stacknil · stacknil · Apr 27, 2026 · Apr 27, 2026
diff --git a/tools/sbom-diff-and-risk/README.md b/tools/sbom-diff-and-risk/README.md
@@ -1,6 +1,6 @@
 # sbom-diff-and-risk
 
-v0.5 PR 5 adds a production PyPI publishing decision gate. Production PyPI publishing remains deferred until the documented prerequisites are complete, dependency analysis stays local and deterministic by default, and CLI analysis behavior is unchanged.
+v0.5.0 is the GitHub Release for the production PyPI decision gate. The TestPyPI dry-run is completed, production PyPI publishing is intentionally deferred, dependency analysis stays local and deterministic by default, and CLI analysis behavior is unchanged.
 
 `sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
 

diff --git a/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.5.0.md b/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.5.0.md
@@ -0,0 +1,34 @@
+# v0.5.0
+
+Theme: production PyPI decision gate
+
+## Highlights
+
+- Added the production PyPI publishing decision gate for `sbom-diff-and-risk`.
+- Confirmed the intended production package name remains `sbom-diff-and-risk`.
+- Documented the future production publisher identity and workflow shape without enabling a production upload path.
+- Clarified that TestPyPI, GitHub workflow artifact attestations, GitHub Release asset verification, and PyPI Trusted Publishing provenance are separate trust surfaces.
+
+## Distribution status
+
+- TestPyPI dry-run completed; production PyPI intentionally deferred.
+- The TestPyPI package exists for version `0.4.1`.
+- The `v0.5.0` release is a GitHub Release and package version bump only.
+- No production PyPI workflow is added in this release.
+- No production PyPI upload is performed by this release.
+
+## Packaging and release alignment
+
+- Bumped the package version to `0.5.0`.
+- Synced `sbom_diff_risk.__version__` with the package metadata.
+- Updated sample SARIF metadata to report `0.5.0`.
+- Updated the README top-level release narrative for the v0.5.0 gate.
+
+## Not in this release
+
+- No analyzer features were added.
+- No SARIF behavior changes were added beyond sample metadata version alignment.
+- No policy behavior changes were added.
+- No hidden network behavior was added.
+- No production PyPI publishing path was enabled.
+
diff --git a/tools/sbom-diff-and-risk/docs/pypi-production-publishing-decision.md b/tools/sbom-diff-and-risk/docs/pypi-production-publishing-decision.md
@@ -11,7 +11,7 @@ PR 5 does not add an enabled production publishing workflow and does not publish
 The production gate is intentionally conservative because:
 
 - the production PyPI project does not currently exist under the intended name
-- the package metadata still declares version `0.4.1`
+- the package metadata has moved to `0.5.0` for the GitHub Release, but production PyPI publishing has not been enabled
 - the first production upload should be a deliberate release version, not an old dry-run version
 - the production PyPI pending publisher or trusted publisher has not been configured
 - the production GitHub environment has not yet been confirmed

diff --git a/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif b/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.4.1",
-          "semanticVersion": "0.4.1",
+          "version": "0.5.0",
+          "semanticVersion": "0.5.0",
           "rules": [
             {
               "id": "sdr.policy_violation.provenance_required",

diff --git a/tools/sbom-diff-and-risk/examples/sample-sarif.sarif b/tools/sbom-diff-and-risk/examples/sample-sarif.sarif
@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.4.1",
-          "semanticVersion": "0.4.1",
+          "version": "0.5.0",
+          "semanticVersion": "0.5.0",
           "rules": [
             {
               "id": "sdr.major_upgrade",

diff --git a/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif b/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif
@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.4.1",
-          "semanticVersion": "0.4.1",
+          "version": "0.5.0",
+          "semanticVersion": "0.5.0",
           "rules": [
             {
               "id": "sdr.policy_violation.scorecard_below_threshold",

diff --git a/tools/sbom-diff-and-risk/pyproject.toml b/tools/sbom-diff-and-risk/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "sbom-diff-and-risk"
-version = "0.4.1"
+version = "0.5.0"
 description = "Deterministic SBOM diff CLI with heuristic risk reporting."
 readme = { file = "PYPI_DESCRIPTION.md", content-type = "text/markdown" }
 requires-python = ">=3.11"

diff --git a/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py b/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
@@ -2,4 +2,4 @@
 
 __all__ = ["__version__"]
 
-__version__ = "0.4.1"
+__version__ = "0.5.0"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -2,4 +2,4 @@

		__all__ = ["__version__"]

		__version__ = "0.4.1"
		__version__ = "0.5.0"