You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: tools/sbom-diff-and-risk/docs/release-provenance.md
+18-12Lines changed: 18 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,30 +11,36 @@ This page is only about the `sbom-diff-and-risk` tool's own GitHub Releases. If
11
11
12
12
## v1.0 release policy
13
13
14
-
Chosen policy: publish `v1.0.0`as the stable GitHub Release contract while
15
-
keeping production PyPI publishing deferred.
14
+
`v1.0.0`is the stable GitHub Release contract and is marked GitHub Latest.
15
+
Production PyPI publishing remains deferred as a separate contract.
16
16
17
17
For `v1.0.0`, stability applies to the CLI, report schemas, policy decision
18
18
examples, evidence-confidence labels, reviewer case, and GitHub Release asset
19
-
verification path. It does not claim production PyPI availability. Until the
20
-
final tag is explicitly approved and created, `v1.0-rc.1` remains the current
21
-
published release candidate.
19
+
verification path. It does not claim production PyPI availability.
22
20
23
21
The tag workflow marks rc tags as prereleases and not Latest. It explicitly
24
-
marks a final tag such as `v1.0.0` as GitHub Latest.
22
+
marks final tags such as `v1.0.0` as GitHub Latest.
25
23
26
24
Release assets produced by the updated workflow also include a deterministic SHA256 checksum manifest named `sbom-diff-and-risk-SHA256SUMS.txt`. The manifest is written with filenames sorted in a stable order. It is not a separate provenance system; it is a local byte-integrity check that helps reviewers confirm downloaded wheel and source distribution files match the hashes published with the same GitHub Release.
27
25
26
+
For repeat builds of the same commit, the workflow sets `SOURCE_DATE_EPOCH` to
27
+
the tagged commit timestamp. It also normalizes gzip and tar timestamps in the
28
+
source distribution before checksums and attestations are generated. This
29
+
removes build-clock variance from the wheel and source distribution while
30
+
preserving package contents.
31
+
28
32
## What the release workflow now does
29
33
30
34
For version tags matching `v*`, the `sbom-diff-and-risk-ci` workflow:
31
35
32
-
1. builds the wheel and source distribution in `build-and-attest`
33
-
2. generates `dist/sbom-diff-and-risk-SHA256SUMS.txt` with SHA256 hashes for the built `.whl` and `.tar.gz`
34
-
3. uploads the distributions and checksum manifest as the workflow artifact `sbom-diff-and-risk-dist`
35
-
4. generates a workflow artifact attestation for the built distribution files
36
-
5. downloads that same workflow artifact in `publish-release-assets`
37
-
6. publishes those exact `.whl` and `.tar.gz` files plus the checksum manifest as GitHub Release assets for the matching tag
36
+
1. sets `SOURCE_DATE_EPOCH` from the tagged commit timestamp
37
+
2. builds the wheel and source distribution in `build-and-attest`
38
+
3. normalizes source-distribution gzip and tar timestamps
39
+
4. generates `dist/sbom-diff-and-risk-SHA256SUMS.txt` with SHA256 hashes for the built `.whl` and `.tar.gz`
40
+
5. uploads the distributions and checksum manifest as the workflow artifact `sbom-diff-and-risk-dist`
41
+
6. generates a workflow artifact attestation for the built distribution files
42
+
7. downloads that same workflow artifact in `publish-release-assets`
43
+
8. publishes those exact `.whl` and `.tar.gz` files plus the checksum manifest as GitHub Release assets for the matching tag
38
44
39
45
This intentionally reuses the same workflow-built bytes for both the workflow artifact and the release asset surfaces. It does not add PyPI publishing or a separate rebuild-only release pipeline.
Copy file name to clipboardExpand all lines: tools/sbom-diff-and-risk/docs/reviewer-brief.md
+1-4Lines changed: 1 addition & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,10 +4,7 @@
4
4
5
5
`sbom-diff-and-risk` is a local CLI for comparing two SBOMs or dependency manifests and producing deterministic review artifacts: JSON, Markdown, and SARIF. It is built for conservative supply-chain review, not for vulnerability scanning or package reputation scoring.
6
6
7
-
Current released version: `v1.0-rc.1` release candidate.
8
-
9
-
Main is the `v1.0.0` final candidate. The chosen release policy is a stable
10
-
GitHub final release while production PyPI remains deferred.
7
+
Current stable GitHub release: `v1.0.0`. Production PyPI remains deferred.
Copy file name to clipboardExpand all lines: tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md
+11-11Lines changed: 11 additions & 11 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,7 +14,7 @@ workflow templates.
14
14
15
15
`sbom-diff-and-risk` is a local-first deterministic CLI for comparing SBOMs and dependency manifests. It is designed to produce stable review evidence for dependency changes.
16
16
17
-
Current released version: `v1.0-rc.1` release candidate.
17
+
Current stable GitHub release: `v1.0.0`.
18
18
19
19
Core identity:
20
20
@@ -149,22 +149,22 @@ For CI dashboard, job-summary, and local-threshold examples that consume
149
149
150
150
## Release Verification Path
151
151
152
-
Start with the GitHub Release for the version under review. For `v1.0-rc.1`,
152
+
Start with the GitHub Release for the version under review. For `v1.0.0`,
0 commit comments