Releases: stacknil/scientific-computing-toolkit
sbom-diff-and-risk v0.7.0
Release assets for v0.7.0. See docs/release-provenance.md for provenance verification guidance.
sbom-diff-and-risk v0.6.0
Release assets for v0.6.0. See docs/release-provenance.md for provenance verification guidance.
sbom-diff-and-risk v0.5.1
Release-only maintenance update.
- Adds `sbom-diff-and-risk-SHA256SUMS.txt` to GitHub Release assets.
- Keeps CLI behavior unchanged.
- Keeps production PyPI deferred.
sbom-diff-and-risk v0.5.0
v0.5.0
Theme: production PyPI decision gate
Highlights
- Added the production PyPI publishing decision gate for `sbom-diff-and-risk`.
- Confirmed the intended production package name remains `sbom-diff-and-risk`.
- Documented the future production publisher identity and workflow shape without enabling a production upload path.
- Clarified that TestPyPI, GitHub workflow artifact attestations, GitHub Release asset verification, and PyPI Trusted Publishing provenance are separate trust surfaces.
Distribution status
- TestPyPI dry-run completed; production PyPI intentionally deferred.
- The TestPyPI package exists for version `0.4.1`.
- The `v0.5.0` release is a GitHub Release and package version bump only.
- No production PyPI workflow is added in this release.
- No production PyPI upload is performed by this release.
Packaging and release alignment
- Bumped the package version to `0.5.0`.
- Synced `sbom_diff_risk.__version__` with the package metadata.
- Updated sample SARIF metadata to report `0.5.0`.
- Updated the README top-level release narrative for the v0.5.0 gate.
Not in this release
- No analyzer features were added.
- No SARIF behavior changes were added beyond sample metadata version alignment.
- No policy behavior changes were added.
- No hidden network behavior was added.
- No production PyPI publishing path was enabled.
sbom-diff-and-risk v0.4.1
v0.4.1
- release asset automation fix
- tag-path release publishing validation
- no CLI analysis changes
sbom-diff-and-risk v0.4.0
v0.4.0
Theme: release/distribution provenance hardening
Highlights
- Clarified the GitHub-hosted provenance story for `sbom-diff-and-risk` workflow-built artifacts and GitHub Release assets.
- Kept workflow artifact attestation and GitHub Release verification as explicit, separate consumer verification surfaces.
- Documented PyPI Trusted Publishing readiness and sequencing, while intentionally not enabling PyPI publishing yet.
Verification story
- Workflow-built wheel and source distribution artifacts remain verifiable through `gh attestation verify`.
- Version-tag releases can publish those same built files as GitHub Release assets, with consumer guidance for `gh release verify` and `gh release verify-asset`.
- Verification docs now point users more directly to the right path depending on whether they want to verify the tool itself or analyze third-party dependency provenance with the tool.
Packaging and release alignment
- Bumped the package version to `0.4.0`.
- Synced the README top-level version narrative with the `v0.4.0` release hardening theme.
- Updated example SARIF outputs and PyPI readiness notes to reference the `0.4.0` package line consistently.
Not in this release
- No PyPI publishing is enabled yet.
- No new CLI analysis features were added.
- Default CLI behavior remains local and deterministic, with no hidden network access.
sbom-diff-and-risk v0.3.0
- opt-in PyPI provenance enrichment
- provenance-aware policy
- provenance-aware report/SARIF behavior
- self-provenance verification for workflow-built artifacts
sbom-diff-and-risk v0.2.0
Highlights
- policy-aware reporting and enforcement-oriented CLI behavior
- GitHub-compatible SARIF export with code scanning validation on `main`
- conservative parser tightening for deterministic local mode
- `sbom-diff-and-risk` package version bumped to `0.2.0`
Verification
- local `python -m pytest` passed before release
- GitHub code scanning analysis on `main` now reports tool version `0.2.0`
v0.1.0
- Added deterministic diffing for CycloneDX JSON, SPDX JSON, requirements.txt, and pyproject.toml
- Added conservative risk buckets for new packages, major upgrades, unknown licenses, suspicious sources, and opt-in future stale evaluation
- Added stable JSON/Markdown reporting with golden tests
- Clarified scope: no CVE matching, no hidden enrichment, no reputation scoring by default