[codex] Release sbom-diff-and-risk v0.7.0

Release sbom-diff-and-risk v0.7.0 metadata and notes for consumer integration usability. No runtime behavior, workflow, production PyPI, or PyPI/TestPyPI publishing changes.

Author: stacknil

tools/sbom-diff-and-risk/README.md

@@ -1,6 +1,6 @@
 # sbom-diff-and-risk
 
-v0.6.0 is the machine-readable report consumption release. It documents the stable JSON `summary` contract, adds report schema guidance, and includes optional `--summary-json PATH` output for consumers that only need `report.json["summary"]`. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
+v0.7.0 is the consumer integration usability release. It adds CI-facing documentation and checked-in examples for consuming `summary.json`, using local thresholds, and running `sbom-diff-risk` from a consumer GitHub Actions workflow. It keeps CLI analysis behavior unchanged, keeps dependency analysis local and deterministic by default, preserves the completed TestPyPI dry-run story, and keeps production PyPI publishing intentionally deferred.
 
 `sbom-diff-and-risk` is a local, deterministic CLI for comparing two SBOMs or dependency manifests and producing JSON plus Markdown reports.
 

tools/sbom-diff-and-risk/RELEASE_NOTES_v0.7.0.md

@@ -1,29 +1,24 @@
 # sbom-diff-and-risk v0.7.0
 
-Draft release notes for `v0.7.0`.
-
-Release notes file: `RELEASE_NOTES_v0.7.0.md`.
-
-This PR only drafts release notes. It does not bump package version, create a
-tag, publish a GitHub Release, or publish to PyPI/TestPyPI.
+`v0.7.0` is the consumer integration usability release.
 
 ## Theme
 
 Consumer integration usability.
 
-`v0.7.0` focuses on consumer-facing examples and CI integration guidance for the
-existing machine-readable summary output. It does not change the core dependency
-diff model, CLI behavior, JSON report schema, Markdown output, SARIF output,
-workflows, release tags, or publishing status.
+`v0.7.0` focuses on consumer-facing examples and CI integration guidance for
+the existing machine-readable summary output. It does not change the core
+dependency diff model, CLI behavior, JSON report schema, Markdown output,
+SARIF output, workflows, release tags, or publishing status.
 
 ## Highlights
 
 - Added a summary JSON CI cookbook in
   [docs/summary-json-ci-cookbook.md](docs/summary-json-ci-cookbook.md).
 - Added a checked-in summary-only example artifact at
   [examples/sample-summary.json](examples/sample-summary.json).
-- Added a consumer-facing GitHub Actions example in
-  [docs/github-actions-consumer-example.md](docs/github-actions-consumer-example.md).
+- Added a consumer-facing GitHub Actions
+  [consumer example](docs/github-actions-consumer-example.md).
 - Documented explicit local thresholding with `summary.json`.
 - Documented a GitHub Release wheel installation path for consumer workflows.
 - Kept production PyPI intentionally deferred.
@@ -45,8 +40,8 @@ and apply local thresholds chosen by the consuming repository.
 
 The GitHub Actions consumer example shows how another repository can install
 `sbom-diff-risk` from GitHub Release assets instead of production PyPI, run
-`compare`, write JSON, Markdown, summary JSON, and SARIF outputs, and upload the
-generated files as CI artifacts.
+`compare`, write JSON, Markdown, summary JSON, and SARIF outputs, and upload
+the generated files as CI artifacts.
 
 `summary.json` thresholding is a local consumer policy choice. It is not a
 built-in dependency safety verdict.
@@ -67,10 +62,12 @@ built-in dependency safety verdict.
 
 ## Distribution status
 
-- The latest published GitHub Release before this draft is `v0.6.0`.
-- This PR does not tag or publish `v0.7.0`.
-- This PR does not publish to TestPyPI.
-- This PR does not publish to production PyPI.
+- The `v0.7.0` GitHub Release is expected to be created from the tag-gated
+  release workflow.
+- Release assets are expected to include the wheel, source distribution, and
+  `sbom-diff-and-risk-SHA256SUMS.txt`.
+- This release does not publish to TestPyPI.
+- This release does not publish to production PyPI.
 - Production PyPI publishing remains intentionally deferred.
 - The GitHub Actions consumer example installs from GitHub Release assets, not
   production PyPI.
@@ -82,8 +79,6 @@ built-in dependency safety verdict.
 - No Markdown output behavior changes.
 - No SARIF output behavior changes.
 - No workflow changes.
-- No package version bump.
-- No release tag or GitHub Release creation in this PR.
 - No PyPI/TestPyPI publishing.
 - No production PyPI workflow.
 - No CVE lookup or CVE resolution.

tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif

@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.6.0",
-          "semanticVersion": "0.6.0",
+          "version": "0.7.0",
+          "semanticVersion": "0.7.0",
           "rules": [
             {
               "id": "sdr.policy_violation.provenance_required",

tools/sbom-diff-and-risk/examples/sample-sarif.sarif

@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.6.0",
-          "semanticVersion": "0.6.0",
+          "version": "0.7.0",
+          "semanticVersion": "0.7.0",
           "rules": [
             {
               "id": "sdr.major_upgrade",

tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif

@@ -7,8 +7,8 @@
         "driver": {
           "name": "sbom-diff-risk",
           "fullName": "sbom-diff-risk",
-          "version": "0.6.0",
-          "semanticVersion": "0.6.0",
+          "version": "0.7.0",
+          "semanticVersion": "0.7.0",
           "rules": [
             {
               "id": "sdr.policy_violation.scorecard_below_threshold",

tools/sbom-diff-and-risk/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "sbom-diff-and-risk"
-version = "0.6.0"
+version = "0.7.0"
 description = "Deterministic SBOM diff CLI with heuristic risk reporting."
 readme = { file = "PYPI_DESCRIPTION.md", content-type = "text/markdown" }
 requires-python = ">=3.11"

tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py

@@ -2,4 +2,4 @@
 
 __all__ = ["__version__"]
 
-__version__ = "0.6.0"
+__version__ = "0.7.0"