
[codex] Release sbom-diff-and-risk v0.6.0#30

Merged
stacknil merged 1 commit into main from codex/release-sbom-diff-risk-v060
May 1, 2026

Conversation


@stacknil stacknil commented May 1, 2026

Brief Design Summary

This PR prepares the sbom-diff-and-risk v0.6.0 GitHub Release.

The release theme is machine-readable report consumption and summary-output usability. It aligns package metadata, runtime version, SARIF sample metadata, README release narrative, and release notes with 0.6.0.

This PR does not change runtime behavior. It does not add production PyPI publishing, does not modify workflows, and does not publish to PyPI/TestPyPI.

Files Changed

  • tools/sbom-diff-and-risk/pyproject.toml
  • tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
  • tools/sbom-diff-and-risk/README.md
  • tools/sbom-diff-and-risk/RELEASE_NOTES_v0.6.0.md
  • tools/sbom-diff-and-risk/examples/sample-sarif.sarif
  • tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
  • tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif

Validation

cd tools/sbom-diff-and-risk
python -m pytest
python -m build
$files = Get-ChildItem dist -File | ForEach-Object { $_.FullName }
python -m twine check $files
git diff --check

Results:

  • python -m pytest: 153 passed
  • build produced:
    • sbom_diff_and_risk-0.6.0.tar.gz
    • sbom_diff_and_risk-0.6.0-py3-none-any.whl
  • twine check: passed for wheel and sdist
  • git diff --check: passed
  • package metadata version is 0.6.0
  • runtime __version__ is 0.6.0
  • SARIF sample tool metadata is 0.6.0
  • no production PyPI workflow exists
  • production PyPI remains intentionally deferred

Release Steps After Merge

git checkout main
git pull --ff-only
git tag v0.6.0
git push origin v0.6.0

Then verify the tag-gated workflow:

  • test: success
  • build-and-attest: success
  • publish-release-assets: success
  • GitHub Release v0.6.0 exists
  • release assets include:
    • sbom_diff_and_risk-0.6.0-py3-none-any.whl
    • sbom_diff_and_risk-0.6.0.tar.gz
    • sbom-diff-and-risk-SHA256SUMS.txt
  • downloaded assets match SHA256SUMS
  • gh attestation verify succeeds for wheel/sdist if attestations are available
  • production PyPI remains absent/deferred

Out of Scope

  • No runtime behavior changes
  • No CLI behavior changes beyond already-merged --summary-json
  • No Markdown/SARIF behavior changes beyond version metadata
  • No workflow changes
  • No production PyPI workflow
  • No PyPI/TestPyPI publishing
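
The PR description lists two checks that are done by hand: that the pyproject version, runtime `__version__` and SARIF sample tool version all read 0.6.0, and that downloaded release assets match `sbom-diff-and-risk-SHA256SUMS.txt`. The following is an added example, not code from the sbom-diff-and-risk project, that turns both into functions a release job could run. It assumes a static `version = "..."` line in pyproject.toml, a literal `__version__` string in `__init__.py`, and the standard `sha256sum` output format for the checksum file; the file contents it checks are constructed stand-ins, not the real release artifacts.

```python
"""Added example for this release PR, not code from the sbom-diff-and-risk project:
the version-alignment and SHA256SUMS checks the PR lists as manual validation,
written as functions. All file contents below are constructed stand-ins."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Assumes a static `version = "..."` in pyproject.toml and a literal __version__ string.
PYPROJECT_VERSION = re.compile(r'^version\s*=\s*"([^"]+)"', re.MULTILINE)
DUNDER_VERSION = re.compile(r'^__version__\s*=\s*"([^"]+)"', re.MULTILINE)
HEX64 = re.compile(r"[0-9a-f]{64}")


def release_versions(pyproject: str, init_py: str, sarif_text: str) -> dict:
    """Collect the version strings that must agree before the release is tagged."""
    pv = PYPROJECT_VERSION.search(pyproject)
    dv = DUNDER_VERSION.search(init_py)
    # SARIF 2.1.0 records the producing tool's version at runs[].tool.driver.version.
    tool_versions = {run["tool"]["driver"].get("version")
                     for run in json.loads(sarif_text)["runs"]}
    return {
        "pyproject": pv.group(1) if pv else None,
        "__version__": dv.group(1) if dv else None,
        "sarif": tool_versions.pop() if len(tool_versions) == 1 else None,
    }


def versions_aligned(expected: str, versions: dict) -> bool:
    """True only if every source reports exactly the expected release version."""
    return all(v == expected for v in versions.values())


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum output (`<hex>  <name>`, optional '*' marking binary mode)."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        digest = digest.lower()
        if not sep or not name or not HEX64.fullmatch(digest):
            raise ValueError(f"malformed SHA256SUMS line: {raw!r}")
        sums[name.lstrip("*")] = digest
    return sums


def verify_assets(asset_dir: Path, sums_name: str) -> dict:
    """Hash every listed asset; report mismatches, missing files and unlisted extras.

    Unlisted files matter: the directory is only trustworthy if the checksum
    file covers everything that is about to be installed.
    """
    sums = parse_sha256sums((asset_dir / sums_name).read_text())
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    for name, expected in sums.items():
        path = asset_dir / name
        if not path.is_file():
            report["missing"].append(name)
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        report["ok" if h.hexdigest() == expected else "mismatch"].append(name)
    for p in asset_dir.iterdir():
        if p.is_file() and p.name != sums_name and p.name not in sums:
            report["unlisted"].append(p.name)
    return {k: sorted(v) for k, v in report.items()}


def demo() -> dict:
    """Run both checks against a constructed release directory and return the results."""
    pyproject = '[project]\nname = "sbom-diff-and-risk"\nversion = "0.6.0"\n'
    init_py = '__version__ = "0.6.0"\n'
    sarif = json.dumps({"version": "2.1.0", "runs": [
        {"tool": {"driver": {"name": "sbom-diff-and-risk", "version": "0.6.0"}}, "results": []}]})
    versions = release_versions(pyproject, init_py, sarif)

    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        whl = d / "sbom_diff_and_risk-0.6.0-py3-none-any.whl"
        sdist = d / "sbom_diff_and_risk-0.6.0.tar.gz"
        whl.write_bytes(b"constructed wheel bytes")
        sdist.write_bytes(b"constructed sdist bytes")
        lines = [f"{hashlib.sha256(p.read_bytes()).hexdigest()}  {p.name}" for p in (whl, sdist)]
        lines.append(f"{'0' * 64}  sbom_diff_and_risk-0.6.0-never-built.whl")  # listed but absent
        (d / "sbom-diff-and-risk-SHA256SUMS.txt").write_text("\n".join(lines) + "\n")
        sdist.write_bytes(b"tampered after the checksums were generated")  # forces a mismatch
        (d / "stray.txt").write_bytes(b"not covered by the checksum file")  # unlisted extra
        assets = verify_assets(d, "sbom-diff-and-risk-SHA256SUMS.txt")

    return {"versions": versions, "aligned": versions_aligned("0.6.0", versions), "assets": assets}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real release directory, call `verify_assets` on the downloaded assets and fail the job on any non-empty `mismatch`, `missing` or `unlisted` list; the checksum file only proves the assets are the ones the workflow hashed, so the `gh attestation verify` step the PR lists remains the separate check that ties them to the build.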


@stacknil stacknil left a comment


Reviewed. Scope is clean.

This release PR only aligns v0.6.0 metadata, runtime version, SARIF sample metadata, README release narrative, and release notes.

Confirmed boundaries:

  • no runtime behavior change
  • no workflow change
  • no production PyPI workflow
  • no PyPI/TestPyPI publish
  • production PyPI remains intentionally deferred

Approved to merge once the required review gate is satisfied.

@stacknil stacknil merged commit 1bbaabc into main May 1, 2026
9 checks passed
@stacknil stacknil deleted the codex/release-sbom-diff-risk-v060 branch May 1, 2026 11:29
