stacknil · stacknil · May 9, 2026 · May 9, 2026
diff --git a/tools/sbom-diff-and-risk/README.md b/tools/sbom-diff-and-risk/README.md
@@ -1,6 +1,11 @@
 # sbom-diff-and-risk
 
-v0.7.0 is the consumer integration usability release. It adds CI-facing documentation and checked-in examples for consuming `summary.json`, using local thresholds, and running `sbom-diff-risk` from a consumer GitHub Actions workflow. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
+v0.8.0 is the policy decision explainability release. It adds stable
+machine-readable explanation fields for JSON policy findings and reviewer
+documentation for interpreting local policy decisions. It keeps CLI analysis
+behavior unchanged, keeps dependency analysis local and deterministic by
+default, preserves the completed TestPyPI dry-run story, and keeps production
+PyPI publishing intentionally deferred.
 
 `sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
 

diff --git a/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.8.0.md b/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.8.0.md
@@ -11,10 +11,6 @@ reports and reviewer documentation. It keeps the dependency diff model,
 existing CLI flags, Markdown output behavior, SARIF output behavior, workflows,
 release tags, and publishing status unchanged.
 
-This file is a draft release note. Drafting this file does not bump the package
-version, create a tag, create a GitHub Release, publish to TestPyPI, or publish
-to production PyPI.
-
 ## Highlights
 
 - Added stable policy decision explanation fields to JSON policy findings.
@@ -85,10 +81,12 @@ production PyPI Trusted Publishing provenance answer different trust questions.
 
 ## Distribution status
 
-- The latest published GitHub Release remains `v0.7.0` until `v0.8.0` is
-  intentionally tagged and released.
-- This draft does not publish to TestPyPI.
-- This draft does not publish to production PyPI.
+- The `v0.8.0` GitHub Release is expected to be created from the tag-gated
+  release workflow.
+- Release assets are expected to include the wheel, source distribution, and
+  `sbom-diff-and-risk-SHA256SUMS.txt`.
+- This release does not publish to TestPyPI.
+- This release does not publish to production PyPI.
 - Production PyPI publishing remains intentionally deferred.
 - No production PyPI workflow is added.
 
@@ -98,8 +96,6 @@ production PyPI Trusted Publishing provenance answer different trust questions.
 - No Markdown output behavior changes.
 - No SARIF output behavior changes.
 - No workflow changes.
-- No package version bump in this draft PR.
-- No tag or GitHub Release in this draft PR.
 - No PyPI/TestPyPI publishing.
 - No production PyPI workflow.
 - No hidden network behavior.

diff --git a/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif b/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.7.0",
-          "semanticVersion": "0.7.0",
+          "version": "0.8.0",
+          "semanticVersion": "0.8.0",
           "rules": [
             {
               "id": "sdr.policy_violation.provenance_required",

diff --git a/tools/sbom-diff-and-risk/examples/sample-sarif.sarif b/tools/sbom-diff-and-risk/examples/sample-sarif.sarif
@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.7.0",
-          "semanticVersion": "0.7.0",
+          "version": "0.8.0",
+          "semanticVersion": "0.8.0",
           "rules": [
             {
               "id": "sdr.major_upgrade",

diff --git a/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif b/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif
@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.7.0",
-          "semanticVersion": "0.7.0",
+          "version": "0.8.0",
+          "semanticVersion": "0.8.0",
           "rules": [
             {
               "id": "sdr.policy_violation.scorecard_below_threshold",

diff --git a/tools/sbom-diff-and-risk/pyproject.toml b/tools/sbom-diff-and-risk/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "sbom-diff-and-risk"
-version = "0.7.0"
+version = "0.8.0"
 description = "Deterministic SBOM diff CLI with heuristic risk reporting."
 readme = { file = "PYPI_DESCRIPTION.md", content-type = "text/markdown" }
 requires-python = ">=3.11"

diff --git a/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py b/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
@@ -2,4 +2,4 @@
 
 __all__ = ["__version__"]
 
-__version__ = "0.7.0"
+__version__ = "0.8.0"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,4 +2,4 @@

		__all__ = ["__version__"]

		__version__ = "0.7.0"
		__version__ = "0.8.0"