Releases: stacknil/scientific-computing-toolkit
Release list
sbom-diff-and-risk v1.0-rc.1
v1.0-rc.1 is the Policy Evidence release candidate.
The Python package metadata version for this tag is 1.0rc1, which is the
PEP 440 form used in the wheel and source distribution filenames.
Theme
Reviewer-stable policy evidence without expanding the tool's claims.
This release candidate turns the post-v0.9.0 policy work into a tighter
review surface: fixed policy decision examples, explicit evidence-confidence
labels, a risk-model boundary, and a minimal CI consumer path.
Highlights
- Added policy decision examples for `pass`, `warn`, `fail`, and consumer-side `needs-review`.
- Added `summary.evidence_confidence` and top-level `evidence_confidence` labels for `local_manifest_only`, `sbom_present`, `policy_matched`, `enrichment_recorded`, and `provenance_recorded`.
- Added a one-page policy warning reviewer case that traces an added dependency from diff input to local policy warning.
- Strengthened the risk-model boundary with explicit non-claims: not a CVE scanner, not a malware scanner, and not a package safety verdict engine.
- Added a minimal GitHub Actions consumer workflow that runs the tool, uploads `policy.json`, and fails or passes from the local policy result.
- Added repository scope and scientific-computing background notes to keep the repository from widening beyond the flagship SBOM release surface.
Compatibility and boundaries
- This is a release candidate, not the final `v1.0.0`.
- Production PyPI publishing remains intentionally deferred.
- The GitHub Release assets are the expected distribution surface for this rc.
- Default analysis remains local-file based and deterministic.
- No default network enrichment was added.
- No CVE lookup, advisory resolution, malware scanning, or package safety verdict was added.
- Policy warnings and failures remain local policy decisions for review.
Release evidence
The tag-gated GitHub Actions workflow builds the wheel and source distribution,
generates a SHA256 checksum manifest, records workflow artifact attestations,
and publishes the same built files as GitHub Release assets.
Expected assets:
- `sbom_diff_and_risk-1.0rc1-py3-none-any.whl`
- `sbom_diff_and_risk-1.0rc1.tar.gz`
- `sbom-diff-and-risk-SHA256SUMS.txt`
Use docs/verification.md, docs/release-provenance.md, and
docs/self-provenance.md for the correct verification path.
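The checksum manifest described above is only useful if a consumer actually checks every downloaded asset against it. The following is an added example, not code from the sbom-diff-and-risk project: it parses a `sha256sum`-style manifest (the `<hex digest>  <filename>` line format is an assumption about the manifest; the asset names and contents in the demo are constructed) and reports each asset as ok, mismatched, or missing, so an incomplete or altered download never verifies as clean. Authenticating the manifest itself is a separate step (the attestation and `gh release verify` path the docs point to), which this example does not replace.

```python
"""Verify downloaded release assets against a SHA256SUMS manifest.

Added example; not the project's own code. Assumes the manifest uses the
conventional `<hex digest>  <filename>` line format written by sha256sum.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large wheels need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines into {filename: digest}.

    Accepts both the two-space and the ` *` (binary mode) separators and
    rejects malformed lines instead of silently skipping them.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts
        name = name.lstrip("*")  # `sha256sum -b` marks binary files with '*'
        entries[name] = digest.lower()
    return entries


def verify_assets(manifest_path, asset_dir):
    """Return {filename: status} with status 'ok', 'mismatch', or 'missing'.

    Every manifest entry must exist on disk: a missing asset is reported
    rather than ignored, so a partial download does not pass verification.
    """
    with open(manifest_path, encoding="utf-8") as f:
        expected = parse_manifest(f.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(asset_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def all_ok(results):
    """True only when the manifest is non-empty and every asset verified."""
    return bool(results) and all(s == "ok" for s in results.values())


def demo():
    """Constructed asset directory and manifest: one good, one tampered, one missing."""
    with tempfile.TemporaryDirectory() as d:
        good = b"constructed wheel bytes"
        tampered = b"constructed sdist bytes, altered after the manifest was written"
        with open(os.path.join(d, "pkg-1.0rc1-py3-none-any.whl"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "pkg-1.0rc1.tar.gz"), "wb") as f:
            f.write(tampered)
        manifest = (
            f"{hashlib.sha256(good).hexdigest()}  pkg-1.0rc1-py3-none-any.whl\n"
            f"{hashlib.sha256(b'original sdist').hexdigest()}  pkg-1.0rc1.tar.gz\n"
            f"{hashlib.sha256(b'docs').hexdigest()}  pkg-1.0rc1-docs.zip\n"
        )
        mpath = os.path.join(d, "SHA256SUMS.txt")
        with open(mpath, "w", encoding="utf-8") as f:
            f.write(manifest)
        return verify_assets(mpath, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

In a real consumer, `verify_assets` would point at the downloaded release assets and the downloaded `sbom-diff-and-risk-SHA256SUMS.txt`, and the job would stop on anything other than `all_ok`.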
sbom-diff-and-risk v0.9.0
Release assets for v0.9.0. See docs/release-provenance.md for provenance verification guidance.
sbom-diff-and-risk v0.8.0
v0.8.0 is the policy decision explainability release.
Theme
Policy decision explainability for machine-readable JSON reports.
v0.8.0 focuses on making local policy outcomes easier to inspect from JSON
reports and reviewer documentation. It keeps the dependency diff model,
existing CLI flags, Markdown output behavior, SARIF output behavior, workflows,
release tags, and publishing status unchanged.
Highlights
- Added stable policy decision explanation fields to JSON policy findings.
- Documented those fields in `docs/report-schema.md`.
- Added reviewer-facing interpretation guidance in `docs/policy-decision-explainability.md`.
- Kept `summary.policy` unchanged as the compact policy count/status surface.
- Kept production PyPI intentionally deferred.
Machine-readable policy explainability
Policy findings in JSON reports can now include additive explanation fields:
- `decision_reason`
- `policy_rule`
- `severity_source`
- `matched_threshold`
- `observed_value`
These fields explain why a local policy rule produced a block, warning, or
suppression. They are policy-decision metadata only; they are not dependency
safety verdicts, CVE results, or proof that a package is safe or unsafe.
The fields appear only on policy finding objects, such as:
- `policy_evaluation.blocking_violations`
- `policy_evaluation.warning_violations`
- `policy_evaluation.suppressed_violations`
- `blocking_findings`
- `warning_findings`
- `suppressed_findings`
- provenance policy impact sections
Risk findings in `risks` remain local heuristic findings. They do not receive
policy-decision metadata unless policy evaluation maps them into policy
findings.
JSON schema / compatibility notes
- The JSON report schema remains conservative and additive where possible.
- Existing `summary.policy` behavior is unchanged.
- Existing `--out-json` behavior remains the full JSON report output.
- Existing `--summary-json PATH` behavior remains summary-only output.
- Existing policy pass, warn, and fail behavior is unchanged.
- Existing CLI flags are unchanged.
- Consumers should treat unrecognized future fields as additive report data.
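A CI consumer of the JSON report has two jobs: turn the local policy outcome into a pass or fail, and surface the explanation fields so a reviewer can see why a rule fired. The block below is an added example, not the project's own code or its documented consumer workflow. Only the field names stated in these notes come from the page (`summary.policy`, the `policy_evaluation.*_violations` buckets, and the five per-finding explanation fields); the assumption that `summary.policy` carries a `status` string of `pass`/`warn`/`fail`, and the whole sample report, are constructed for the demo. Unknown fields are ignored, as the compatibility note asks, and an unrecognized status fails closed rather than passing.

```python
"""Minimal CI consumer for a policy JSON report.

Added example; not the project's own code. Field names come from the release
notes; the `status` key under summary.policy and the sample report are assumed.
"""
import json

EXPLANATION_FIELDS = (
    "decision_reason",
    "policy_rule",
    "severity_source",
    "matched_threshold",
    "observed_value",
)

# Constructed sample report. Layout beyond the documented field names is assumed.
SAMPLE_REPORT = json.dumps({
    "summary": {"policy": {"status": "fail", "blocking": 1, "warning": 1, "suppressed": 1}},
    "policy_evaluation": {
        "blocking_violations": [{
            "package": "examplepkg", "version": "2.0.0",
            "decision_reason": "added direct dependency matched a deny rule",
            "policy_rule": "deny-new-direct-deps",
            "severity_source": "policy",
            "matched_threshold": "new_direct_dependency",
            "observed_value": "added",
            "future_field": "additive data this consumer ignores",
        }],
        "warning_violations": [{
            "package": "otherpkg", "version": "1.4.0",
            "decision_reason": "license not in allow list",
            "policy_rule": "license-allow-list",
            "severity_source": "policy",
            "matched_threshold": "MIT|Apache-2.0",
            "observed_value": "GPL-3.0-only",
        }],
        "suppressed_violations": [{
            "package": "thirdpkg",
            "decision_reason": "suppressed by a recorded reviewer exception",
            "policy_rule": "license-allow-list",
            "severity_source": "suppression",
            "matched_threshold": "MIT|Apache-2.0",
            "observed_value": "LGPL-2.1-only",
        }],
    },
    # Heuristic risk findings carry no policy-decision metadata; left untouched here.
    "risks": [{"package": "examplepkg", "kind": "heuristic", "detail": "local heuristic only"}],
})


def explain(finding):
    """Collect the policy-decision metadata of one finding; absent fields show as '?'."""
    return {k: finding.get(k, "?") for k in EXPLANATION_FIELDS}


def evaluate(report_text):
    """Return (exit_code, review_lines): 0 for pass/warn, 1 for fail, 2 fail-closed.

    Only policy findings are explained; risk findings stay heuristic output.
    Unknown keys at any level are ignored as additive report data.
    """
    report = json.loads(report_text)
    status = report.get("summary", {}).get("policy", {}).get("status")
    pe = report.get("policy_evaluation", {})
    lines = []
    for bucket in ("blocking_violations", "warning_violations", "suppressed_violations"):
        for finding in pe.get(bucket, []):
            e = explain(finding)
            lines.append(
                f"{bucket}: {finding.get('package', '?')} rule={e['policy_rule']} "
                f"reason={e['decision_reason']} observed={e['observed_value']} "
                f"threshold={e['matched_threshold']} via={e['severity_source']}"
            )
    if status == "fail" or pe.get("blocking_violations"):
        return 1, lines
    if status not in ("pass", "warn"):
        return 2, lines + [f"unrecognized policy status {status!r}; refusing to pass"]
    return 0, lines


if __name__ == "__main__":
    code, review_lines = evaluate(SAMPLE_REPORT)
    print("\n".join(review_lines))
    print("exit code:", code)
```

The decision is taken from the local policy result only; nothing in the report is treated as a CVE result or a package safety verdict, which matches the boundary these notes draw.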
Documentation and evidence surfaces
- JSON report schema: `docs/report-schema.md`
- Policy schema: `docs/policy-schema.md`
- Policy decision explainability: `docs/policy-decision-explainability.md`
- Reviewer evidence pack: `docs/reviewer-evidence-pack.md`
- GitHub Actions consumer example: `docs/github-actions-consumer-example.md`
- Production PyPI decision gate: `docs/pypi-production-publishing-decision.md`
The v0.8 documentation keeps the release/distribution evidence surfaces
separate from tool behavior. GitHub workflow artifact attestations, GitHub
Release asset verification, TestPyPI Trusted Publishing validation, and future
production PyPI Trusted Publishing provenance answer different trust questions.
Distribution status
- The `v0.8.0` GitHub Release is expected to be created from the tag-gated release workflow.
- Release assets are expected to include the wheel, source distribution, and `sbom-diff-and-risk-SHA256SUMS.txt`.
- This release does not publish to TestPyPI.
- This release does not publish to production PyPI.
- Production PyPI publishing remains intentionally deferred.
- No production PyPI workflow is added.
Not in this release
- No new CLI flags.
- No Markdown output behavior changes.
- No SARIF output behavior changes.
- No workflow changes.
- No PyPI/TestPyPI publishing.
- No production PyPI workflow.
- No hidden network behavior.
- No CVE lookup or CVE resolution.
- No dependency safety verdicts.
sbom-diff-and-risk v0.7.0
Release assets for v0.7.0. See docs/release-provenance.md for provenance verification guidance.
sbom-diff-and-risk v0.6.0
Release assets for v0.6.0. See docs/release-provenance.md for provenance verification guidance.
sbom-diff-and-risk v0.5.1
Release-only maintenance update.
- Adds `sbom-diff-and-risk-SHA256SUMS.txt` to GitHub Release assets.
- Keeps CLI behavior unchanged.
- Keeps production PyPI deferred.
sbom-diff-and-risk v0.5.0
v0.5.0
Theme: production PyPI decision gate
Highlights
- Added the production PyPI publishing decision gate for `sbom-diff-and-risk`.
- Confirmed the intended production package name remains `sbom-diff-and-risk`.
- Documented the future production publisher identity and workflow shape without enabling a production upload path.
- Clarified that TestPyPI, GitHub workflow artifact attestations, GitHub Release asset verification, and PyPI Trusted Publishing provenance are separate trust surfaces.
Distribution status
- TestPyPI dry-run completed; production PyPI intentionally deferred.
- The TestPyPI package exists for version `0.4.1`.
- The `v0.5.0` release is a GitHub Release and package version bump only.
- No production PyPI workflow is added in this release.
- No production PyPI upload is performed by this release.
Packaging and release alignment
- Bumped the package version to `0.5.0`.
- Synced `sbom_diff_risk.__version__` with the package metadata.
- Updated sample SARIF metadata to report `0.5.0`.
- Updated the README top-level release narrative for the v0.5.0 gate.
Not in this release
- No analyzer features were added.
- No SARIF behavior changes were added beyond sample metadata version alignment.
- No policy behavior changes were added.
- No hidden network behavior was added.
- No production PyPI publishing path was enabled.
sbom-diff-and-risk v0.4.1
v0.4.1
- release asset automation fix
- tag-path release publishing validation
- no CLI analysis changes
sbom-diff-and-risk v0.4.0
v0.4.0
Theme: release/distribution provenance hardening
Highlights
- Clarified the GitHub-hosted provenance story for `sbom-diff-and-risk` workflow-built artifacts and GitHub Release assets.
- Kept workflow artifact attestation and GitHub Release verification as explicit, separate consumer verification surfaces.
- Documented PyPI Trusted Publishing readiness and sequencing, while intentionally not enabling PyPI publishing yet.
Verification story
- Workflow-built wheel and source distribution artifacts remain verifiable through `gh attestation verify`.
- Version-tag releases can publish those same built files as GitHub Release assets, with consumer guidance for `gh release verify` and `gh release verify-asset`.
- Verification docs now point users more directly to the right path depending on whether they want to verify the tool itself or analyze third-party dependency provenance with the tool.
Packaging and release alignment
- Bumped the package version to `0.4.0`.
- Synced the README top-level version narrative with the `v0.4.0` release hardening theme.
- Updated example SARIF outputs and PyPI readiness notes to reference the `0.4.0` package line consistently.
Not in this release
- No PyPI publishing is enabled yet.
- No new CLI analysis features were added.
- Default CLI behavior remains local and deterministic, with no hidden network access.
sbom-diff-and-risk v0.3.0
- opt-in PyPI provenance enrichment
- provenance-aware policy
- provenance-aware report/SARIF behavior
- self-provenance verification for workflow-built artifacts