Releases: stacknil/scientific-computing-toolkit

sbom-diff-and-risk v1.0-rc.1

Pre-release

@github-actions github-actions released this 30 Jun 14:10
6819995

v1.0-rc.1 is the Policy Evidence release candidate.

The Python package metadata version for this tag is 1.0rc1, which is the
PEP 440 form used in the wheel and source distribution filenames.

Theme

Reviewer-stable policy evidence without expanding the tool's claims.

This release candidate turns the post-v0.9.0 policy work into a tighter
review surface: fixed policy decision examples, explicit evidence-confidence
labels, a risk-model boundary, and a minimal CI consumer path.

Highlights

  • Added policy decision examples for pass, warn, fail, and
    consumer-side needs-review.
  • Added summary.evidence_confidence and top-level evidence_confidence
    labels for local_manifest_only, sbom_present, policy_matched,
    enrichment_recorded, and provenance_recorded.
  • Added a one-page policy warning reviewer case that traces an added
    dependency from diff input to local policy warning.
  • Strengthened the risk-model boundary with explicit non-claims: not a CVE
    scanner, not a malware scanner, and not a package safety verdict engine.
  • Added a minimal GitHub Actions consumer workflow that runs the tool, uploads
    policy.json, and fails or passes from the local policy result.
  • Added repository scope and scientific-computing background notes to keep the
    repository from widening beyond the flagship SBOM release surface.

Compatibility and boundaries

  • This is a release candidate, not the final v1.0.0.
  • Production PyPI publishing remains intentionally deferred.
  • The GitHub Release assets are the expected distribution surface for this rc.
  • Default analysis remains local-file based and deterministic.
  • No default network enrichment was added.
  • No CVE lookup, advisory resolution, malware scanning, or package safety
    verdict was added.
  • Policy warnings and failures remain local policy decisions for review.

Release evidence

The tag-gated GitHub Actions workflow builds the wheel and source distribution,
generates a SHA256 checksum manifest, records workflow artifact attestations,
and publishes the same built files as GitHub Release assets.

Expected assets:

  • sbom_diff_and_risk-1.0rc1-py3-none-any.whl
  • sbom_diff_and_risk-1.0rc1.tar.gz
  • sbom-diff-and-risk-SHA256SUMS.txt

Use docs/verification.md, docs/release-provenance.md, and
docs/self-provenance.md for the correct verification path.

sbom-diff-and-risk v0.9.0

@github-actions github-actions released this 16 May 03:31
edb50e0

Release assets for v0.9.0. See docs/release-provenance.md for provenance verification guidance.

sbom-diff-and-risk v0.8.0

@github-actions github-actions released this 09 May 14:33
68135e2

v0.8.0 is the policy decision explainability release.

Theme

Policy decision explainability for machine-readable JSON reports.

v0.8.0 focuses on making local policy outcomes easier to inspect from JSON
reports and reviewer documentation. It keeps the dependency diff model,
existing CLI flags, Markdown output behavior, SARIF output behavior, workflows,
release tags, and publishing status unchanged.

Highlights

  • Added stable policy decision explanation fields to JSON policy findings.
  • Documented those fields in docs/report-schema.md.
  • Added reviewer-facing interpretation guidance in docs/policy-decision-explainability.md.
  • Kept summary.policy unchanged as the compact policy count/status surface.
  • Kept production PyPI intentionally deferred.

Machine-readable policy explainability

Policy findings in JSON reports can now include additive explanation fields:

  • decision_reason
  • policy_rule
  • severity_source
  • matched_threshold
  • observed_value

These fields explain why a local policy rule produced a block, warning, or
suppression. They are policy-decision metadata only; they are not dependency
safety verdicts, CVE results, or proof that a package is safe or unsafe.

The fields appear only on policy finding objects, such as:

  • policy_evaluation.blocking_violations
  • policy_evaluation.warning_violations
  • policy_evaluation.suppressed_violations
  • blocking_findings
  • warning_findings
  • suppressed_findings
  • provenance policy impact sections

Findings in the risks section remain local heuristic findings. They do not
receive policy-decision metadata unless policy evaluation maps them into policy
findings.

JSON schema / compatibility notes

  • The JSON report schema remains conservative and additive where possible.
  • Existing summary.policy behavior is unchanged.
  • Existing --out-json behavior remains the full JSON report output.
  • Existing --summary-json PATH behavior remains summary-only output.
  • Existing policy pass, warn, and fail behavior is unchanged.
  • Existing CLI flags are unchanged.
  • Consumers should treat unrecognized future fields as additive report data.
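The consumer side of these fields, as an added example that is not part of the project's code: it reads a policy.json report (a constructed sample is embedded), keeps only the five explanation fields of each policy finding, ignores unrecognized fields as additive data, and maps the local policy result to a pass/warn/fail exit code of the kind the minimal CI consumer path in v1.0-rc.1 relies on. The JSON nesting, the sample values and the consumer-side needs-review rule are assumptions of this example.

```python
import json
import sys

# Constructed sample policy.json, not real tool output. Key names are the ones
# named in the release notes; nesting, values and "future_field" are assumed.
SAMPLE_REPORT = """{
  "summary": {"policy": {"status": "warn"}, "evidence_confidence": "local_manifest_only"},
  "policy_evaluation": {
    "blocking_violations": [],
    "warning_violations": [{
      "package": "example-lib", "version": "2.0.0",
      "decision_reason": "added dependency matched a local warn rule",
      "policy_rule": "added_dependency_warn",
      "severity_source": "local_policy",
      "matched_threshold": 1, "observed_value": 1,
      "future_field": "unknown fields are additive report data"}],
    "suppressed_violations": []
  }
}"""

# The additive explanation fields; anything else on a finding is left alone.
EXPLANATION_FIELDS = ("decision_reason", "policy_rule", "severity_source",
                      "matched_threshold", "observed_value")

def load_report(text):
    return json.loads(text)

def explain(finding):
    return {k: finding[k] for k in EXPLANATION_FIELDS if k in finding}

def decide(report, fail_on_warn=False):
    """Map the local policy result to a CI outcome and a process exit code.
    fail: any blocking finding; warn: only warning findings; pass: neither.
    needs-review is a consumer-side label (an assumed rule of this example):
    a pass backed by nothing more than a local manifest is not trusted blindly."""
    pe = report.get("policy_evaluation", {})
    blocking = pe.get("blocking_violations", [])
    warning = pe.get("warning_violations", [])
    status = "fail" if blocking else "warn" if warning else "pass"
    confidence = report.get("evidence_confidence",
                            report.get("summary", {}).get("evidence_confidence"))
    if status == "pass" and confidence == "local_manifest_only":
        status = "needs-review"
    code = 1 if status == "fail" or (status == "warn" and fail_on_warn) else 0
    return status, code, [explain(f) for f in blocking + warning]

if __name__ == "__main__":  # usage: python consume_policy.py policy.json
    status, code, reasons = decide(load_report(open(sys.argv[1]).read()))
    print(status, json.dumps(reasons, indent=2))
    sys.exit(code)
```

The decision is policy-decision metadata only, in the sense the release notes use: it says why a local rule fired, not whether the package is safe.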

Documentation and evidence surfaces

The v0.8 documentation keeps the release/distribution evidence surfaces
separate from tool behavior. GitHub workflow artifact attestations, GitHub
Release asset verification, TestPyPI Trusted Publishing validation, and future
production PyPI Trusted Publishing provenance answer different trust questions.

Distribution status

  • The v0.8.0 GitHub Release is expected to be created from the tag-gated
    release workflow.
  • Release assets are expected to include the wheel, source distribution, and
    sbom-diff-and-risk-SHA256SUMS.txt.
  • This release does not publish to TestPyPI.
  • This release does not publish to production PyPI.
  • Production PyPI publishing remains intentionally deferred.
  • No production PyPI workflow is added.

Not in this release

  • No new CLI flags.
  • No Markdown output behavior changes.
  • No SARIF output behavior changes.
  • No workflow changes.
  • No PyPI/TestPyPI publishing.
  • No production PyPI workflow.
  • No hidden network behavior.
  • No CVE lookup or CVE resolution.
  • No dependency safety verdicts.

sbom-diff-and-risk v0.7.0

@github-actions github-actions released this 04 May 13:41
d1b9852

Release assets for v0.7.0. See docs/release-provenance.md for provenance verification guidance.

sbom-diff-and-risk v0.6.0

@github-actions github-actions released this 01 May 11:31
1bbaabc

Release assets for v0.6.0. See docs/release-provenance.md for provenance verification guidance.

sbom-diff-and-risk v0.5.1

@stacknil stacknil released this 28 Apr 10:09
d972beb

Release-only maintenance update.

  • Adds sbom-diff-and-risk-SHA256SUMS.txt to GitHub Release assets.
  • Keeps CLI behavior unchanged.
  • Keeps production PyPI deferred.

sbom-diff-and-risk v0.5.0

@github-actions github-actions released this 27 Apr 03:19
0012cc5

v0.5.0

Theme: production PyPI decision gate

Highlights

  • Added the production PyPI publishing decision gate for sbom-diff-and-risk.
  • Confirmed the intended production package name remains sbom-diff-and-risk.
  • Documented the future production publisher identity and workflow shape without enabling a production upload path.
  • Clarified that TestPyPI, GitHub workflow artifact attestations, GitHub Release asset verification, and PyPI Trusted Publishing provenance are separate trust surfaces.

Distribution status

  • TestPyPI dry-run completed; production PyPI intentionally deferred.
  • The TestPyPI package exists for version 0.4.1.
  • The v0.5.0 release is a GitHub Release and package version bump only.
  • No production PyPI workflow is added in this release.
  • No production PyPI upload is performed by this release.

Packaging and release alignment

  • Bumped the package version to 0.5.0.
  • Synced sbom_diff_risk.__version__ with the package metadata.
  • Updated sample SARIF metadata to report 0.5.0.
  • Updated the README top-level release narrative for the v0.5.0 gate.

Not in this release

  • No analyzer features were added.
  • No SARIF behavior changes were added beyond sample metadata version alignment.
  • No policy behavior changes were added.
  • No hidden network behavior was added.
  • No production PyPI publishing path was enabled.

sbom-diff-and-risk v0.4.1

@github-actions github-actions released this 22 Apr 07:00

v0.4.1

  • release asset automation fix
  • tag-path release publishing validation
  • no CLI analysis changes

sbom-diff-and-risk v0.4.0

@stacknil stacknil released this 21 Apr 19:36

v0.4.0

Theme: release/distribution provenance hardening

Highlights

  • Clarified the GitHub-hosted provenance story for sbom-diff-and-risk workflow-built artifacts and GitHub Release assets.
  • Kept workflow artifact attestation and GitHub Release verification as explicit, separate consumer verification surfaces.
  • Documented PyPI Trusted Publishing readiness and sequencing, while intentionally not enabling PyPI publishing yet.

Verification story

  • Workflow-built wheel and source distribution artifacts remain verifiable through gh attestation verify.
  • Version-tag releases can publish those same built files as GitHub Release assets, with consumer guidance for gh release verify and gh release verify-asset.
  • Verification docs now point users more directly to the right path depending on whether they want to verify the tool itself or analyze third-party dependency provenance with the tool.

Packaging and release alignment

  • Bumped the package version to 0.4.0.
  • Synced the README top-level version narrative with the v0.4.0 release hardening theme.
  • Updated example SARIF outputs and PyPI readiness notes to reference the 0.4.0 package line consistently.

Not in this release

  • No PyPI publishing is enabled yet.
  • No new CLI analysis features were added.
  • Default CLI behavior remains local and deterministic, with no hidden network access.

sbom-diff-and-risk v0.3.0

@stacknil stacknil released this 19 Apr 10:04
159613e

  • opt-in PyPI provenance enrichment
  • provenance-aware policy
  • provenance-aware report/SARIF behavior
  • self-provenance verification for workflow-built artifacts