From 754b2cd4ec8d98c07d99348e01aca3e156f942a5 Mon Sep 17 00:00:00 2001
From: stacknil
Date: Mon, 4 May 2026 16:35:48 +0800
Subject: [PATCH] Add checked-in GitHub Actions consumer workflow example
---
 tools/sbom-diff-and-risk/README.md | 1 +
 .../docs/github-actions-consumer-example.md | 3 +
 .../examples/github-actions-consumer.yml | 85 +++++++++++++++++++
 3 files changed, 89 insertions(+)
 create mode 100644 tools/sbom-diff-and-risk/examples/github-actions-consumer.yml
diff --git a/tools/sbom-diff-and-risk/README.md b/tools/sbom-diff-and-risk/README.md
index 7162046..b81cd2d 100644
--- a/tools/sbom-diff-and-risk/README.md
+++ b/tools/sbom-diff-and-risk/README.md
@@ -276,6 +276,7 @@ The [examples/](examples/) directory includes:
 - a Scorecard-aware policy example at `examples/policy-scorecard-minimal.yml`
 - a sample pass JSON report at [sample-report.json](examples/sample-report.json)
 - a sample summary-only JSON artifact at [sample-summary.json](examples/sample-summary.json)
+- a consumer GitHub Actions workflow example at [github-actions-consumer.yml](examples/github-actions-consumer.yml)
 - a sample pass Markdown report at [sample-report.md](examples/sample-report.md)
 - sample policy-warn reports at [sample-policy-warn-report.json](examples/sample-policy-warn-report.json) and [sample-policy-warn-report.md](examples/sample-policy-warn-report.md)
 - sample policy-fail reports at [sample-policy-fail-report.json](examples/sample-policy-fail-report.json) and [sample-policy-fail-report.md](examples/sample-policy-fail-report.md)
diff --git a/tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md b/tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md
index 8fe7ff2..8fad5c6 100644
--- a/tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md
+++ b/tools/sbom-diff-and-risk/docs/github-actions-consumer-example.md
@@ -18,6 +18,9 @@ an explicit local threshold to `summary.json`, and uploads the outputs as CI artifacts. Replace the placeholder input paths with files from the consumer repository.
+The same workflow is also checked in as
+[../examples/github-actions-consumer.yml](../examples/github-actions-consumer.yml)
+for copying into consumer repositories.
 ```yaml
 name: Dependency diff review
diff --git a/tools/sbom-diff-and-risk/examples/github-actions-consumer.yml b/tools/sbom-diff-and-risk/examples/github-actions-consumer.yml
new file mode 100644
index 0000000..a8c550a
--- /dev/null
+++ b/tools/sbom-diff-and-risk/examples/github-actions-consumer.yml
@@ -0,0 +1,85 @@
+# Example only.
+# Copy this file into a consumer repository under .github/workflows/ if useful.
+# This repository does not run this file as a workflow.
+# Production PyPI publishing for sbom-diff-and-risk is intentionally deferred;
+# install from a GitHub Release asset or local checkout instead.
+
+name: Dependency diff review
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-diff:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Check out consumer repository
+ uses: actions/checkout@v6
+
+ - name: Set up Python
+ uses: actions/setup-python@v6
+ with:
+ python-version: "3.x"
+
+ - name: Download sbom-diff-and-risk release wheel
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ mkdir -p .tooling/sbom-diff-risk
+ gh release download v0.6.0 \ --repo stacknil/scientific-computing-toolkit \ --pattern "sbom_diff_and_risk-0.6.0-py3-none-any.whl" \ --dir .tooling/sbom-diff-risk
+
+ - name: Install sbom-diff-risk
+ run: |
+ python -m pip install \ .tooling/sbom-diff-risk/sbom_diff_and_risk-0.6.0-py3-none-any.whl
+
+ - name: Compare dependency evidence
+ run: |
+ mkdir -p outputs
+ sbom-diff-risk compare \ --before path/to/before-sbom.json \ --after path/to/after-sbom.json \ --format auto \ --out-json outputs/report.json \ --out-md outputs/report.md \ --summary-json outputs/summary.json \ --out-sarif outputs/report.sarif
+
+ - name: Apply local summary threshold
+ run: |
+ python - <<'PY'
+ import json
+ from pathlib import Path
+
+ summary = json.loads(
+ Path("outputs/summary.json").read_text(encoding="utf-8")
+ )
+ risk_counts = summary["risk_counts"]
+
+ max_new_packages = 2
+ new_package_count = risk_counts.get("new_package", 0)
+ print(f"new_package={new_package_count}")
+
+ if new_package_count > max_new_packages:
+ raise SystemExit(
+ f"new_package count exceeds local threshold: {max_new_packages}"
+ )
+ PY
+
+ - name: Upload dependency diff outputs
+ uses: 
actions/upload-artifact@v7
+ with:
+ name: dependency-diff-outputs
+ path: |
+ outputs/report.json
+ outputs/report.md
+ outputs/summary.json
+ outputs/report.sarif
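Review bot: The wheel fetched in the "Download sbom-diff-and-risk release wheel" step is handed straight to `pip install` in the next step with no integrity check, so a consumer copying this example trusts whatever asset currently carries that filename on the v0.6.0 release rather than a known artifact. Add a verification step between the download and the install, e.g. `echo "<EXPECTED_SHA256>  .tooling/sbom-diff-risk/sbom_diff_and_risk-0.6.0-py3-none-any.whl" | sha256sum --check` with the digest copied from the release page, or, if the release publishes build attestations, `gh attestation verify <path-to-wheel> --repo stacknil/scientific-computing-toolkit` as the stronger check. The same concern applies to `actions/checkout@v6`, `actions/setup-python@v6` and `actions/upload-artifact@v7`, which float on mutable major-version tags; since the README hunk in this commit advertises a Scorecard-aware policy example, pinning each action to a full commit SHA with the tag kept as a trailing comment (`uses: actions/checkout@<full-commit-sha> # v6`) would make the example pass Scorecard's Pinned-Dependencies check itself. Minor: the `SystemExit` message in the threshold step reports only `max_new_packages`, so the line a reviewer sees on failure omits the observed count; `f"new_package count {new_package_count} exceeds local threshold {max_new_packages}"` is more useful for triage.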