Skip to content

Commit 5ac054a

Browse files
authored
[codex] Draft sbom-diff-and-risk v0.9.0 release notes
1 parent b556aca commit 5ac054a

1 file changed

Lines changed: 106 additions & 0 deletions

File tree

Lines changed: 106 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,106 @@
1+
# sbom-diff-and-risk v0.9.0
2+
3+
`v0.9.0` is the policy JSON sidecar and consumer integration usability
4+
release.
5+
6+
## Theme
7+
8+
Policy-focused machine-readable output for CI consumers.
9+
10+
`v0.9.0` focuses on making local policy outcomes easier to consume without
11+
walking the full JSON report. It adds a policy-only JSON sidecar, checked-in
12+
policy sidecar examples, and copyable GitHub Actions consumer guidance.
13+
14+
This release keeps the dependency diff model, existing full-report JSON shape,
15+
Markdown output behavior, SARIF output behavior, release workflows, and
16+
publishing status unchanged except for the new optional CLI output surface.
17+
18+
## Highlights
19+
20+
- Added optional `--policy-json PATH` support to `sbom-diff-risk compare`.
21+
- Added a checked-in `examples/sample-policy.json` artifact for the policy
22+
sidecar shape.
23+
- Added a GitHub Actions policy consumer example at
24+
`examples/github-actions-policy-consumer.yml`.
25+
- Updated reviewer-facing evidence documentation for reproducing and consuming
26+
`outputs/policy.json`.
27+
- Kept production PyPI intentionally deferred.
28+
29+
## Policy JSON sidecar
30+
31+
`--policy-json PATH` writes policy-related JSON sections from the same report
32+
model used by `--out-json`. It does not introduce a second policy schema.
33+
34+
The sidecar includes:
35+
36+
- `policy_evaluation`
37+
- `blocking_findings`
38+
- `warning_findings`
39+
- `suppressed_findings`
40+
- `rule_catalog`
41+
- `summary.policy` when policy evaluation is applied
42+
- provenance policy sections when those sections are relevant
43+
44+
The sidecar intentionally omits full-report `components` and `risks`. Consumers
45+
that need the complete dependency diff should continue to use `--out-json`.
46+
47+
When policy is not applied, the sidecar records
48+
`policy_evaluation.applied` as `false` and omits `summary.policy`.
49+
50+
## Consumer integration examples
51+
52+
`examples/sample-policy.json` is generated from the existing CycloneDX example
53+
pair with `examples/policy-strict.yml`. It is locked by tests and is expected to
54+
match the policy-related sections in the corresponding full policy-fail JSON
55+
report.
56+
57+
`examples/github-actions-policy-consumer.yml` shows how a consumer repository
58+
can:
59+
60+
- install from the GitHub Release wheel, not production PyPI
61+
- run `sbom-diff-risk compare` with `--policy-json`
62+
- keep `outputs/policy.json` as a CI artifact
63+
- upload evidence even when local policy fails
64+
- fail the job from `summary.policy`
65+
66+
The example is documentation only. It is not a workflow for this repository and
67+
does not change this repository's GitHub Actions configuration.
68+
69+
## Compatibility and boundaries
70+
71+
- Existing `--out-json` behavior remains the full JSON report output.
72+
- Existing `--summary-json PATH` behavior remains summary-only output.
73+
- Existing Markdown output behavior is unchanged.
74+
- Existing SARIF output behavior is unchanged.
75+
- Existing policy pass, warn, and fail behavior is unchanged.
76+
- Existing exit codes are unchanged.
77+
- No hidden network behavior was added.
78+
- No CVE lookup or CVE resolution was added.
79+
- Policy findings remain local policy decisions, not dependency safety
80+
verdicts.
81+
- Consumers should treat unrecognized future fields as additive report data.
82+
83+
## Distribution status
84+
85+
- Production PyPI publishing remains intentionally deferred.
86+
- This release is expected to be distributed through GitHub Release assets.
87+
- The consumer examples install from GitHub Release assets or local checkout,
88+
not production PyPI.
89+
- This release does not publish to TestPyPI.
90+
- This release does not publish to production PyPI.
91+
- No production PyPI workflow is added.
92+
93+
## Not in this release
94+
95+
- No package safety verdicts.
96+
- No vulnerability scanning.
97+
- No CVE resolution.
98+
- No default network enrichment.
99+
- No workflow changes for this repository.
100+
- No TestPyPI publishing.
101+
- No production PyPI publishing.
102+
- No production PyPI workflow.
103+
104+
This PR only drafts release notes. It does not bump package version, create a
105+
tag, create a GitHub Release, publish to PyPI/TestPyPI, or change runtime
106+
behavior.

0 commit comments

Comments
 (0)