From 5ec792d62395c36dc12de32910a8eda4cd9894a8 Mon Sep 17 00:00:00 2001
From: stacknil
Date: Mon, 4 May 2026 16:54:35 +0800
Subject: [PATCH] Release sbom-diff-and-risk v0.7.0
---
 tools/sbom-diff-and-risk/README.md | 2 +-
 .../RELEASE_NOTES_v0.7.0.md | 35 ++++++++-----------
 .../examples/sample-provenance-report.sarif | 4 +-
 .../examples/sample-sarif.sarif | 4 +-
 .../examples/sample-scorecard-report.sarif | 4 +-
 tools/sbom-diff-and-risk/pyproject.toml | 2 +-
 .../src/sbom_diff_risk/__init__.py | 2 +-
 7 files changed, 24 insertions(+), 29 deletions(-)
diff --git a/tools/sbom-diff-and-risk/README.md b/tools/sbom-diff-and-risk/README.md
index b81cd2d..9a4ea3e 100644
--- a/tools/sbom-diff-and-risk/README.md
+++ b/tools/sbom-diff-and-risk/README.md
@@ -1,6 +1,6 @@
 # sbom-diff-and-risk
-v0.6.0 is the machine-readable report consumption release. It documents the stable JSON `summary` contract, adds report schema guidance, and includes optional `--summary-json PATH` output for consumers that only need `report.json["summary"]`. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
+v0.7.0 is the consumer integration usability release. It adds CI-facing documentation and checked-in examples for consuming `summary.json`, using local thresholds, and running `sbom-diff-risk` from a consumer GitHub Actions workflow. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
 `sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
diff --git a/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.7.0.md b/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.7.0.md
index a9ea991..70b1adf 100644
--- a/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.7.0.md
+++ b/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.7.0.md
@@ -1,20 +1,15 @@
 # sbom-diff-and-risk v0.7.0
-Draft release notes for `v0.7.0`.
-
-Release notes file: `RELEASE_NOTES_v0.7.0.md`.
-
-This PR only drafts release notes. It does not bump package version, create a
-tag, publish a GitHub Release, or publish to PyPI/TestPyPI.
+`v0.7.0` is the consumer integration usability release.
 ## Theme
 Consumer integration usability.
-`v0.7.0` focuses on consumer-facing examples and CI integration guidance for the
-existing machine-readable summary output. It does not change the core dependency
-diff model, CLI behavior, JSON report schema, Markdown output, SARIF output,
-workflows, release tags, or publishing status.
+`v0.7.0` focuses on consumer-facing examples and CI integration guidance for
+the existing machine-readable summary output. It does not change the core
+dependency diff model, CLI behavior, JSON report schema, Markdown output,
+SARIF output, workflows, release tags, or publishing status.
 ## Highlights
@@ -22,8 +17,8 @@ workflows, release tags, or publishing status.
 [docs/summary-json-ci-cookbook.md](docs/summary-json-ci-cookbook.md).
 - Added a checked-in summary-only example artifact at
 [examples/sample-summary.json](examples/sample-summary.json).
-- Added a consumer-facing GitHub Actions example in
- [docs/github-actions-consumer-example.md](docs/github-actions-consumer-example.md).
+- Added a consumer-facing GitHub Actions
+ [consumer example](docs/github-actions-consumer-example.md).
 - Documented explicit local thresholding with `summary.json`.
 - Documented a GitHub Release wheel installation path for consumer workflows.
 - Kept production PyPI intentionally deferred.
@@ -45,8 +40,8 @@ and apply local thresholds chosen by the consuming repository.
 The GitHub Actions consumer example shows how another repository can install
 `sbom-diff-risk` from GitHub Release assets instead of production PyPI, run
-`compare`, write JSON, Markdown, summary JSON, and SARIF outputs, and upload the
-generated files as CI artifacts.
+`compare`, write JSON, Markdown, summary JSON, and SARIF outputs, and upload
+the generated files as CI artifacts.
 `summary.json` thresholding is a local consumer policy choice. It is not a
 built-in dependency safety verdict.
@@ -67,10 +62,12 @@ built-in dependency safety verdict.
 ## Distribution status
-- The latest published GitHub Release before this draft is `v0.6.0`.
-- This PR does not tag or publish `v0.7.0`.
-- This PR does not publish to TestPyPI.
-- This PR does not publish to production PyPI.
+- The `v0.7.0` GitHub Release is expected to be created from the tag-gated
+ release workflow.
+- Release assets are expected to include the wheel, source distribution, and
+ `sbom-diff-and-risk-SHA256SUMS.txt`.
+- This release does not publish to TestPyPI.
+- This release does not publish to production PyPI.
 - Production PyPI publishing remains intentionally deferred.
 - The GitHub Actions consumer example installs from GitHub Release assets, not
 production PyPI.
@@ -82,8 +79,6 @@ built-in dependency safety verdict.
 - No Markdown output behavior changes.
 - No SARIF output behavior changes.
 - No workflow changes.
-- No package version bump.
-- No release tag or GitHub Release creation in this PR.
 - No PyPI/TestPyPI publishing.
 - No production PyPI workflow.
 - No CVE lookup or CVE resolution.
diff --git a/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif b/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
index 73c2365..fed303c 100644
--- a/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
+++ b/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
@@ -7,8 +7,8 @@
 "driver": {
 "name": "sbom-diff-risk",
 "fullName": "sbom-diff-risk",
- "version": "0.6.0",
- "semanticVersion": "0.6.0",
+ "version": "0.7.0",
+ "semanticVersion": "0.7.0",
 "rules": [
 {
 "id": "sdr.policy_violation.provenance_required",
diff --git a/tools/sbom-diff-and-risk/examples/sample-sarif.sarif b/tools/sbom-diff-and-risk/examples/sample-sarif.sarif
index 8821102..7b05db1 100644
--- a/tools/sbom-diff-and-risk/examples/sample-sarif.sarif
+++ b/tools/sbom-diff-and-risk/examples/sample-sarif.sarif
@@ -7,8 +7,8 @@
 "driver": {
 "name": "sbom-diff-risk",
 "fullName": "sbom-diff-risk",
- "version": "0.6.0",
- "semanticVersion": "0.6.0",
+ "version": "0.7.0",
+ "semanticVersion": "0.7.0",
 "rules": [
 {
 "id": "sdr.major_upgrade",
diff --git a/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif b/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif
index 0dcff3b..20de686 100644
--- a/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif
+++ b/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif
@@ -7,8 +7,8 @@
 "driver": {
 "name": "sbom-diff-risk",
 "fullName": "sbom-diff-risk",
- "version": "0.6.0",
- "semanticVersion": "0.6.0",
+ "version": "0.7.0",
+ "semanticVersion": "0.7.0",
 "rules": [
 {
 "id": "sdr.policy_violation.scorecard_below_threshold",
diff --git a/tools/sbom-diff-and-risk/pyproject.toml b/tools/sbom-diff-and-risk/pyproject.toml
index 1f4920f..bc0ca25 100644
--- a/tools/sbom-diff-and-risk/pyproject.toml
+++ b/tools/sbom-diff-and-risk/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "sbom-diff-and-risk"
-version = "0.6.0"
+version = "0.7.0"
 description = "Deterministic SBOM diff CLI with heuristic risk reporting."
 readme = { file = "PYPI_DESCRIPTION.md", content-type = "text/markdown" }
 requires-python = ">=3.11"
diff --git a/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py b/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
index d10344c..7154c3a 100644
--- a/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
+++ b/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
@@ -2,4 +2,4 @@ __all__ = ["__version__"]
-__version__ = "0.6.0"
+__version__ = "0.7.0"