From 36466a22f8904a6e4d079a4a7db709e0cf0bbf20 Mon Sep 17 00:00:00 2001
From: stacknil
Date: Fri, 1 May 2026 17:33:25 +0800
Subject: [PATCH] release sbom-diff-and-risk v0.6.0

---
 tools/sbom-diff-and-risk/README.md | 2 +-
 .../sbom-diff-and-risk/RELEASE_NOTES_v0.6.0.md | 17 ++++++++---------
 .../examples/sample-provenance-report.sarif | 4 ++--
 .../examples/sample-sarif.sarif | 4 ++--
 .../examples/sample-scorecard-report.sarif | 4 ++--
 tools/sbom-diff-and-risk/pyproject.toml | 2 +-
 .../src/sbom_diff_risk/__init__.py | 2 +-
 7 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/tools/sbom-diff-and-risk/README.md b/tools/sbom-diff-and-risk/README.md
index 4138327..11125f6 100644
--- a/tools/sbom-diff-and-risk/README.md
+++ b/tools/sbom-diff-and-risk/README.md
@@ -1,6 +1,6 @@
 # sbom-diff-and-risk
-v0.5.1 is a release-only maintenance update for the GitHub Release checksum manifest path. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
+v0.6.0 is the machine-readable report consumption release. It documents the stable JSON `summary` contract, adds report schema guidance, and includes optional `--summary-json PATH` output for consumers that only need `report.json["summary"]`. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
 `sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
diff --git a/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.6.0.md b/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.6.0.md
index fa65686..8e9a974 100644
--- a/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.6.0.md
+++ b/tools/sbom-diff-and-risk/RELEASE_NOTES_v0.6.0.md
@@ -1,12 +1,12 @@
-# sbom-diff-and-risk v0.6.0 draft release notes
+# sbom-diff-and-risk v0.6.0
-These are draft release notes for the planned `v0.6.0` release. This PR does not tag or publish `v0.6.0`, does not create a GitHub Release, and does not publish to PyPI or TestPyPI.
+`v0.6.0` is the machine-readable report consumption and summary-output usability release.
 ## Theme
 Machine-readable report consumption and summary-output usability.
-`v0.6.0` focuses on making the existing JSON report easier to consume from automation without changing the core dependency diff model, Markdown output, SARIF output, workflows, package version, or publishing status.
+`v0.6.0` focuses on making the existing JSON report easier to consume from automation without changing the core dependency diff model, Markdown output, SARIF output, workflows, or publishing status.
 ## Highlights
@@ -52,11 +52,11 @@ These surfaces remain distinct: GitHub workflow artifact attestations, GitHub Re
 ## Distribution status
-- Latest GitHub Release remains `v0.5.1` until a future release PR creates the `v0.6.0` tag and release.
-- This PR does not tag or publish `v0.6.0`.
-- This PR does not create a GitHub Release.
-- This PR does not publish to TestPyPI.
-- This PR does not publish to production PyPI.
+- The `v0.6.0` GitHub Release is expected to be created from the tag-gated release workflow.
+- Release assets are expected to include the wheel, source distribution, and `sbom-diff-and-risk-SHA256SUMS.txt`.
+- TestPyPI Trusted Publishing dry-run validation remains documented as pre-production evidence.
+- This release does not publish to TestPyPI.
+- This release does not publish to production PyPI.
 - Production PyPI remains intentionally deferred.
 ## Not in this release
@@ -64,7 +64,6 @@ These surfaces remain distinct: GitHub workflow artifact attestations, GitHub Re
 - No Markdown output behavior changed.
 - No SARIF behavior changed.
 - No workflow behavior changed.
-- No package version bump is included in this draft-notes PR.
 - No production PyPI workflow is added.
 - No hidden network behavior was added.
 - No CVE lookup or CVE resolution was added.
diff --git a/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif b/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
index edd83ff..73c2365 100644
--- a/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
+++ b/tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
@@ -7,8 +7,8 @@
 "driver": {
 "name": "sbom-diff-risk",
 "fullName": "sbom-diff-risk",
-"version": "0.5.1",
-"semanticVersion": "0.5.1",
+"version": "0.6.0",
+"semanticVersion": "0.6.0",
 "rules": [
 {
 "id": "sdr.policy_violation.provenance_required",
diff --git a/tools/sbom-diff-and-risk/examples/sample-sarif.sarif b/tools/sbom-diff-and-risk/examples/sample-sarif.sarif
index 4b47a5b..8821102 100644
--- a/tools/sbom-diff-and-risk/examples/sample-sarif.sarif
+++ b/tools/sbom-diff-and-risk/examples/sample-sarif.sarif
@@ -7,8 +7,8 @@
 "driver": {
 "name": "sbom-diff-risk",
 "fullName": "sbom-diff-risk",
-"version": "0.5.1",
-"semanticVersion": "0.5.1",
+"version": "0.6.0",
+"semanticVersion": "0.6.0",
 "rules": [
 {
 "id": "sdr.major_upgrade",
diff --git a/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif b/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif
index 5fd9f34..0dcff3b 100644
--- a/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif
+++ b/tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif
@@ -7,8 +7,8 @@
 "driver": {
 "name": "sbom-diff-risk",
 "fullName": "sbom-diff-risk",
-"version": "0.5.1",
-"semanticVersion": "0.5.1",
+"version": "0.6.0",
+"semanticVersion": "0.6.0",
 "rules": [
 {
 "id": "sdr.policy_violation.scorecard_below_threshold",
diff --git a/tools/sbom-diff-and-risk/pyproject.toml b/tools/sbom-diff-and-risk/pyproject.toml
index 256ed6a..1f4920f 100644
--- a/tools/sbom-diff-and-risk/pyproject.toml
+++ b/tools/sbom-diff-and-risk/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "sbom-diff-and-risk"
-version = "0.5.1"
+version = "0.6.0"
 description = "Deterministic SBOM diff CLI with heuristic risk reporting."
 readme = { file = "PYPI_DESCRIPTION.md", content-type = "text/markdown" }
 requires-python = ">=3.11"
diff --git a/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py b/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
index a665cc0..d10344c 100644
--- a/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
+++ b/tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
@@ -2,4 +2,4 @@
 __all__ = ["__version__"]
-__version__ = "0.5.1"
+__version__ = "0.6.0"