Skip to content

Commit 1bbaabc

Browse files
authored
[codex] Release sbom-diff-and-risk v0.6.0
Release sbom-diff-and-risk v0.6.0 metadata and notes for machine-readable report consumption and summary-output usability. No runtime behavior, workflow, production PyPI, or PyPI/TestPyPI publishing changes.
1 parent a730ffe commit 1bbaabc

7 files changed

Lines changed: 17 additions & 18 deletions

File tree

tools/sbom-diff-and-risk/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# sbom-diff-and-risk
22

3-
v0.5.1 is a release-only maintenance update for the GitHub Release checksum manifest path. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
3+
v0.6.0 is the machine-readable report consumption release. It documents the stable JSON `summary` contract, adds report schema guidance, and includes optional `--summary-json PATH` output for consumers that only need `report.json["summary"]`. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
44

55
`sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
66

tools/sbom-diff-and-risk/RELEASE_NOTES_v0.6.0.md

Lines changed: 8 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,12 @@
1-
# sbom-diff-and-risk v0.6.0 draft release notes
1+
# sbom-diff-and-risk v0.6.0
22

3-
These are draft release notes for the planned `v0.6.0` release. This PR does not tag or publish `v0.6.0`, does not create a GitHub Release, and does not publish to PyPI or TestPyPI.
3+
`v0.6.0` is the machine-readable report consumption and summary-output usability release.
44

55
## Theme
66

77
Machine-readable report consumption and summary-output usability.
88

9-
`v0.6.0` focuses on making the existing JSON report easier to consume from automation without changing the core dependency diff model, Markdown output, SARIF output, workflows, package version, or publishing status.
9+
`v0.6.0` focuses on making the existing JSON report easier to consume from automation without changing the core dependency diff model, Markdown output, SARIF output, workflows, or publishing status.
1010

1111
## Highlights
1212

@@ -52,19 +52,18 @@ These surfaces remain distinct: GitHub workflow artifact attestations, GitHub Re
5252

5353
## Distribution status
5454

55-
- Latest GitHub Release remains `v0.5.1` until a future release PR creates the `v0.6.0` tag and release.
56-
- This PR does not tag or publish `v0.6.0`.
57-
- This PR does not create a GitHub Release.
58-
- This PR does not publish to TestPyPI.
59-
- This PR does not publish to production PyPI.
55+
- The `v0.6.0` GitHub Release is expected to be created from the tag-gated release workflow.
56+
- Release assets are expected to include the wheel, source distribution, and `sbom-diff-and-risk-SHA256SUMS.txt`.
57+
- TestPyPI Trusted Publishing dry-run validation remains documented as pre-production evidence.
58+
- This release does not publish to TestPyPI.
59+
- This release does not publish to production PyPI.
6060
- Production PyPI remains intentionally deferred.
6161

6262
## Not in this release
6363

6464
- No Markdown output behavior changed.
6565
- No SARIF behavior changed.
6666
- No workflow behavior changed.
67-
- No package version bump is included in this draft-notes PR.
6867
- No production PyPI workflow is added.
6968
- No hidden network behavior was added.
7069
- No CVE lookup or CVE resolution was added.

tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@
77
"driver": {
88
"name": "sbom-diff-risk",
99
"fullName": "sbom-diff-risk",
10-
"version": "0.5.1",
11-
"semanticVersion": "0.5.1",
10+
"version": "0.6.0",
11+
"semanticVersion": "0.6.0",
1212
"rules": [
1313
{
1414
"id": "sdr.policy_violation.provenance_required",

tools/sbom-diff-and-risk/examples/sample-sarif.sarif

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@
77
"driver": {
88
"name": "sbom-diff-risk",
99
"fullName": "sbom-diff-risk",
10-
"version": "0.5.1",
11-
"semanticVersion": "0.5.1",
10+
"version": "0.6.0",
11+
"semanticVersion": "0.6.0",
1212
"rules": [
1313
{
1414
"id": "sdr.major_upgrade",

tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@
77
"driver": {
88
"name": "sbom-diff-risk",
99
"fullName": "sbom-diff-risk",
10-
"version": "0.5.1",
11-
"semanticVersion": "0.5.1",
10+
"version": "0.6.0",
11+
"semanticVersion": "0.6.0",
1212
"rules": [
1313
{
1414
"id": "sdr.policy_violation.scorecard_below_threshold",

tools/sbom-diff-and-risk/pyproject.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
44

55
[project]
66
name = "sbom-diff-and-risk"
7-
version = "0.5.1"
7+
version = "0.6.0"
88
description = "Deterministic SBOM diff CLI with heuristic risk reporting."
99
readme = { file = "PYPI_DESCRIPTION.md", content-type = "text/markdown" }
1010
requires-python = ">=3.11"

tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,4 @@
22

33
__all__ = ["__version__"]
44

5-
__version__ = "0.5.1"
5+
__version__ = "0.6.0"

0 commit comments

Comments
 (0)