
[codex] Release sbom-diff-and-risk v0.8.0#47

Merged
stacknil merged 1 commit into main from codex/release-sbom-diff-risk-v080
May 9, 2026

Conversation

@stacknil
Owner

@stacknil stacknil commented May 9, 2026

Brief Design Summary

This PR prepares the sbom-diff-and-risk v0.8.0 GitHub Release.

The release theme is policy decision explainability for machine-readable JSON reports. It aligns package metadata, runtime version, SARIF sample metadata, README release narrative, and release notes with 0.8.0.

This PR does not change runtime behavior. It does not add production PyPI publishing, does not modify workflows, and does not publish to PyPI/TestPyPI.

Files Changed

  • tools/sbom-diff-and-risk/pyproject.toml
  • tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
  • tools/sbom-diff-and-risk/README.md
  • tools/sbom-diff-and-risk/RELEASE_NOTES_v0.8.0.md
  • tools/sbom-diff-and-risk/examples/sample-sarif.sarif
  • tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
  • tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif

Validation

cd tools/sbom-diff-and-risk
python -m pytest
python -m build
$files = Get-ChildItem dist -File | ForEach-Object { $_.FullName }
python -m twine check $files
git diff --check

Results:

  • python -m pytest: 157 passed
  • build produced sbom_diff_and_risk-0.8.0.tar.gz
  • build produced sbom_diff_and_risk-0.8.0-py3-none-any.whl
  • twine check: passed for wheel and sdist
  • git diff --check: passed
  • package metadata version is 0.8.0
  • runtime __version__ is 0.8.0
  • SARIF sample tool metadata is 0.8.0
  • no production PyPI workflow exists
  • production PyPI remains intentionally deferred

Release Steps After Merge

git checkout main
git pull --ff-only
git tag v0.8.0
git push origin v0.8.0

Then verify the tag-gated workflow:

  • test: success
  • build-and-attest: success
  • publish-release-assets: success
  • GitHub Release v0.8.0 exists
  • release assets include wheel, sdist, and sbom-diff-and-risk-SHA256SUMS.txt
  • downloaded assets match SHA256SUMS
  • gh attestation verify succeeds for wheel/sdist if attestations are available
  • production PyPI remains absent/deferred

Out of Scope

  • No runtime behavior changes
  • No CLI behavior changes
  • No Markdown/SARIF behavior changes beyond version metadata
  • No workflow changes
  • No production PyPI workflow
  • No PyPI/TestPyPI publishing
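For the post-merge step "downloaded assets match SHA256SUMS", here is an added example of that check; it is not code from the sbom-diff-and-risk project. It assumes the sums file uses the sha256sum line format (`<hex digest>  <filename>`, optionally with `*` before the name) and that the assets and the sums file were downloaded into one directory; the `gh attestation verify` step is separate and not covered here.

```python
import hashlib
from pathlib import Path

SUMS_FILENAME = "sbom-diff-and-risk-SHA256SUMS.txt"  # asset name from the release checklist

def parse_sha256sums(text: str) -> dict[str, str]:
    """Map asset filename -> expected hex digest from sha256sum-style lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        expected[name] = digest.lower()
    return expected


def sha256_file(path: Path) -> str:
    """Hash in chunks so a large wheel or sdist is not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_assets(asset_dir: Path) -> dict[str, str]:
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'} for asset_dir."""
    expected = parse_sha256sums((asset_dir / SUMS_FILENAME).read_text())
    results = {}
    for name, digest in expected.items():
        path = asset_dir / name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(path) == digest else "mismatch"
    # Extra files are flagged: an artifact the sums file does not cover is never
    # treated as a release asset just because it sits next to verified ones.
    for path in asset_dir.iterdir():
        if path.is_file() and path.name != SUMS_FILENAME and path.name not in expected:
            results[path.name] = "unlisted"
    return results


def all_verified(results: dict[str, str]) -> bool:
    """True only when at least one asset was listed and every entry is 'ok'."""
    return bool(results) and all(status == "ok" for status in results.values())
```

Run `verify_assets(Path("downloads"))` on the directory holding the wheel, sdist and sums file, and treat anything other than `all_verified(...) == True` as a failed release check.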

@stacknil stacknil merged commit 68135e2 into main May 9, 2026
9 checks passed
@stacknil stacknil deleted the codex/release-sbom-diff-risk-v080 branch May 9, 2026 14:31