jacksonpradolima · jacksonpradolima · Jan 1, 2026 · Dec 28, 2025 · Jan 1, 2026 · Jan 1, 2026
@@ -27,6 +27,10 @@ jobs:
           uv sync --frozen --extra dev
           uv pip install -e .
 
+      # Step 3.5: Ensure uv.lock is up-to-date
+      - name: Check lockfile freshness
+        run: uv lock --check --locked
+
       # Step 4: Get changed Python files
       - name: Get Python changed files
         id: changed-py-files

@@ -12,6 +12,7 @@ jobs:
       name: pypi
       url: https://pypi.org/project/gsppy/
     permissions:
+      contents: write
       id-token: write
     steps:
       - uses: actions/checkout@v6
@@ -30,5 +31,29 @@ jobs:
         run: |
           python -m build
 
+      - name: Install Syft
+        uses: anchore/sbom-action/[email protected]
+
+      - name: Generate SBOM (CycloneDX)
+        run: syft packages dist -o cyclonedx-json=sbom.json
+
+      - name: Install sigstore
+        run: python -m pip install sigstore
+
+      - name: Sign distributions
+        run: sigstore sign dist/*.whl dist/*.tar.gz
+
+      - name: Upload release assets
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            dist/*.whl
+            dist/*.tar.gz
+            dist/*.whl.sig
+            dist/*.tar.gz.sig
+            dist/*.whl.pem
+            dist/*.tar.gz.pem
+            sbom.json
+
       - name: Publish package distributions to PyPI
         uses: pypa/[email protected]
@@ -199,6 +199,28 @@ make bench-big           # run large benchmark
 > [!NOTE]
 > Tox in this project uses the "tox-uv" plugin. When running `make tox` or `tox`, missing Python interpreters can be provisioned automatically via uv (no need to pre-install all versions). This makes local setup faster.
 
+## 🔏 Release assets and verification
+
+Every GitHub release bundles artifacts to help you validate what you download:
+
+- Built wheels and source distributions produced by the automated publish workflow.
+- `sbom.json` (CycloneDX) generated with [Syft](https://github.com/anchore/syft).
+- Sigstore-generated `.sig` and `.pem` files for each artifact, created using GitHub OIDC identity.
+
+To verify a downloaded artifact from a release:
+
+```bash
+python -m pip install sigstore  # installs the CLI
+sigstore verify identity \
+  --certificate gsppy-<version>-py3-none-any.whl.pem \
+  --signature gsppy-<version>-py3-none-any.whl.sig \
+  --cert-identity "https://github.com/jacksonpradolima/gsp-py/.github/workflows/publish.yml@refs/tags/v<version>" \
+  --cert-oidc-issuer https://token.actions.githubusercontent.com \
+  gsppy-<version>-py3-none-any.whl
+```
+
+Replace `<version>` with the release tag and adjust the filenames for the sdist (`.tar.gz`) if preferred. The same release page also hosts `sbom.json` for supply-chain inspection.
+
 ## 💡 Usage
 
 The library is designed to be easy to use and integrate with your own projects. You can use GSP-Py either programmatically (Python API) or directly from the command line (CLI).