release: v0.7.0 — GitLab CI integration + adoption polish

.github/ISSUE_TEMPLATE/action-broke.md

@@ -36,6 +36,6 @@ failure is usually obvious if you expand all groups. -->
 
 ## Environment
 
-- **bomdrift version pin**: `@v1` / `@v0.6.1` / `@<sha>`
+- **bomdrift version pin**: `@v1` / `@v0.7.0` / `@<sha>`
 - **Runner**: <ubuntu-latest / self-hosted / etc.>
 - **Trigger event**: <pull_request / push / workflow_dispatch / etc.>

CHANGELOG.md

@@ -7,6 +7,96 @@ project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.7.0] - 2026-04-30
+
+The "broaden the platform, polish the edges" milestone. v0.7 takes the
+v0.6 policy-config foundation and adds GitLab CI as a first-class
+target, closes the open issue backlog around adoption pain points,
+and lays groundwork for calibration tuning.
+
+### Added
+
+- **GitLab CI integration.** `bomdrift diff` now renders a
+  GitLab-shaped MR-note footer when `--platform gitlab` is set (or
+  when `GITLAB_CI=true` is auto-detected). A copy-paste-ready
+  template ships under `examples/gitlab-ci/` with a diff job
+  (curl + jq upsert against the GitLab notes API), a manual
+  suppression job, and a setup README covering the two-token model
+  and Self-Managed considerations. Full chapter at
+  [docs/src/gitlab-ci.md](docs/src/gitlab-ci.md).
+
+- **`--platform <github|gitlab>` flag** on `bomdrift diff` (also
+  loadable from `[diff] platform = "..."` in `.bomdrift.toml`).
+  Default is auto-detection from the CI environment with `github`
+  as the fallback. Explicit flag always wins.
+
+- **CI auto-detection on GitLab.** When `GITLAB_CI=true` is set,
+  bomdrift selects the GitLab footer shape; when `CI_PROJECT_URL`
+  is set and `--repo-url` / `BOMDRIFT_REPO_URL` are unset, it's
+  used as the footer link target.
+
+- **`--debug-calibration` flag.** Off by default. When set, the
+  diff command emits one pipe-delimited record per finding to
+  stderr (`kind|key|score|threshold`). Lets adopters dump a
+  calibration sample across many PRs and feed back tuning data on
+  `SIMILARITY_THRESHOLD`, `YOUNG_MAINTAINER_DAYS`, etc. No
+  telemetry — the user owns the file.
+
+- **Typosquat top-package data top-up** for Go (+35 entries from
+  CNCF / HashiCorp / gRPC ecosystem / awesome-go), Composer (+43
+  from Symfony / Laravel / Doctrine / testing communities), and
+  Gem (+44 from Rails ecosystem / dry-rb / API serializers).
+  Closes #6, #7, #8.
+
+### Changed
+
+- **Markdown renderer is now platform-aware.** Backward compatible:
+  the GitHub footer shape is preserved byte-for-byte for existing
+  callers. New `MarkdownOpts.platform` field controls the
+  switch; `Default` resolves to GitHub.
+
+- **Better "scan path not found" error in the GitHub Action.**
+  `entrypoint.sh` now lists what was actually checked out and
+  links to the new monorepo docs section instead of the prior
+  one-line "no such file" error. Closes #11.
+
+### Docs
+
+- **GitLab CI chapter** (`docs/src/gitlab-ci.md`) — quickstart,
+  token model, suppression paths, Self-Managed notes, what's
+  scoped out for v0.7.
+- **False-positive triage worked example** in
+  `docs/src/baseline.md` (a typosquat misfire with the exact
+  baseline entry that suppresses it). Closes #12.
+- **Monorepo setup section** in `docs/src/github-action.md`
+  covering matrix-per-service patterns and shared-baseline
+  pattern. Closes #9.
+- **Action-broke troubleshooting checklist** in
+  `docs/src/github-action.md` covering the top-N failure modes.
+  Closes #13.
+- **CLI reference** updated for `--platform`,
+  `--debug-calibration`, and the new `BOMDRIFT_REPO_URL` /
+  `GITLAB_CI` / `CI_PROJECT_URL` environment variables.
+
+### Tests
+
+- Regression test for `BOMDRIFT_REPO_URL` env-var → footer URL
+  plumbing (#10) — previously only the rendering function was
+  unit-tested, not the env-to-option plumbing in `lib.rs`.
+- E2E tests for `GITLAB_CI` auto-detection and `--platform`
+  override.
+- Smoke test for `--debug-calibration` stderr output.
+
+### Scope notes
+
+In-comment suppression on GitLab (`/bomdrift suppress <ID>` in an
+MR note) is **deferred to v0.8**. GitLab note webhooks have a
+different model than GitHub PR comments, and the safe wiring
+(rate-limit, fork-MR safety, command parsing, double-trigger
+debouncing) is materially harder. v0.7 ships the manual-job path
+in `examples/gitlab-ci/suppress.gitlab-ci.yml`, which covers the
+same user need without standing up a webhook handler.
+
 ## [0.6.1] - 2026-04-29
 
 ### Fixed

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "bomdrift"
-version = "0.6.1"
+version = "0.7.0"
 edition = "2024"
 rust-version = "1.85"
 description = "SBOM diff with supply-chain risk signals (CVEs, typosquats, maintainer-age)."

README.md

@@ -81,7 +81,7 @@ jobs:
         #   verify-signatures: true   (set false on trusted mirrors)
 ```
 
-Pin to `@v1` for the latest v0.x; pin to `@v0.6.1` for reproducible builds. Run `bomdrift init` if you want a checked-in `.bomdrift.toml` policy and both workflows scaffolded locally. See the [Action reference](https://metbcy.github.io/bomdrift/github-action.html) for every input.
+Pin to `@v1` for the latest v0.x; pin to `@v0.7.0` for reproducible builds. Run `bomdrift init` if you want a checked-in `.bomdrift.toml` policy and both workflows scaffolded locally. See the [Action reference](https://metbcy.github.io/bomdrift/github-action.html) for every input.
 
 #### Optional: in-comment suppression (v0.5+)
 
@@ -112,7 +112,7 @@ Comment `/bomdrift suppress GHSA-xxxx` on any PR; the sub-action appends to `.bo
 Pre-built binaries cover Linux x86_64 + aarch64, macOS aarch64, and Windows x86_64. Each archive is cosign-signed via Sigstore + GitHub OIDC.
 
 ```bash
-VERSION=v0.6.1
+VERSION=v0.7.0
 TARGET=x86_64-unknown-linux-gnu
 curl -sSL -o bomdrift.tar.gz \
   "https://github.com/Metbcy/bomdrift/releases/download/${VERSION}/bomdrift-${VERSION}-${TARGET}.tar.gz"
@@ -128,7 +128,7 @@ Verify the archive's signature before you trust the binary — see [Release sign
 ### From source
 
 ```bash
-cargo install --locked --git https://github.com/Metbcy/bomdrift --tag v0.6.1 bomdrift
+cargo install --locked --git https://github.com/Metbcy/bomdrift --tag v0.7.0 bomdrift
 ```
 
 Requires Rust 1.85+ (the project uses edition 2024).
@@ -230,7 +230,7 @@ Every release archive is signed with cosign keyless via Sigstore (GitHub OIDC).
 
 ```bash
 # Replace VERSION + TARGET with your downloaded archive's pair
-VERSION=v0.6.1
+VERSION=v0.7.0
 TARGET=x86_64-unknown-linux-gnu
 ARCHIVE=bomdrift-${VERSION}-${TARGET}.tar.gz
 

STATUS.md

@@ -11,9 +11,10 @@ keeping the project OSS-first: no hosted dashboard, no account, no telemetry.
 | GitHub.com pull requests | Supported through `Metbcy/bomdrift@v1` |
 | Local CLI | Supported on Linux x86_64/aarch64, macOS aarch64, Windows x86_64 |
 | SBOM formats | CycloneDX JSON, SPDX JSON, Syft JSON |
-| In-comment suppression | Supported through `Metbcy/bomdrift/comment-suppress@v1` |
+| In-comment suppression (GitHub) | Supported through `Metbcy/bomdrift/comment-suppress@v1` |
+| GitLab CI merge requests | Supported through the `examples/gitlab-ci/` template (v0.7+); in-comment suppression deferred to v0.8 |
 | GitHub Enterprise / self-hosted runners | Expected to work, not broadly tested yet |
-| GitLab / Bitbucket | Not supported |
+| Bitbucket | Not supported |
 | Hosted dashboard / SaaS | Not planned |
 
 ## Known limitations

data/composer-top200.txt

@@ -136,3 +136,56 @@ roots/wordpress
 wpackagist-plugin/jetpack
 wpackagist-plugin/wordpress-seo
 wpackagist-plugin/akismet
+
+# --- v0.7 top-up: Symfony components (source: packagist.org top installs) ---
+symfony/security-bundle
+symfony/security-core
+symfony/form
+symfony/messenger
+symfony/mailer
+symfony/framework-bundle
+symfony/options-resolver
+symfony/config
+symfony/dotenv
+symfony/error-handler
+symfony/css-selector
+symfony/dom-crawler
+symfony/expression-language
+
+# --- v0.7 top-up: Laravel ecosystem (source: packagist.org top installs) ---
+laravel/sail
+laravel/pint
+laravel/telescope
+laravel/octane
+laravel/dusk
+laravel/serializable-closure
+
+# --- v0.7 top-up: Doctrine (source: packagist.org top installs) ---
+doctrine/migrations
+doctrine/doctrine-bundle
+doctrine/persistence
+doctrine/event-manager
+doctrine/deprecations
+
+# --- v0.7 top-up: testing & static analysis (source: packagist.org top installs) ---
+behat/behat
+phpspec/phpspec
+infection/infection
+rector/rector
+phpmd/phpmd
+
+# --- v0.7 top-up: misc popular (source: packagist.org top installs) ---
+nesbot/carbon
+predis/predis
+intervention/image
+aws/aws-sdk-php
+vlucas/phpdotenv
+erusev/parsedown
+dompdf/dompdf
+phpoffice/phpspreadsheet
+maatwebsite/excel
+barryvdh/laravel-debugbar
+barryvdh/laravel-ide-helper
+league/fractal
+league/route
+mtdowling/jmespath.php

data/gem-top200.txt

@@ -183,3 +183,63 @@ good_job
 solid_queue
 mailcatcher
 resque-scheduler
+
+# --- v0.7 top-up: Rails ecosystem extras (source: rubygems.org top downloads) ---
+jbuilder
+bootsnap
+spring
+web-console
+rack-cors
+responders
+friendly_id
+aasm
+annotate
+letter_opener
+rails-html-sanitizer
+rails-i18n
+
+# --- v0.7 top-up: testing (source: rubygems.org top downloads) ---
+minitest
+minitest-reporters
+shoulda-matchers
+timecop
+pry-rails
+pry-doc
+
+# --- v0.7 top-up: dotenv / config (source: rubygems.org top downloads) ---
+dotenv
+dotenv-rails
+foreman
+
+# --- v0.7 top-up: API / serializers (source: rubygems.org top downloads) ---
+jsonapi-serializer
+active_model_serializers
+alba
+grape
+grape-entity
+rswag
+
+# --- v0.7 top-up: cache / jobs / KV (source: rubygems.org top downloads) ---
+connection_pool
+dalli
+redis-namespace
+sneakers
+sucker_punch
+
+# --- v0.7 top-up: search / admin (source: rubygems.org top downloads) ---
+searchkick
+pg_search
+activeadmin
+administrate
+
+# --- v0.7 top-up: dry-rb / utility (source: rubygems.org top downloads) ---
+dry-validation
+dry-types
+dry-struct
+dry-monads
+
+# --- v0.7 top-up: documents / files (source: rubygems.org top downloads) ---
+prawn
+caxlsx
+roo
+pdf-reader

data/go-top200.txt

@@ -141,3 +141,48 @@ github.com/cli/cli
 github.com/charmbracelet/bubbletea
 github.com/charmbracelet/lipgloss
 github.com/charmbracelet/glamour
+
+# --- v0.7 top-up: CNCF / containers (source: cncf.io graduated + sandbox lists) ---
+github.com/containerd/containerd
+github.com/opencontainers/runc
+github.com/opencontainers/image-spec
+github.com/argoproj/argo-cd
+github.com/fluxcd/flux2
+github.com/istio/istio
+github.com/cilium/cilium
+github.com/grafana/grafana
+github.com/grafana/loki
+github.com/jaegertracing/jaeger
+github.com/open-telemetry/opentelemetry-collector
+github.com/thanos-io/thanos
+github.com/minio/minio
+github.com/minio/minio-go
+
+# --- v0.7 top-up: HashiCorp (source: github.com/hashicorp top repos) ---
+github.com/hashicorp/terraform
+github.com/hashicorp/vault
+github.com/hashicorp/consul
+github.com/hashicorp/nomad
+github.com/hashicorp/hcl
+github.com/hashicorp/raft
+
+# --- v0.7 top-up: gRPC ecosystem (source: github.com/grpc-ecosystem) ---
+github.com/grpc-ecosystem/grpc-gateway
+github.com/grpc-ecosystem/go-grpc-middleware
+github.com/twitchtv/twirp
+
+# --- v0.7 top-up: data / search / storage (source: awesome-go databases) ---
+github.com/elastic/go-elasticsearch
+github.com/cockroachdb/cockroach
+github.com/cockroachdb/pebble
+github.com/influxdata/influxdb
+github.com/syndtr/goleveldb
+
+# --- v0.7 top-up: utility / awesome-go (source: awesome-go popular libs) ---
+github.com/klauspost/compress
+github.com/cespare/xxhash
+github.com/yuin/goldmark
+github.com/PuerkitoBio/goquery
+github.com/google/cel-go
+go.uber.org/goleak
+github.com/DATA-DOG/go-sqlmock

docs/src/SUMMARY.md

@@ -6,6 +6,7 @@
 
 - [Quickstart](./quickstart.md)
 - [GitHub Action](./github-action.md)
+- [GitLab CI](./gitlab-ci.md)
 - [CLI reference](./cli-reference.md)
 
 # Output