[codex] sbom-diff-and-risk v0.4 release hardening#11

Merged
stacknil merged 1 commit into
mainfrom
codex/sbom-diff-risk-v040-hardening
Apr 21, 2026

Conversation

@stacknil
Owner

Summary

  • align sbom-diff-and-risk workflow baselines and naming for CI, code scanning, and release assets
  • document workflow artifact verification, release asset verification, and PyPI Trusted Publishing readiness
  • clarify the UX split between verifying the tool itself and using it to analyze third-party dependency provenance

Local validation

  • git diff --check
  • workflow YAML parse sanity check
  • python -m build
  • python -m twine check

Notes

  • no CLI behavior changes
  • no PyPI publishing enabled in this PR
  • release asset publication remains GitHub Release focused

@stacknil stacknil merged commit 02b0bb4 into main Apr 21, 2026
5 checks passed
@stacknil stacknil deleted the codex/sbom-diff-risk-v040-hardening branch April 21, 2026 18:16

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1eba53c798



title="${RELEASE_TITLE_PREFIX} ${RELEASE_TAG}"

if gh release view "${RELEASE_TAG}" >/dev/null 2>&1; then

P1: Provide repo context before running gh release commands

In publish-release-assets, the step invokes gh release view/create/upload/edit but never checks out the repo and does not pass --repo (or set GH_REPO), so these commands can fail to resolve a target repository in GitHub Actions and abort tag-release publication. GitHub CLI documents GH_REPO as required for commands that otherwise rely on local-repo context; without checkout in this job, tag pushes can fail before assets are uploaded.

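One way to apply this review point, as an added example that is neither the project's workflow nor the reviewer's own suggestion: a POSIX-shell publish step that resolves the target repository explicitly (an exported GH_REPO wins, otherwise the GITHUB_REPOSITORY variable that Actions sets for every job) and passes it with --repo on every gh release call, so the job never needs a checkout. It also refuses tags that could be parsed by gh as an option and re-runs safely by uploading into an existing release instead of failing on create. The GH_BIN variable, validate_tag and the stub-friendly structure are conventions of this example, not gh features, and the step still needs GH_TOKEN exported for gh to authenticate.

```shell
#!/bin/sh
# Added example, not the sbom-diff-and-risk workflow: publish release assets
# from a job that has not checked out the repository, giving every `gh release`
# call an explicit target with --repo instead of relying on local-repo context.
# Assumptions of this example: GH_BIN (override of the gh binary, used to stub
# gh offline) and validate_tag are this script's own conventions, not gh's.
# In Actions the step also needs GH_TOKEN (e.g. the job's github.token) exported.
set -eu

# Resolve the target repository: an explicit GH_REPO wins, otherwise use
# GITHUB_REPOSITORY ("owner/name"), which Actions sets for every job.
resolve_repo() {
  if [ -n "${GH_REPO:-}" ]; then
    printf '%s\n' "$GH_REPO"
  elif [ -n "${GITHUB_REPOSITORY:-}" ]; then
    printf '%s\n' "$GITHUB_REPOSITORY"
  else
    echo "no repository context: set GH_REPO or run inside GitHub Actions" >&2
    return 1
  fi
}

# Accept only vMAJOR.MINOR.PATCH-style tags built from an allow-list of
# characters, so a pushed ref name cannot be parsed by gh as an option
# (leading '-') or carry anything unexpected into the command line.
validate_tag() {
  case $1 in
    ""|*[!0-9A-Za-z._-]*) ;;             # empty, or characters outside the allow-list
    v[0-9]*.[0-9]*.[0-9]*) return 0 ;;   # looks like a release tag
  esac
  echo "refusing to publish: '$1' is not a release tag" >&2
  return 1
}

# Create the release if it does not exist, otherwise only replace its assets,
# so re-running the job after a partial failure is safe.
# usage: publish_release TAG TITLE ASSET...
publish_release() {
  local tag title repo gh f
  tag=$1; title=$2; shift 2
  validate_tag "$tag" || return 1
  repo=$(resolve_repo) || return 1
  gh=${GH_BIN:-gh}
  for f in "$@"; do
    [ -f "$f" ] || { echo "missing release asset: $f" >&2; return 1; }
  done
  if "$gh" release view "$tag" --repo "$repo" >/dev/null 2>&1; then
    "$gh" release upload "$tag" --repo "$repo" --clobber "$@"
  else
    # --verify-tag aborts when the tag is not already on the remote, rather
    # than letting gh create a fresh tag from the default branch.
    "$gh" release create "$tag" --repo "$repo" --title "$title" --verify-tag "$@"
  fi
}
```

Inside the workflow the step would call `publish_release "${RELEASE_TAG}" "${RELEASE_TITLE_PREFIX} ${RELEASE_TAG}" dist/*` after downloading the built artifacts. Passing --repo rather than adding an actions/checkout step keeps the publishing job minimal: it handles only the artifacts it is given and never sees the source tree.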
