diff --git a/README.md b/README.md index 68b0b95..d52917f 100644 --- a/README.md +++ b/README.md @@ -32,18 +32,19 @@ Project: [`sbom-diff-and-risk`](tools/sbom-diff-and-risk/README.md) Status: -Released at `v0.7.0`. +Released at `v0.8.0`. What to review: Deterministic SBOM/dependency diffing, JSON/Markdown/SARIF output, local policy -checks, optional provenance and Scorecard evidence. +checks, policy decision explainability, optional provenance and Scorecard +evidence. Useful entry points: - [`sbom-diff-and-risk` README](tools/sbom-diff-and-risk/README.md) - [Reviewer brief](tools/sbom-diff-and-risk/docs/reviewer-brief.md) - [Reviewer evidence pack](tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md) -- [v0.7.0 release notes][release-notes-v070] +- [v0.8.0 release notes][release-notes-v080] - [Examples](tools/sbom-diff-and-risk/examples/) ## Verification and Release Evidence @@ -79,17 +80,17 @@ publishing is intentionally deferred. 1. Read the [`sbom-diff-and-risk` reviewer brief](tools/sbom-diff-and-risk/docs/reviewer-brief.md). 2. Skim the [`sbom-diff-and-risk` README](tools/sbom-diff-and-risk/README.md) for CLI scope and examples. -3. Check the [v0.7.0 release notes][release-notes-v070]. +3. Check the [v0.8.0 release notes][release-notes-v080]. 4. Use the [verification guide](tools/sbom-diff-and-risk/docs/verification.md) to choose the right provenance check. 5. Inspect the [examples](tools/sbom-diff-and-risk/examples/) for sample reports and policy files. ## Status -- Current flagship release: `sbom-diff-and-risk` `v0.7.0` -- GitHub Release assets: available for `v0.7.0` +- Current flagship release: `sbom-diff-and-risk` `v0.8.0` +- GitHub Release assets: available for `v0.8.0` - TestPyPI Trusted Publishing dry-run: completed - Production PyPI publishing: intentionally deferred -[release-notes-v070]: tools/sbom-diff-and-risk/RELEASE_NOTES_v0.7.0.md +[release-notes-v080]: tools/sbom-diff-and-risk/RELEASE_NOTES_v0.8.0.md 
diff --git a/tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md b/tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md index 314af1b..6ac5604 100644 --- a/tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md +++ b/tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md @@ -50,15 +50,15 @@ jobs: GH_TOKEN: ${{ github.token }} run: | mkdir -p .tooling/sbom-diff-risk - gh release download v0.7.0 \ + gh release download v0.8.0 \ --repo stacknil/scientific-computing-toolkit \ - --pattern "sbom_diff_and_risk-0.7.0-py3-none-any.whl" \ + --pattern "sbom_diff_and_risk-0.8.0-py3-none-any.whl" \ --dir .tooling/sbom-diff-risk - name: Install sbom-diff-risk run: | python -m pip install \ - .tooling/sbom-diff-risk/sbom_diff_and_risk-0.7.0-py3-none-any.whl + .tooling/sbom-diff-risk/sbom_diff_and_risk-0.8.0-py3-none-any.whl - name: Compare dependency evidence run: | diff --git a/tools/sbom-diff-and-risk/docs/reviewer-brief.md b/tools/sbom-diff-and-risk/docs/reviewer-brief.md index 78c8de8..30d6ee6 100644 --- a/tools/sbom-diff-and-risk/docs/reviewer-brief.md +++ b/tools/sbom-diff-and-risk/docs/reviewer-brief.md @@ -4,7 +4,7 @@ `sbom-diff-and-risk` is a local CLI for comparing two SBOMs or dependency manifests and producing deterministic review artifacts: JSON, Markdown, and SARIF. It is built for conservative supply-chain review, not for vulnerability scanning or package reputation scoring. -Current released version: `v0.7.0`. +Current released version: `v0.8.0`. ## Why this project matters diff --git a/tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md b/tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md index ec3d0b9..b2bed79 100644 --- a/tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md +++ b/tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md 
@@ -6,7 +6,7 @@ This page is a reproducible evidence checklist for reviewing `sbom-diff-and-risk `sbom-diff-and-risk` is a local-first deterministic CLI for comparing SBOMs and dependency manifests. It is designed to produce stable review evidence for dependency changes. -Current released version: `v0.7.0`. +Current released version: `v0.8.0`. Core identity: @@ -89,19 +89,19 @@ For CI dashboard, job-summary, and local-threshold examples that consume ## Release Verification Path -Start with the GitHub Release for the version under review. For `v0.7.0`, +Start with the GitHub Release for the version under review. For `v0.8.0`, inspect the release and assets: ```powershell -gh release view v0.7.0 ` +gh release view v0.8.0 ` --repo stacknil/scientific-computing-toolkit ` --json tagName,name,isDraft,isPrerelease,assets,url ``` Expected release assets: -- `sbom_diff_and_risk-0.7.0-py3-none-any.whl` -- `sbom_diff_and_risk-0.7.0.tar.gz` +- `sbom_diff_and_risk-0.8.0-py3-none-any.whl` +- `sbom_diff_and_risk-0.8.0.tar.gz` - `sbom-diff-and-risk-SHA256SUMS.txt` The checksum manifest checks local downloaded distribution bytes before or alongside provenance verification: @@ -132,13 +132,13 @@ For workflow-built artifacts downloaded from a trusted workflow run, verify artifact attestations with the signer workflow: ```powershell -gh attestation verify path/to/sbom_diff_and_risk-0.7.0-py3-none-any.whl ` +gh attestation verify path/to/sbom_diff_and_risk-0.8.0-py3-none-any.whl ` --repo stacknil/scientific-computing-toolkit ` --signer-workflow stacknil/scientific-computing-toolkit/.github/workflows/sbom-diff-and-risk-ci.yml ``` ```powershell -gh attestation verify path/to/sbom_diff_and_risk-0.7.0.tar.gz ` +gh attestation verify path/to/sbom_diff_and_risk-0.8.0.tar.gz ` --repo stacknil/scientific-computing-toolkit ` --signer-workflow stacknil/scientific-computing-toolkit/.github/workflows/sbom-diff-and-risk-ci.yml ``` 
@@ -148,15 +148,15 @@ releases. Use them only when the repository release is immutable and GitHub has generated release attestations: ```powershell -gh release view v0.7.0 --repo stacknil/scientific-computing-toolkit --json isImmutable,assets,url +gh release view v0.8.0 --repo stacknil/scientific-computing-toolkit --json isImmutable,assets,url ``` If `isImmutable` is true, release verification can check the release record and downloaded release assets: ```powershell -gh release verify v0.7.0 --repo stacknil/scientific-computing-toolkit -gh release verify-asset v0.7.0 path/to/sbom_diff_and_risk-0.7.0-py3-none-any.whl --repo stacknil/scientific-computing-toolkit +gh release verify v0.8.0 --repo stacknil/scientific-computing-toolkit +gh release verify-asset v0.8.0 path/to/sbom_diff_and_risk-0.8.0-py3-none-any.whl --repo stacknil/scientific-computing-toolkit ``` If `isImmutable` is false, use the workflow artifact attestation path as the primary artifact verification story. diff --git a/tools/sbom-diff-and-risk/examples/github-actions-consumer.yml b/tools/sbom-diff-and-risk/examples/github-actions-consumer.yml index 383612e..b33acde 100644 --- a/tools/sbom-diff-and-risk/examples/github-actions-consumer.yml +++ b/tools/sbom-diff-and-risk/examples/github-actions-consumer.yml @@ -31,15 +31,15 @@ jobs: GH_TOKEN: ${{ github.token }} run: | mkdir -p .tooling/sbom-diff-risk - gh release download v0.7.0 \ + gh release download v0.8.0 \ --repo stacknil/scientific-computing-toolkit \ - --pattern "sbom_diff_and_risk-0.7.0-py3-none-any.whl" \ + --pattern "sbom_diff_and_risk-0.8.0-py3-none-any.whl" \ --dir .tooling/sbom-diff-risk - name: Install sbom-diff-risk run: | python -m pip install \ - .tooling/sbom-diff-risk/sbom_diff_and_risk-0.7.0-py3-none-any.whl + .tooling/sbom-diff-risk/sbom_diff_and_risk-0.8.0-py3-none-any.whl - name: Compare dependency evidence run: |
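Review bot: in the README "What to review" hunk, the new "policy decision explainability" item has no corresponding link under "Useful entry points", so a reviewer reading this line has nowhere to go to see what the explainability output looks like. Either add an entry point (a doc page or an example report under `tools/sbom-diff-and-risk/examples/`) or drop the phrase from the summary until one exists; the `v0.8.0` release notes link alone does not tell the reader where the feature is documented.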
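Review bot: in the README "Status" hunk, the flagship release and GitHub Release assets lines are now pinned to `v0.8.0`, but `- TestPyPI Trusted Publishing dry-run: completed` carries no version, so it is ambiguous whether the dry-run was repeated for `v0.8.0` or is the `v0.7.0` result left in place. State the version the dry-run covers, for example `TestPyPI Trusted Publishing dry-run: completed for v0.8.0`, or note explicitly that it was not re-run.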
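Review bot: in the `github-actions-consumer-example.md` hunk, the workflow goes straight from `gh release download v0.8.0 ... --pattern "sbom_diff_and_risk-0.8.0-py3-none-any.whl"` to `python -m pip install .tooling/sbom-diff-risk/sbom_diff_and_risk-0.8.0-py3-none-any.whl` with no integrity or provenance check in between. The tag name and the `--pattern` glob are the only things that select the artifact, and a tag can be moved unless the release is immutable. Since this same changeset documents `sbom-diff-and-risk-SHA256SUMS.txt` and `gh attestation verify ... --signer-workflow stacknil/scientific-computing-toolkit/.github/workflows/sbom-diff-and-risk-ci.yml` in the evidence pack, the consumer example should run one of those checks on the downloaded wheel before the install step and fail the job if it does not pass; otherwise the example teaches consumers to skip the verification story the project itself describes.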
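Review bot: in the `reviewer-evidence-pack.md` "Release Verification Path" hunk, the sentence "The checksum manifest checks local downloaded distribution bytes before or alongside provenance verification" overstates what `sbom-diff-and-risk-SHA256SUMS.txt` provides. The manifest is served from the same release as the wheel and sdist it covers, so it detects a corrupted or mismatched download but not a release whose assets and manifest were both replaced. Say that plainly, and point out that the `gh attestation verify` step in the next section is what establishes trust in the bytes. Also note the manifest name is unversioned, so a reviewer keeping `v0.7.0` and `v0.8.0` assets in one directory will silently overwrite one with the other.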
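Review bot: in the `gh attestation verify` hunk, both commands pin `--repo` and `--signer-workflow`, which binds the artifact to the CI workflow but not to the `v0.8.0` tag; an attestation produced by the same workflow for a different ref would also pass. Add a sentence telling the reviewer to inspect the verification output and confirm the attested source commit or ref matches the `v0.8.0` release they downloaded from, so the two commands are not read as a complete version check on their own.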
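Review bot: in the immutable-release hunk, `gh release verify-asset v0.8.0 path/to/sbom_diff_and_risk-0.8.0-py3-none-any.whl` is shown only for the wheel, while the preceding attestation section verifies both the wheel and `sbom_diff_and_risk-0.8.0.tar.gz`. Add the matching `verify-asset` line for the sdist so the two verification paths cover the same set of expected release assets, and consider a sentence reminding the reviewer that `gh release verify` checks the release record, while `verify-asset` is what binds the bytes on disk to it.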
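Review bot: the `examples/github-actions-consumer.yml` hunk is a verbatim copy of the snippet in `docs/github-actions-consumer-example.md`, and this version bump had to be applied by hand in both places (the `gh release download`, `--pattern`, and `pip install` lines). That is how the two drift; either make the doc page link to the example file rather than restating it, or add a CI check that the two stay in sync. The same gap applies here as in the doc copy: the wheel is installed straight from `gh release download v0.8.0` with no checksum or `gh attestation verify` step, so the shipped example should include the verification the evidence pack describes before `python -m pip install`.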