[codex] Release sbom-diff-and-risk v0.4.1

Author: stacknil

tools/sbom-diff-and-risk/README.md

@@ -1,6 +1,6 @@
 # sbom-diff-and-risk
 
-v0.4.0 focuses on release/distribution provenance hardening while keeping dependency analysis local and deterministic by default. It clarifies how consumers verify `sbom-diff-and-risk` itself through workflow-built artifacts and GitHub Release assets, and it documents PyPI Trusted Publishing readiness without enabling PyPI publishing yet.
+v0.4.1 is a narrow release-only follow-up that validates the repaired tag-path GitHub Release asset publishing flow. It keeps dependency analysis local and deterministic by default and does not change CLI analysis behavior.
 
 `sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
 

tools/sbom-diff-and-risk/RELEASE_NOTES_v0.4.1.md

@@ -0,0 +1,5 @@
+# v0.4.1
+
+- release asset automation fix
+- tag-path release publishing validation
+- no CLI analysis changes

tools/sbom-diff-and-risk/docs/pypi-trusted-publishing-readiness.md

@@ -33,7 +33,7 @@ The main blockers are packaging and release-readiness concerns, not OIDC support
    - a pending publisher for a new `sbom-diff-and-risk` project, or
    - a trusted publisher entry on an existing PyPI project
 4. PyPI release sequencing is still intentionally deferred.
-   The repository now builds version `0.4.0` and has GitHub-hosted release hardening in place, but PyPI publishing is still not enabled in this repository flow.
+   The repository now builds version `0.4.1` and has GitHub-hosted release hardening in place, but PyPI publishing is still not enabled in this repository flow.
 
 Because of those gaps, enabling a publish job now would create a fragile or misleading path.
 
@@ -78,7 +78,7 @@ python -m twine check $files
 
 ### 2. Decide the first PyPI-published version and release sequence
 
-- Decide whether the first PyPI upload should be `0.4.0` or a later release.
+- Decide whether the first PyPI upload should be `0.4.1` or a later release.
 - Ensure the tag, package version, release notes, GitHub Release assets, and PyPI upload plan all refer to the same version.
 
 ### 3. Configure PyPI-side Trusted Publishing

tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif

@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.4.0",
-          "semanticVersion": "0.4.0",
+          "version": "0.4.1",
+          "semanticVersion": "0.4.1",
           "rules": [
             {
               "id": "sdr.policy_violation.provenance_required",

tools/sbom-diff-and-risk/examples/sample-sarif.sarif

@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.4.0",
-          "semanticVersion": "0.4.0",
+          "version": "0.4.1",
+          "semanticVersion": "0.4.1",
           "rules": [
             {
               "id": "sdr.major_upgrade",

tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif

@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.4.0",
-          "semanticVersion": "0.4.0",
+          "version": "0.4.1",
+          "semanticVersion": "0.4.1",
           "rules": [
             {
               "id": "sdr.policy_violation.scorecard_below_threshold",

tools/sbom-diff-and-risk/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "sbom-diff-and-risk"
-version = "0.4.0"
+version = "0.4.1"
 description = "Local, deterministic SBOM diff and heuristic risk reporting."
 readme = "README.md"
 requires-python = ">=3.11"

tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py

@@ -2,4 +2,4 @@
 
 __all__ = ["__version__"]
 
-__version__ = "0.4.0"
+__version__ = "0.4.1"