
[codex] Release sbom-diff-and-risk v0.9.0#56

Merged: stacknil merged 1 commit into main from codex/release-sbom-diff-risk-v090 on May 16, 2026

Conversation

@stacknil
Owner

Brief Design Summary

This PR prepares the sbom-diff-and-risk v0.9.0 GitHub Release.

The release theme is policy JSON sidecar and consumer integration usability. It aligns package metadata, runtime version, SARIF sample metadata, README release narrative, and final release notes with 0.9.0.

This PR does not change repository workflows. It does not add production PyPI publishing, does not publish to PyPI/TestPyPI, and does not create a tag or GitHub Release by itself.

Files Changed

  • tools/sbom-diff-and-risk/pyproject.toml
  • tools/sbom-diff-and-risk/src/sbom_diff_risk/__init__.py
  • tools/sbom-diff-and-risk/README.md
  • tools/sbom-diff-and-risk/RELEASE_NOTES_v0.9.0.md
  • tools/sbom-diff-and-risk/examples/sample-sarif.sarif
  • tools/sbom-diff-and-risk/examples/sample-provenance-report.sarif
  • tools/sbom-diff-and-risk/examples/sample-scorecard-report.sarif

Validation

cd tools/sbom-diff-and-risk
python -m pytest
python -m build
$files = Get-ChildItem dist -File | ForEach-Object { $_.FullName }
python -m twine check $files
git diff --check

Results:

  • python -m pytest: 162 passed
  • python -m build: produced sbom_diff_and_risk-0.9.0.tar.gz and sbom_diff_and_risk-0.9.0-py3-none-any.whl
  • python -m twine check: passed for wheel and sdist
  • git diff --check: passed
  • package metadata version is 0.9.0
  • runtime __version__ is 0.9.0
  • SARIF sample tool metadata is 0.9.0
  • checked changed files for Unicode Cf/Cc control or format characters; no non-tab/newline matches found
  • no workflow files changed
  • production PyPI remains intentionally deferred

Release Steps After Merge

git checkout main
git pull --ff-only
git tag v0.9.0
git push origin v0.9.0

Then verify the tag-gated workflow:

  • test: success
  • build-and-attest: success
  • publish-release-assets: success
  • GitHub Release v0.9.0 exists
  • release assets include wheel, sdist, and sbom-diff-and-risk-SHA256SUMS.txt
  • downloaded assets match SHA256SUMS
  • gh attestation verify succeeds for wheel/sdist if attestations are available
  • production PyPI remains absent/deferred

Out of Scope

  • No runtime behavior changes beyond version metadata
  • No workflow changes
  • No production PyPI workflow
  • No PyPI/TestPyPI publishing
  • No tag or GitHub Release in this PR
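
The validation list above includes a scan of changed files for Unicode Cf/Cc control or format characters. The following is an added example of such a check, not code from the sbom-diff-and-risk project; the allowed set (tab and newline only) and the sample input are assumptions mirroring the PR's wording.

```python
"""Scan text for Unicode Cf (format) and Cc (control) characters.

Added example, not part of the sbom-diff-and-risk project. It reproduces the
kind of pre-release check listed in the PR validation (no Cf/Cc characters
other than tab and newline in changed files), which surfaces bidi overrides
and zero-width characters hidden in source, docs, or sample data.
"""
import unicodedata
from pathlib import Path
from typing import Iterable, List, NamedTuple

# Assumption: "non-tab/newline" in the PR means only these two are allowed.
# CRLF files would flag U+000D; add "\r" here if that is expected.
ALLOWED = frozenset("\t\n")


class Finding(NamedTuple):
    path: str
    line: int        # 1-based line number
    column: int      # 1-based column within the line
    codepoint: str   # e.g. "U+202E"
    category: str    # "Cf" or "Cc"
    name: str        # Unicode character name, if known


def find_control_chars(text: str, path: str = "<text>",
                       allowed: frozenset = ALLOWED) -> List[Finding]:
    """Return every Cf/Cc character in text that is not in allowed."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            cat = unicodedata.category(ch)
            if cat in ("Cf", "Cc") and ch not in allowed:
                findings.append(Finding(path, line_no, col, f"U+{ord(ch):04X}",
                                        cat, unicodedata.name(ch, "<unnamed>")))
    return findings


def scan_files(paths: Iterable[Path]) -> List[Finding]:
    """Scan files as UTF-8; undecodable bytes become U+FFFD (not Cf/Cc)."""
    findings = []
    for p in paths:
        text = p.read_text(encoding="utf-8", errors="replace")
        findings.extend(find_control_chars(text, str(p)))
    return findings


if __name__ == "__main__":
    # Constructed sample: a tab (allowed), a bidi override, and a zero-width space.
    sample = "name = 'sbom'\t# ok\nmarker = 'x\u202e'\nz\u200bero\n"
    for f in find_control_chars(sample, "sample.py"):
        print(f"{f.path}:{f.line}:{f.column}: {f.codepoint} {f.category} {f.name}")
```

Run it over the changed files of a release branch (e.g. `scan_files(Path(p) for p in changed)`) and fail the release step on any non-empty result.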

@stacknil stacknil merged commit edb50e0 into main May 16, 2026
9 checks passed
@stacknil stacknil deleted the codex/release-sbom-diff-risk-v090 branch May 16, 2026 03:30