Skip to content

Commit 68135e2

Browse files
authored
[codex] Release sbom-diff-and-risk v0.8.0
Release metadata alignment for sbom-diff-and-risk v0.8.0. No runtime, workflow, production PyPI, or PyPI/TestPyPI publishing changes.
1 parent 7eda6d0 commit 68135e2

7 files changed

Lines changed: 20 additions & 19 deletions

File tree

tools/sbom-diff-and-risk/README.md

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,11 @@
11
# sbom-diff-and-risk
22

3-
v0.7.0 is the consumer integration usability release. It adds CI-facing documentation and checked-in examples for consuming `summary.json`, using local thresholds, and running `sbom-diff-risk` from a consumer GitHub Actions workflow. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
3+
v0.8.0 is the policy decision explainability release. It adds stable
4+
machine-readable explanation fields for JSON policy findings and reviewer
5+
documentation for interpreting local policy decisions. It keeps CLI analysis
6+
behavior unchanged, keeps dependency analysis local and deterministic by
7+
default, preserves the completed TestPyPI dry-run story, and keeps production
8+
PyPI publishing intentionally deferred.
49

510
`sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
611

tools/sbom-diff-and-risk/RELEASE_NOTES_v0.8.0.md

Lines changed: 6 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -11,10 +11,6 @@ reports and reviewer documentation. It keeps the dependency diff model,
1111
existing CLI flags, Markdown output behavior, SARIF output behavior, workflows,
1212
release tags, and publishing status unchanged.
1313

14-
This file is a draft release note. Drafting this file does not bump the package
15-
version, create a tag, create a GitHub Release, publish to TestPyPI, or publish
16-
to production PyPI.
17-
1814
## Highlights
1915

2016
- Added stable policy decision explanation fields to JSON policy findings.
@@ -85,10 +81,12 @@ production PyPI Trusted Publishing provenance answer different trust questions.
8581

8682
## Distribution status
8783

88-
- The latest published GitHub Release remains `v0.7.0` until `v0.8.0` is
89-
intentionally tagged and released.
90-
- This draft does not publish to TestPyPI.
91-
- This draft does not publish to production PyPI.
84+
- The `v0.8.0` GitHub Release is expected to be created from the tag-gated
85+
release workflow.
86+
- Release assets are expected to include the wheel, source distribution, and
87+
`sbom-diff-and-risk-SHA256SUMS.txt`.
88+
- This release does not publish to TestPyPI.
89+
- This release does not publish to production PyPI.
9290
- Production PyPI publishing remains intentionally deferred.
9391
- No production PyPI workflow is added.
9492

@@ -98,8 +96,6 @@ production PyPI Trusted Publishing provenance answer different trust questions.
9896
- No Markdown output behavior changes.
9997
- No SARIF output behavior changes.
10098
- No workflow changes.
101-
- No package version bump in this draft PR.
102-
- No tag or GitHub Release in this draft PR.
10399
- No PyPI/TestPyPI publishing.
104100
- No production PyPI workflow.
105101
- No hidden network behavior.

tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@
77
"driver": {
88
"name": "sbom-diff-risk",
99
"fullName": "sbom-diff-risk",
10-
"version": "0.7.0",
11-
"semanticVersion": "0.7.0",
10+
"version": "0.8.0",
11+
"semanticVersion": "0.8.0",
1212
"rules": [
1313
{
1414
"id": "sdr.policy_violation.provenance_required",

tools/sbom-diff-and-risk/examples/sample-sarif.sarif

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@
77
"driver": {
88
"name": "sbom-diff-risk",
99
"fullName": "sbom-diff-risk",
10-
"version": "0.7.0",
11-
"semanticVersion": "0.7.0",
10+
"version": "0.8.0",
11+
"semanticVersion": "0.8.0",
1212
"rules": [
1313
{
1414
"id": "sdr.major_upgrade",

tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@
77
"driver": {
88
"name": "sbom-diff-risk",
99
"fullName": "sbom-diff-risk",
10-
"version": "0.7.0",
11-
"semanticVersion": "0.7.0",
10+
"version": "0.8.0",
11+
"semanticVersion": "0.8.0",
1212
"rules": [
1313
{
1414
"id": "sdr.policy_violation.scorecard_below_threshold",

tools/sbom-diff-and-risk/pyproject.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
44

55
[project]
66
name = "sbom-diff-and-risk"
7-
version = "0.7.0"
7+
version = "0.8.0"
88
description = "Deterministic SBOM diff CLI with heuristic risk reporting."
99
readme = { file = "PYPI_DESCRIPTION.md", content-type = "text/markdown" }
1010
requires-python = ">=3.11"

tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,4 @@
22

33
__all__ = ["__version__"]
44

5-
__version__ = "0.7.0"
5+
__version__ = "0.8.0"

0 commit comments

Comments
 (0)