[codex] Release sbom-diff-and-risk v0.7.0

[stacknil]

Brief Design Summary

This PR prepares the sbom-diff-and-risk v0.7.0 GitHub Release.

The release theme is consumer integration usability. It aligns package metadata, runtime version, SARIF sample metadata, README release narrative, and release notes with 0.7.0.

This PR does not change runtime behavior. It does not modify workflows, does not add production PyPI publishing, and does not publish to PyPI/TestPyPI.

Files Changed

• tools/sbom-diff-and-risk/pyproject.toml
• tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
• tools/sbom-diff-and-risk/README.md
• tools/sbom-diff-and-risk/RELEASE_NOTES_v0.7.0.md
• tools/sbom-diff-and-risk/examples/sample-sarif.sarif
• tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
• tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif

Validation Commands and Results

cd tools/sbom-diff-and-risk
python -m pytest
python -m build
$files = Get-ChildItem dist -File | ForEach-Object { $_.FullName }
python -m twine check $files
git diff --check

Results:

• python -m pytest: 154 passed
• python -m build: passed, produced sbom_diff_and_risk-0.7.0.tar.gz and sbom_diff_and_risk-0.7.0-py3-none-any.whl
• python -m twine check: passed for wheel and sdist
• git diff --check: passed
• package metadata version is 0.7.0
• runtime __version__ is 0.7.0
• SARIF sample tool version / semanticVersion are 0.7.0
• .github/workflows/ unchanged
• no production PyPI workflow exists
• production PyPI remains intentionally deferred in release notes

Release Steps After Merge

git checkout main
git pull --ff-only
git tag v0.7.0
git push origin v0.7.0

Then verify the tag-gated workflow:

gh run list --workflow sbom-diff-and-risk-ci.yml --limit 5
gh run watch <RUN_ID>
gh run view <RUN_ID> --log

Expected release verification:

• test: success
• build-and-attest: success
• publish-release-assets: success
• GitHub Release v0.7.0 exists
• Release assets include:
  • sbom_diff_and_risk-0.7.0-py3-none-any.whl
  • sbom_diff_and_risk-0.7.0.tar.gz
  • sbom-diff-and-risk-SHA256SUMS.txt
• Downloaded assets match SHA256SUMS
• gh attestation verify succeeds for wheel and sdist if attestations are available
• production PyPI remains absent/deferred

Out of Scope

• No runtime behavior changes
• No CLI behavior changes
• No workflow changes
• No production PyPI workflow
• No PyPI/TestPyPI publishing

[stacknil]

Reflowed RELEASE_NOTES_v0.7.0.md so the GitHub Release body will render cleanly. No runtime, workflow, publishing, or version-scope changes beyond the planned v0.7.0 metadata alignment.