You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: tools/sbom-diff-and-risk/README.md
+10-6Lines changed: 10 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,16 +1,20 @@
1
1
# sbom-diff-and-risk
2
2
3
-
v1.0-rc.1 is the Policy Evidence release candidate. It fixes the reviewer path
4
-
for policy decision examples, evidence-confidence labels, a one-page policy
5
-
warning case, and copyable GitHub Actions consumer guidance. It keeps
6
-
dependency analysis local and deterministic by default, preserves the completed
7
-
TestPyPI dry-run story, and keeps production PyPI publishing intentionally
8
-
deferred.
3
+
Main is the `v1.0.0` Policy Evidence final candidate. The currently published
4
+
release remains `v1.0-rc.1` until the final tag is explicitly approved and
5
+
created. The selected release policy is a stable GitHub `v1.0.0` release while
6
+
production PyPI publishing remains intentionally deferred.
9
7
10
8
`sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
11
9
12
10
It uses conservative heuristics for change intelligence. By default it does not resolve CVEs, does not act as a reputation oracle, and does not perform hidden network enrichment.
Copy file name to clipboardExpand all lines: tools/sbom-diff-and-risk/docs/release-provenance.md
+14Lines changed: 14 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,6 +9,20 @@ This document is about the second surface: verifying a GitHub Release and a down
9
9
10
10
This page is only about the `sbom-diff-and-risk` tool's own GitHub Releases. If you want the quick "which verification page do I need?" guide, start with [verification.md](verification.md).
11
11
12
+
## v1.0 release policy
13
+
14
+
Chosen policy: publish `v1.0.0` as the stable GitHub Release contract while
15
+
keeping production PyPI publishing deferred.
16
+
17
+
For `v1.0.0`, stability applies to the CLI, report schemas, policy decision
18
+
examples, evidence-confidence labels, reviewer case, and GitHub Release asset
19
+
verification path. It does not claim production PyPI availability. Until the
20
+
final tag is explicitly approved and created, `v1.0-rc.1` remains the current
21
+
published release candidate.
22
+
23
+
The tag workflow marks rc tags as prereleases and not Latest. It explicitly
24
+
marks a final tag such as `v1.0.0` as GitHub Latest.
25
+
12
26
Release assets produced by the updated workflow also include a deterministic SHA256 checksum manifest named `sbom-diff-and-risk-SHA256SUMS.txt`. The manifest is written with filenames sorted in a stable order. It is not a separate provenance system; it is a local byte-integrity check that helps reviewers confirm downloaded wheel and source distribution files match the hashes published with the same GitHub Release.
0 commit comments