Skip to content

Commit a730ffe

Browse files
authored
[codex] Draft sbom-diff-and-risk v0.6.0 release notes
Draft sbom-diff-and-risk v0.6.0 release notes for machine-readable report consumption and summary-output usability. This is release-notes only: no version bump, tag, GitHub Release, PyPI/TestPyPI publishing, runtime change, workflow change, or production PyPI workflow.
1 parent 05dc646 commit a730ffe

1 file changed

Lines changed: 72 additions & 0 deletions

File tree

Lines changed: 72 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,72 @@
1+
# sbom-diff-and-risk v0.6.0 draft release notes
2+
3+
These are draft release notes for the planned `v0.6.0` release. This PR does not tag or publish `v0.6.0`, does not create a GitHub Release, and does not publish to PyPI or TestPyPI.
4+
5+
## Theme
6+
7+
Machine-readable report consumption and summary-output usability.
8+
9+
`v0.6.0` focuses on making the existing JSON report easier to consume from automation without changing the core dependency diff model, Markdown output, SARIF output, workflows, package version, or publishing status.
10+
11+
## Highlights
12+
13+
- Added a stable, compact JSON `summary` contract for machine-readable report consumers.
14+
- Documented the JSON report schema in [docs/report-schema.md](docs/report-schema.md).
15+
- Added optional `--summary-json PATH` output for consumers that only need the stable summary object.
16+
- Preserved the existing `--out-json` report shape and behavior.
17+
- Kept production PyPI intentionally deferred.
18+
19+
## Machine-readable output changes
20+
21+
- `report.json["summary"]` is the stable compact entry point for automation.
22+
- `--summary-json PATH` writes only the same stable object as `report.json["summary"]`.
23+
- The base summary remains count-only:
24+
- `added`
25+
- `removed`
26+
- `changed`
27+
- `risk_counts`
28+
- `summary.policy` appears only when policy is applied.
29+
- `summary.enrichment` appears only when PyPI or Scorecard enrichment is used.
30+
- `unchanged` remains absent because unchanged components are not modeled.
31+
- Existing `--out-json` behavior is unchanged.
32+
33+
## JSON schema / compatibility notes
34+
35+
- JSON reports remain the primary machine-readable report format.
36+
- The schema is conservative and additive where possible.
37+
- Golden JSON samples and tests cover important output-shape expectations.
38+
- Absence of `summary.policy` means policy was not applied, not that policy failed.
39+
- Absence of `summary.enrichment` means PyPI and Scorecard enrichment were not used, not that enrichment failed.
40+
- `--summary-json PATH` does not introduce a second summary schema; it reuses the same summary rendering path as the full JSON report.
41+
42+
## Verification and evidence surfaces
43+
44+
- JSON schema documentation: [docs/report-schema.md](docs/report-schema.md).
45+
- Reviewer evidence pack: [docs/reviewer-evidence-pack.md](docs/reviewer-evidence-pack.md).
46+
- Verification guide: [docs/verification.md](docs/verification.md).
47+
- Release provenance guide: [docs/release-provenance.md](docs/release-provenance.md).
48+
- TestPyPI Trusted Publishing readiness: [docs/pypi-trusted-publishing-readiness.md](docs/pypi-trusted-publishing-readiness.md).
49+
- Production PyPI decision gate: [docs/pypi-production-publishing-decision.md](docs/pypi-production-publishing-decision.md).
50+
51+
These surfaces remain distinct: GitHub workflow artifact attestations, GitHub Release asset verification, TestPyPI Trusted Publishing validation, and future production PyPI Trusted Publishing provenance answer different trust questions.
52+
53+
## Distribution status
54+
55+
- Latest GitHub Release remains `v0.5.1` until a future release PR creates the `v0.6.0` tag and release.
56+
- This PR does not tag or publish `v0.6.0`.
57+
- This PR does not create a GitHub Release.
58+
- This PR does not publish to TestPyPI.
59+
- This PR does not publish to production PyPI.
60+
- Production PyPI remains intentionally deferred.
61+
62+
## Not in this release
63+
64+
- No Markdown output behavior changed.
65+
- No SARIF behavior changed.
66+
- No workflow behavior changed.
67+
- No package version bump is included in this draft-notes PR.
68+
- No production PyPI workflow is added.
69+
- No hidden network behavior was added.
70+
- No CVE lookup or CVE resolution was added.
71+
- No dependency safety verdicts were added.
72+
- No dependency analysis behavior changed.

0 commit comments

Comments
 (0)