Skip to content

Commit 71e809e

Browse files
committed
[codex] Release sbom-diff-and-risk v0.4.0
1 parent 02b0bb4 commit 71e809e

8 files changed

Lines changed: 39 additions & 12 deletions

File tree

tools/sbom-diff-and-risk/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# sbom-diff-and-risk
22

3-
v0.4 keeps dependency analysis local and deterministic by default while improving how consumers verify `sbom-diff-and-risk` itself through workflow-built artifacts and GitHub Release assets.
3+
v0.4.0 focuses on release/distribution provenance hardening while keeping dependency analysis local and deterministic by default. It clarifies how consumers verify `sbom-diff-and-risk` itself through workflow-built artifacts and GitHub Release assets, and it documents PyPI Trusted Publishing readiness without enabling PyPI publishing yet.
44

55
`sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
66

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
# v0.4.0
2+
3+
Theme: release/distribution provenance hardening
4+
5+
## Highlights
6+
7+
- Clarified the GitHub-hosted provenance story for `sbom-diff-and-risk` workflow-built artifacts and GitHub Release assets.
8+
- Kept workflow artifact attestation and GitHub Release verification as explicit, separate consumer verification surfaces.
9+
- Documented PyPI Trusted Publishing readiness and sequencing, while intentionally not enabling PyPI publishing yet.
10+
11+
## Verification story
12+
13+
- Workflow-built wheel and source distribution artifacts remain verifiable through `gh attestation verify`.
14+
- Version-tag releases can publish those same built files as GitHub Release assets, with consumer guidance for `gh release verify` and `gh release verify-asset`.
15+
- Verification docs now point users more directly to the right path depending on whether they want to verify the tool itself or analyze third-party dependency provenance with the tool.
16+
17+
## Packaging and release alignment
18+
19+
- Bumped the package version to `0.4.0`.
20+
- Synced the README top-level version narrative with the `v0.4.0` release hardening theme.
21+
- Updated example SARIF outputs and PyPI readiness notes to reference the `0.4.0` package line consistently.
22+
23+
## Not in this release
24+
25+
- No PyPI publishing is enabled yet.
26+
- No new CLI analysis features were added.
27+
- Default CLI behavior remains local and deterministic, with no hidden network access.

tools/sbom-diff-and-risk/docs/pypi-trusted-publishing-readiness.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -32,8 +32,8 @@ The main blockers are packaging and release-readiness concerns, not OIDC support
3232
That includes either:
3333
- a pending publisher for a new `sbom-diff-and-risk` project, or
3434
- a trusted publisher entry on an existing PyPI project
35-
4. The first PyPI release version and release sequencing have not been pinned down yet.
36-
The repository currently builds version `0.3.0`, while the repository work is now in the `v0.4` release-hardening theme.
35+
4. PyPI release sequencing is still intentionally deferred.
36+
The repository now builds version `0.4.0` and has GitHub-hosted release hardening in place, but PyPI publishing is still not enabled in this repository flow.
3737

3838
Because of those gaps, enabling a publish job now would create a fragile or misleading path.
3939

@@ -78,7 +78,7 @@ python -m twine check $files
7878
7979
### 2. Decide the first PyPI-published version and release sequence
8080
81-
- Decide whether the first PyPI upload should be `0.3.0`, `0.4.0`, or a later release.
81+
- Decide whether the first PyPI upload should be `0.4.0` or a later release.
8282
- Ensure the tag, package version, release notes, GitHub Release assets, and PyPI upload plan all refer to the same version.
8383
8484
### 3. Configure PyPI-side Trusted Publishing

tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@
77
"driver": {
88
"name": "sbom-diff-risk",
99
"fullName": "sbom-diff-risk",
10-
"version": "0.3.0",
11-
"semanticVersion": "0.3.0",
10+
"version": "0.4.0",
11+
"semanticVersion": "0.4.0",
1212
"rules": [
1313
{
1414
"id": "sdr.policy_violation.provenance_required",

tools/sbom-diff-and-risk/examples/sample-sarif.sarif

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@
77
"driver": {
88
"name": "sbom-diff-risk",
99
"fullName": "sbom-diff-risk",
10-
"version": "0.3.0",
11-
"semanticVersion": "0.3.0",
10+
"version": "0.4.0",
11+
"semanticVersion": "0.4.0",
1212
"rules": [
1313
{
1414
"id": "sdr.major_upgrade",

tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@
77
"driver": {
88
"name": "sbom-diff-risk",
99
"fullName": "sbom-diff-risk",
10-
"version": "0.3.0",
11-
"semanticVersion": "0.3.0",
10+
"version": "0.4.0",
11+
"semanticVersion": "0.4.0",
1212
"rules": [
1313
{
1414
"id": "sdr.policy_violation.scorecard_below_threshold",

tools/sbom-diff-and-risk/pyproject.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
44

55
[project]
66
name = "sbom-diff-and-risk"
7-
version = "0.3.0"
7+
version = "0.4.0"
88
description = "Local, deterministic SBOM diff and heuristic risk reporting."
99
readme = "README.md"
1010
requires-python = ">=3.11"

tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,4 @@
22

33
__all__ = ["__version__"]
44

5-
__version__ = "0.3.0"
5+
__version__ = "0.4.0"

0 commit comments

Comments
 (0)