|
| 1 | +# sbom-diff-and-risk v0.6.0 draft release notes |
| 2 | + |
| 3 | +These are draft release notes for the planned `v0.6.0` release. This PR does not tag or publish `v0.6.0`, does not create a GitHub Release, and does not publish to PyPI or TestPyPI. |
| 4 | + |
| 5 | +## Theme |
| 6 | + |
| 7 | +Machine-readable report consumption and summary-output usability. |
| 8 | + |
| 9 | +`v0.6.0` focuses on making the existing JSON report easier to consume from automation without changing the core dependency diff model, Markdown output, SARIF output, workflows, package version, or publishing status. |
| 10 | + |
| 11 | +## Highlights |
| 12 | + |
| 13 | +- Added a stable, compact JSON `summary` contract for machine-readable report consumers. |
| 14 | +- Documented the JSON report schema in [docs/report-schema.md](docs/report-schema.md). |
| 15 | +- Added optional `--summary-json PATH` output for consumers that only need the stable summary object. |
| 16 | +- Preserved the existing `--out-json` report shape and behavior. |
| 17 | +- Kept production PyPI intentionally deferred. |
| 18 | + |
| 19 | +## Machine-readable output changes |
| 20 | + |
| 21 | +- `report.json["summary"]` is the stable compact entry point for automation. |
| 22 | +- `--summary-json PATH` writes only the same stable object as `report.json["summary"]`. |
| 23 | +- The base summary remains count-only: |
| 24 | + - `added` |
| 25 | + - `removed` |
| 26 | + - `changed` |
| 27 | + - `risk_counts` |
| 28 | +- `summary.policy` appears only when policy is applied. |
| 29 | +- `summary.enrichment` appears only when PyPI or Scorecard enrichment is used. |
| 30 | +- `unchanged` remains absent because unchanged components are not modeled. |
| 31 | +- Existing `--out-json` behavior is unchanged. |
| 32 | + |
| 33 | +## JSON schema / compatibility notes |
| 34 | + |
| 35 | +- JSON reports remain the primary machine-readable report format. |
| 36 | +- The schema is conservative and additive where possible. |
| 37 | +- Golden JSON samples and tests cover important output-shape expectations. |
| 38 | +- Absence of `summary.policy` means policy was not applied, not that policy failed. |
| 39 | +- Absence of `summary.enrichment` means PyPI and Scorecard enrichment were not used, not that enrichment failed. |
| 40 | +- `--summary-json PATH` does not introduce a second summary schema; it reuses the same summary rendering path as the full JSON report. |
| 41 | + |
| 42 | +## Verification and evidence surfaces |
| 43 | + |
| 44 | +- JSON schema documentation: [docs/report-schema.md](docs/report-schema.md). |
| 45 | +- Reviewer evidence pack: [docs/reviewer-evidence-pack.md](docs/reviewer-evidence-pack.md). |
| 46 | +- Verification guide: [docs/verification.md](docs/verification.md). |
| 47 | +- Release provenance guide: [docs/release-provenance.md](docs/release-provenance.md). |
| 48 | +- TestPyPI Trusted Publishing readiness: [docs/pypi-trusted-publishing-readiness.md](docs/pypi-trusted-publishing-readiness.md). |
| 49 | +- Production PyPI decision gate: [docs/pypi-production-publishing-decision.md](docs/pypi-production-publishing-decision.md). |
| 50 | + |
| 51 | +These surfaces remain distinct: GitHub workflow artifact attestations, GitHub Release asset verification, TestPyPI Trusted Publishing validation, and future production PyPI Trusted Publishing provenance answer different trust questions. |
| 52 | + |
| 53 | +## Distribution status |
| 54 | + |
| 55 | +- Latest GitHub Release remains `v0.5.1` until a future release PR creates the `v0.6.0` tag and release. |
| 56 | +- This PR does not tag or publish `v0.6.0`. |
| 57 | +- This PR does not create a GitHub Release. |
| 58 | +- This PR does not publish to TestPyPI. |
| 59 | +- This PR does not publish to production PyPI. |
| 60 | +- Production PyPI remains intentionally deferred. |
| 61 | + |
| 62 | +## Not in this release |
| 63 | + |
| 64 | +- No Markdown output behavior changed. |
| 65 | +- No SARIF behavior changed. |
| 66 | +- No workflow behavior changed. |
| 67 | +- No package version bump is included in this draft-notes PR. |
| 68 | +- No production PyPI workflow is added. |
| 69 | +- No hidden network behavior was added. |
| 70 | +- No CVE lookup or CVE resolution was added. |
| 71 | +- No dependency safety verdicts were added. |
| 72 | +- No dependency analysis behavior changed. |
0 commit comments