
[codex] Add checked-in GitHub Actions consumer workflow example #38

Merged
stacknil merged 1 commit into main from codex/add-consumer-workflow-example-yaml on May 4, 2026

Conversation

@stacknil (Owner) commented May 4, 2026

Brief Design Summary

This PR adds a checked-in GitHub Actions consumer workflow example for sbom-diff-risk.

The example lives under tools/sbom-diff-and-risk/examples/, not .github/workflows/, so it is documentation/example material for consumer repositories to copy if useful. It installs from the v0.6.0 GitHub Release wheel, runs compare, writes JSON, Markdown, summary JSON, and SARIF outputs, applies an explicit local summary.json threshold, and uploads the generated files as CI artifacts.

Production PyPI remains intentionally deferred. The example does not use secrets, real internal paths, private repository names, production PyPI, hidden network behavior, or built-in dependency safety verdict claims.

Files Changed

  • tools/sbom-diff-and-risk/examples/github-actions-consumer.yml
  • tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md
  • tools/sbom-diff-and-risk/README.md

Validation

  • git diff --check passed.
  • Parsed the example YAML with PyYAML to confirm the top-level name and job key load.
  • Ran a broad Unicode Cf/Cc scan on touched files; no non-tab/newline control or format characters found.
  • Confirmed relative link targets exist.
  • Confirmed .github/workflows/ unchanged.
  • Confirmed package version remains 0.6.0.
  • No Python tests run because this is docs/example-only.

Out of Scope

  • No runtime behavior changes
  • No CLI behavior changes
  • No report schema changes
  • No test changes
  • No repository workflow changes
  • No package metadata changes
  • No release tag changes
  • No PyPI/TestPyPI publishing
  • No production PyPI workflow

@stacknil stacknil merged commit 4fcab4a into main May 4, 2026
5 checks passed
@stacknil stacknil deleted the codex/add-consumer-workflow-example-yaml branch May 4, 2026 08:38

@chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 754b2cd4ec


Comment on lines +77 to +78
- name: Upload dependency diff outputs
  uses: actions/upload-artifact@v7

P2: Upload artifacts even when threshold check fails

If new_package_count exceeds the threshold, the prior step exits non-zero, and this upload step is skipped because GitHub Actions applies a default success() condition to steps without an explicit status check. In that common policy-failure scenario, the workflow drops report.json, report.md, summary.json, and report.sarif, which prevents reviewers from inspecting the exact failure output; add an explicit condition such as if: ${{ always() }} (or !cancelled()) on the upload step to retain artifacts for failed runs.

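The tail of a consumer job written the way the review comment asks for, as an added example that is not the repository's checked-in github-actions-consumer.yml and not code from the PR. It assumes an earlier step has already run compare and written report.json, report.md, summary.json and report.sarif into an out/ directory, that summary.json carries a top-level integer new_package_count (the field the comment names; the tool's summary schema is otherwise not shown on this page), and that the threshold is supplied through a MAX_NEW_PACKAGES environment variable and the artifact is named sbom-diff-risk-outputs; those last two names are assumptions made for the example.

```yaml
# Added example, not the project's checked-in consumer workflow.
# Assumes ./out already holds the four compare outputs and that
# summary.json has an integer "new_package_count" (assumption).
      - name: Enforce local new-package threshold
        env:
          MAX_NEW_PACKAGES: "5"   # assumed name; pick the limit your repo tolerates
        run: |
          python - <<'PY'
          import json, os, sys

          with open("out/summary.json", encoding="utf-8") as fh:
              summary = json.load(fh)

          # Fail closed: a missing or non-integer field is a schema mismatch,
          # not "zero new packages", so let the KeyError/ValueError surface.
          count = int(summary["new_package_count"])
          limit = int(os.environ["MAX_NEW_PACKAGES"])
          print(f"new_package_count={count} threshold={limit}")
          if count > limit:
              # ::error:: surfaces the reason in the job annotations.
              print(f"::error::{count} new packages exceed local threshold {limit}")
              sys.exit(1)
          PY

      # A step with no `if:` inherits success(), so it is skipped as soon as
      # the threshold step above exits non-zero and the reports vanish with it.
      # !cancelled() keeps the upload for failures but still skips it when the
      # run is manually cancelled; always() would run even then. The `${{ }}`
      # wrapper is required because a bare leading `!` is a YAML tag indicator.
      - name: Upload dependency diff outputs
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v7
        with:
          name: sbom-diff-risk-outputs   # assumed artifact name
          path: |
            out/report.json
            out/report.md
            out/summary.json
            out/report.sarif
          # If compare itself failed there may be nothing to upload; warn
          # rather than turning one failure into two.
          if-no-files-found: warn
```

Two practical notes on the fragment. First, an upload that runs on failure is only useful if the threshold step leaves its evidence on disk before exiting, which is why the check reads summary.json rather than recomputing anything; keep the generation and the policy decision in separate steps so a policy failure never prevents the reports from existing. Second, the example keeps the page's actions/upload-artifact@v7 tag for readability, but a consumer copying it should pin third-party actions to a full commit SHA, since a mutable tag is exactly the kind of supply-chain surface a dependency-diff workflow exists to watch.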

