
The publish step should use `pypa/gh-action-pypi-publish@release/v1` without a
128
+
`repository-url` override so it targets production PyPI.
103
129
104
130
## Provenance boundaries
105
131
106
-
Production PyPI Trusted Publishing provenance, GitHub workflow artifact attestations, and GitHub Release asset verification answer related but different questions.
132
+
Production PyPI Trusted Publishing provenance, GitHub workflow artifact
133
+
attestations, and GitHub Release asset verification answer related but
Copy file name to clipboardExpand all lines: tools/sbom-diff-and-risk/docs/reviewer-brief.md
+2-1Lines changed: 2 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,7 +4,7 @@
4
4
5
5
`sbom-diff-and-risk` is a local CLI for comparing two SBOMs or dependency manifests and producing deterministic review artifacts: JSON, Markdown, and SARIF. It is built for conservative supply-chain review, not for vulnerability scanning or package reputation scoring.
6
6
7
-
Current released version: `v0.6.0`.
7
+
Current released version: `v0.7.0`.
8
8
9
9
## Why this project matters
10
10
@@ -28,6 +28,7 @@ Dependency review often needs evidence that is stable enough for code review, CI
28
28
| What does the tool do? |`README.md`, examples, tests, and generated sample reports. |
29
29
| How can a reviewer reproduce the core evidence? |[reviewer-evidence-pack.md](reviewer-evidence-pack.md) for demo, release, TestPyPI, and SARIF verification paths. |
30
30
| What is the stable JSON shape? |[report-schema.md](report-schema.md) documents the machine-readable report structure and `summary` contract. |
31
+
| How are policy findings explained? |[policy-decision-explainability.md](policy-decision-explainability.md) documents the policy decision metadata in JSON reports. |
31
32
| Are default runs offline? | CLI docs, tests for no-enrichment behavior, and explicit enrichment flags. |
32
33
| Can code scanning consume the output? |`docs/github-code-scanning.md` and `examples/sample-sarif.sarif`. |
33
34
| Can the tool's own artifacts be verified? |`docs/self-provenance.md` for workflow artifact attestations. |
0 commit comments