dfetch-org · spoorcc · Jun 15, 2026 · Jun 15, 2026 · Jun 15, 2026 · Jun 15, 2026
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
@@ -52,6 +52,14 @@ jobs:
       run: python3 -m build
     - name: Generate SBOM for Python distribution
       run: python script/create_sbom.py --py --output-dir dist-sbom
+    - name: Generate OSCAL Component Definition
+      run: |
+        mkdir -p dist-oscal
+        VERSION=$(python -c "import importlib.metadata; print(importlib.metadata.version('dfetch'))")
+        python -m security.compliance \
+          --component dist-oscal/dfetch.component-definition.json \
+          --version "$VERSION" \
+          --track-b-only
     - name: Store the distribution packages
       uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
       with:
@@ -73,6 +81,15 @@ jobs:
       with:
         name: python-sbom
         path: dist-sbom/
+    - name: Attest OSCAL build provenance
+      uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+      with:
+        subject-path: dist-oscal/dfetch.component-definition.json
+    - name: Store the OSCAL Component Definition
+      uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      with:
+        name: oscal-component-definition
+        path: dist-oscal/
 
   publish-to-testpypi:
     name: Publish Python distribution 📦 to TestPyPI
@@ -131,10 +148,17 @@ jobs:
       with:
         name: python-sbom
         path: dist-sbom/
-    - name: Upload SBOM to GitHub Release
+    - name: Download OSCAL Component Definition
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: oscal-component-definition
+        path: dist-oscal/
+    - name: Upload SBOM and OSCAL to GitHub Release
       uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v2.5.0
       with:
         tag_name: ${{ github.event.release.tag_name }}
-        files: dist-sbom/*
+        files: |
+          dist-sbom/*
+          dist-oscal/*
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,5 +1,13 @@
+Release 0.15.0 (unreleased)
+============================
+
+* Add CRA Compliance Track B: OSCAL 1.1.2 Component Definition mapping all CRA Annex I Part I
+  essential requirements (ECR-a–m) through prEN 40000-1-4 Security Objectives to dfetch controls;
+  covers Part II via prEN 40000-1-3; introduces controls C-043 (release-gate CVE check), C-044
+  (data minimisation policy), and C-046 (exploit mitigation inventory)
+
 Release 0.14.0 (released 2026-06-14)
-===========================
+====================================
 
 * Update Winget manifest to the Windows Package Manager Community Repository on new release (#1263)
 * Check for new dfetch version during ``dfetch check`` & ``dfetch environment`` (#1262)