Skip to content

Commit dfcf8f9

Browse files
committed
chore(sbom): finalize v1.0.0 release
1 parent a12b680 commit dfcf8f9

13 files changed

Lines changed: 284 additions & 60 deletions

.github/workflows/sbom-diff-and-risk-ci.yml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -92,9 +92,16 @@ jobs:
9292
- name: Install build tooling
9393
run: python -m pip install build
9494

95+
- name: Set reproducible build epoch
96+
shell: bash
97+
run: echo "SOURCE_DATE_EPOCH=$(git log -1 --format=%ct)" >> "${GITHUB_ENV}"
98+
9599
- name: Build distributable artifacts
96100
run: python -m build
97101

102+
- name: Normalize source distribution timestamps
103+
run: python scripts/normalize_sdist.py --epoch "${SOURCE_DATE_EPOCH}" dist/*.tar.gz
104+
98105
- name: Generate SHA256 checksum manifest
99106
shell: bash
100107
run: |

README.md

Lines changed: 6 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -84,8 +84,7 @@ Project:
8484
[`sbom-diff-and-risk`](tools/sbom-diff-and-risk/README.md)
8585

8686
Status:
87-
Main is the `v1.0.0` final candidate. The currently published release remains
88-
`v1.0-rc.1` until the final tag is explicitly approved and created.
87+
Stable GitHub release: `v1.0.0`. Production PyPI publishing remains deferred.
8988

9089
What to review:
9190
Deterministic SBOM/dependency diffing, JSON/Markdown/SARIF output, local policy
@@ -99,7 +98,7 @@ Useful entry points:
9998
- [Reviewer path](tools/sbom-diff-and-risk/docs/reviewer-path.md)
10099
- [Reviewer brief](tools/sbom-diff-and-risk/docs/reviewer-brief.md)
101100
- [Reviewer evidence pack](tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md)
102-
- [v1.0.0 release notes draft][release-notes-v100]
101+
- [v1.0.0 release notes][release-notes-v100]
103102
- [v1.0-rc.1 release notes][release-notes-v10rc1]
104103
- [Examples](tools/sbom-diff-and-risk/examples/)
105104

@@ -226,11 +225,10 @@ the review question:
226225

227226
## Status
228227

229-
- Current published flagship release candidate: `sbom-diff-and-risk` `v1.0-rc.1`
230-
- GitHub Release assets: available for `v1.0-rc.1`
231-
- GitHub Latest may still show `v0.9.0` because `v1.0-rc.1` is a release candidate.
232-
- Next release policy: GitHub `v1.0.0` final, with production PyPI still deferred
233-
- Main package metadata: `1.0.0` final candidate
228+
- Current stable flagship release: `sbom-diff-and-risk` `v1.0.0`
229+
- GitHub Release assets: available for `v1.0.0`
230+
- GitHub Latest: `v1.0.0`
231+
- Package metadata: `1.0.0`
234232
- TestPyPI Trusted Publishing dry-run: completed
235233
- Production PyPI publishing: intentionally deferred
236234

scripts/validate-reviewer-routes.py

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -176,7 +176,8 @@
176176
"not a package safety verdict engine",
177177
"not part of the `sbom-diff-and-risk` release surface",
178178
"why the scientific-computing background helps",
179-
"GitHub Latest may still show `v0.9.0` because `v1.0-rc.1` is a release candidate.",
179+
"Current stable flagship release: `sbom-diff-and-risk` `v1.0.0`",
180+
"GitHub Latest: `v1.0.0`",
180181
"Production PyPI publishing: intentionally deferred",
181182
),
182183
Path("docs/reviewer-brief.md"): (
@@ -266,9 +267,9 @@
266267
"any malware verdict",
267268
),
268269
Path("tools/sbom-diff-and-risk/docs/release-provenance.md"): (
269-
"publish `v1.0.0` as the stable GitHub Release contract",
270-
"production PyPI publishing deferred",
271-
"marks a final tag such as `v1.0.0` as GitHub Latest",
270+
"`v1.0.0` is the stable GitHub Release contract and is marked GitHub Latest",
271+
"Production PyPI publishing remains deferred as a separate contract",
272+
"marks final tags such as `v1.0.0` as GitHub Latest",
272273
"workflow artifact attestation",
273274
),
274275
Path("tools/sbom-diff-and-risk/docs/reviewer-path.md"): (
@@ -287,7 +288,8 @@
287288
"runs the tool, uploads `policy.json`, and fails or passes from the policy exit code",
288289
"not current PyPI package truth",
289290
"not current repository reputation",
290-
"GitHub Latest may still show `v0.9.0` because `v1.0-rc.1` is a release candidate.",
291+
"`v1.0.0` is the stable GitHub release and GitHub Latest",
292+
"`v1.0-rc.1` remains historical prerelease evidence",
291293
"It does not decide whether a dependency is safe.",
292294
),
293295
Path("projects/precipitation-anomaly-diagnostics/docs/reviewer-path.md"): (

tools/sbom-diff-and-risk/README.md

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,8 @@
11
# sbom-diff-and-risk
22

3-
Main is the `v1.0.0` Policy Evidence final candidate. The currently published
4-
release remains `v1.0-rc.1` until the final tag is explicitly approved and
5-
created. The selected release policy is a stable GitHub `v1.0.0` release while
6-
production PyPI publishing remains intentionally deferred.
3+
`v1.0.0` is the stable Policy Evidence GitHub release. GitHub Release assets
4+
are the supported distribution surface for this version, while production
5+
PyPI publishing remains intentionally deferred.
76

87
`sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
98

tools/sbom-diff-and-risk/RELEASE_NOTES_v1.0.0.md

Lines changed: 18 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -31,22 +31,34 @@ A stable, bounded release surface for dependency diff and local policy evidence.
3131
- The TestPyPI Trusted Publishing dry-run remains evidence of the test
3232
publishing path only.
3333

34-
## Compatibility and boundaries
34+
## v1.0-rc.1 to v1.0.0 compatibility
35+
36+
- The CLI commands and flags are unchanged from `v1.0-rc.1`.
37+
- The package version moves from PEP 440 `1.0rc1` to `1.0.0`.
38+
- JSON and Markdown report structure remains compatible, except that the rc
39+
evidence label `enrichment_recorded` is replaced by the more specific
40+
`scorecard_recorded` value. Consumers matching the old string must update.
41+
- SARIF remains a conservative subset. The final release additively records
42+
`policy_matched`, `policy_level`, and `policy_rule_id` on direct mapped
43+
findings, and emits `sdr.new_package` only when `new_package` matched policy.
44+
- Production PyPI publishing remains deferred; moving from rc to final changes
45+
the GitHub Release contract, not the PyPI publishing contract.
46+
47+
## Boundaries
3548

3649
- Default analysis remains local-file based and deterministic.
3750
- No default network enrichment was added.
3851
- No CVE lookup, advisory resolution, malware scanning, or package safety
3952
verdict was added.
4053
- Policy warnings and failures remain bounded local policy decisions.
41-
- `enrichment_recorded` was an rc label and is replaced by the more specific
42-
`scorecard_recorded` label in the final contract.
4354

4455
## Release evidence
4556

4657
The tag-gated GitHub Actions workflow builds the wheel and source distribution,
47-
generates a SHA256 checksum manifest, records workflow artifact attestations,
48-
and publishes the same built files as GitHub Release assets. Final tags are
49-
explicitly marked as GitHub Latest; rc tags remain prereleases.
58+
normalizes build timestamps from the tagged commit time, generates a SHA256
59+
checksum manifest, records workflow artifact attestations, and publishes the
60+
same built files as GitHub Release assets. Final tags are explicitly marked as
61+
GitHub Latest; rc tags remain prereleases.
5062

5163
Expected assets:
5264

tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -12,9 +12,7 @@ Production PyPI publishing is intentionally deferred, so consumers should not
1212
install `sbom-diff-and-risk` from production PyPI. Use a GitHub Release asset or
1313
a local checkout instead.
1414

15-
The checked-in workflow pins the selected stable contract, `v1.0.0`. Before
16-
that final release is published, use the currently available `v1.0-rc.1`
17-
release asset instead.
15+
The checked-in workflow pins the stable GitHub Release contract, `v1.0.0`.
1816

1917
## Minimal policy workflow
2018

tools/sbom-diff-and-risk/docs/release-provenance.md

Lines changed: 18 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -11,30 +11,36 @@ This page is only about the `sbom-diff-and-risk` tool's own GitHub Releases. If
1111

1212
## v1.0 release policy
1313

14-
Chosen policy: publish `v1.0.0` as the stable GitHub Release contract while
15-
keeping production PyPI publishing deferred.
14+
`v1.0.0` is the stable GitHub Release contract and is marked GitHub Latest.
15+
Production PyPI publishing remains deferred as a separate contract.
1616

1717
For `v1.0.0`, stability applies to the CLI, report schemas, policy decision
1818
examples, evidence-confidence labels, reviewer case, and GitHub Release asset
19-
verification path. It does not claim production PyPI availability. Until the
20-
final tag is explicitly approved and created, `v1.0-rc.1` remains the current
21-
published release candidate.
19+
verification path. It does not claim production PyPI availability.
2220

2321
The tag workflow marks rc tags as prereleases and not Latest. It explicitly
24-
marks a final tag such as `v1.0.0` as GitHub Latest.
22+
marks final tags such as `v1.0.0` as GitHub Latest.
2523

2624
Release assets produced by the updated workflow also include a deterministic SHA256 checksum manifest named `sbom-diff-and-risk-SHA256SUMS.txt`. The manifest is written with filenames sorted in a stable order. It is not a separate provenance system; it is a local byte-integrity check that helps reviewers confirm downloaded wheel and source distribution files match the hashes published with the same GitHub Release.
2725

26+
For repeat builds of the same commit, the workflow sets `SOURCE_DATE_EPOCH` to
27+
the tagged commit timestamp. It also normalizes gzip and tar timestamps in the
28+
source distribution before checksums and attestations are generated. This
29+
removes build-clock variance from the wheel and source distribution while
30+
preserving package contents.
31+
2832
## What the release workflow now does
2933

3034
For version tags matching `v*`, the `sbom-diff-and-risk-ci` workflow:
3135

32-
1. builds the wheel and source distribution in `build-and-attest`
33-
2. generates `dist/sbom-diff-and-risk-SHA256SUMS.txt` with SHA256 hashes for the built `.whl` and `.tar.gz`
34-
3. uploads the distributions and checksum manifest as the workflow artifact `sbom-diff-and-risk-dist`
35-
4. generates a workflow artifact attestation for the built distribution files
36-
5. downloads that same workflow artifact in `publish-release-assets`
37-
6. publishes those exact `.whl` and `.tar.gz` files plus the checksum manifest as GitHub Release assets for the matching tag
36+
1. sets `SOURCE_DATE_EPOCH` from the tagged commit timestamp
37+
2. builds the wheel and source distribution in `build-and-attest`
38+
3. normalizes source-distribution gzip and tar timestamps
39+
4. generates `dist/sbom-diff-and-risk-SHA256SUMS.txt` with SHA256 hashes for the built `.whl` and `.tar.gz`
40+
5. uploads the distributions and checksum manifest as the workflow artifact `sbom-diff-and-risk-dist`
41+
6. generates a workflow artifact attestation for the built distribution files
42+
7. downloads that same workflow artifact in `publish-release-assets`
43+
8. publishes those exact `.whl` and `.tar.gz` files plus the checksum manifest as GitHub Release assets for the matching tag
3844

3945
This intentionally reuses the same workflow-built bytes for both the workflow artifact and the release asset surfaces. It does not add PyPI publishing or a separate rebuild-only release pipeline.
4046

tools/sbom-diff-and-risk/docs/reviewer-brief.md

Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -4,10 +4,7 @@
44

55
`sbom-diff-and-risk` is a local CLI for comparing two SBOMs or dependency manifests and producing deterministic review artifacts: JSON, Markdown, and SARIF. It is built for conservative supply-chain review, not for vulnerability scanning or package reputation scoring.
66

7-
Current released version: `v1.0-rc.1` release candidate.
8-
9-
Main is the `v1.0.0` final candidate. The chosen release policy is a stable
10-
GitHub final release while production PyPI remains deferred.
7+
Current stable GitHub release: `v1.0.0`. Production PyPI remains deferred.
118

129
For the shortest ordered review route, use
1310
[reviewer-path.md](reviewer-path.md).

tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ workflow templates.
1414

1515
`sbom-diff-and-risk` is a local-first deterministic CLI for comparing SBOMs and dependency manifests. It is designed to produce stable review evidence for dependency changes.
1616

17-
Current released version: `v1.0-rc.1` release candidate.
17+
Current stable GitHub release: `v1.0.0`.
1818

1919
Core identity:
2020

@@ -149,22 +149,22 @@ For CI dashboard, job-summary, and local-threshold examples that consume
149149

150150
## Release Verification Path
151151

152-
Start with the GitHub Release for the version under review. For `v1.0-rc.1`,
152+
Start with the GitHub Release for the version under review. For `v1.0.0`,
153153
inspect the release and assets:
154154

155155
```powershell
156-
gh release view v1.0-rc.1 `
156+
gh release view v1.0.0 `
157157
--repo stacknil/scientific-computing-toolkit `
158158
--json tagName,name,isDraft,isPrerelease,assets,url
159159
```
160160

161161
Expected release assets:
162162

163-
- `sbom_diff_and_risk-1.0rc1-py3-none-any.whl`
164-
- `sbom_diff_and_risk-1.0rc1.tar.gz`
163+
- `sbom_diff_and_risk-1.0.0-py3-none-any.whl`
164+
- `sbom_diff_and_risk-1.0.0.tar.gz`
165165
- `sbom-diff-and-risk-SHA256SUMS.txt`
166166

167-
For this rc, `isPrerelease` should be `true`.
167+
For this stable release, `isPrerelease` should be `false`.
168168

169169
The checksum manifest checks local downloaded distribution bytes before or alongside provenance verification:
170170

@@ -194,13 +194,13 @@ For workflow-built artifacts downloaded from a trusted workflow run, verify
194194
artifact attestations with the signer workflow:
195195

196196
```powershell
197-
gh attestation verify path/to/sbom_diff_and_risk-1.0rc1-py3-none-any.whl `
197+
gh attestation verify path/to/sbom_diff_and_risk-1.0.0-py3-none-any.whl `
198198
--repo stacknil/scientific-computing-toolkit `
199199
--signer-workflow stacknil/scientific-computing-toolkit/.github/workflows/sbom-diff-and-risk-ci.yml
200200
```
201201

202202
```powershell
203-
gh attestation verify path/to/sbom_diff_and_risk-1.0rc1.tar.gz `
203+
gh attestation verify path/to/sbom_diff_and_risk-1.0.0.tar.gz `
204204
--repo stacknil/scientific-computing-toolkit `
205205
--signer-workflow stacknil/scientific-computing-toolkit/.github/workflows/sbom-diff-and-risk-ci.yml
206206
```
@@ -210,15 +210,15 @@ releases. Use them only when the repository release is immutable and GitHub has
210210
generated release attestations:
211211

212212
```powershell
213-
gh release view v1.0-rc.1 --repo stacknil/scientific-computing-toolkit --json isImmutable,assets,url
213+
gh release view v1.0.0 --repo stacknil/scientific-computing-toolkit --json isImmutable,assets,url
214214
```
215215

216216
If `isImmutable` is true, release verification can check the release record and
217217
downloaded release assets:
218218

219219
```powershell
220-
gh release verify v1.0-rc.1 --repo stacknil/scientific-computing-toolkit
221-
gh release verify-asset v1.0-rc.1 path/to/sbom_diff_and_risk-1.0rc1-py3-none-any.whl --repo stacknil/scientific-computing-toolkit
220+
gh release verify v1.0.0 --repo stacknil/scientific-computing-toolkit
221+
gh release verify-asset v1.0.0 path/to/sbom_diff_and_risk-1.0.0-py3-none-any.whl --repo stacknil/scientific-computing-toolkit
222222
```
223223

224224
If `isImmutable` is false, use the workflow artifact attestation path as the primary artifact verification story.

tools/sbom-diff-and-risk/docs/reviewer-path.md

Lines changed: 3 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -199,13 +199,9 @@ Use this section only when the review question is about the released
199199
`sbom-diff-and-risk` tool artifacts. It is not the path for judging third-party
200200
dependency safety.
201201

202-
Release status note: GitHub Latest may still show `v0.9.0` because
203-
`v1.0-rc.1` is a release candidate. Reviewers checking the current release
204-
candidate should open the explicit `v1.0-rc.1` release page.
205-
206-
Main is prepared as the `v1.0.0` final candidate. The selected policy is a
207-
stable GitHub final release with production PyPI still deferred; this is not a
208-
claim that the final tag already exists.
202+
Release status: `v1.0.0` is the stable GitHub release and GitHub Latest.
203+
`v1.0-rc.1` remains historical prerelease evidence. Production PyPI publishing
204+
is still deferred as a separate contract.
209205

210206
| Evidence surface | Use when | Read |
211207
| --- | --- | --- |

0 commit comments

Comments
 (0)