feat: add SBOM generation and build provenance attestation to release workflows (#69)

* feat: add SBOM generation and build provenance attestation to release workflows

* docs: update release notes template with SBOM unreleased entry

README.md

@@ -34,6 +34,7 @@ A web-first Commander/EDH deckbuilder with a shared core for CLI, headless, and
 - [Development setup](#development-setup)
 - [Troubleshooting](#troubleshooting)
 - [Contributing](#contributing)
+- [Supply chain security](#supply-chain-security)
 - [License & attribution](#license--attribution)
 - [Further reading](#further-reading)
 
@@ -446,6 +447,30 @@ Pull requests are welcome—follow the conventional commit style, keep diffs foc
 
 ---
 
+## Supply chain security
+Every tagged release includes SBOM (Software Bill of Materials) files attached to the GitHub Release assets:
+
+| File | Format | Contents |
+|------|--------|----------|
+| `sbom-source.spdx.json` | SPDX 2.x JSON | Python dependency tree from source |
+| `sbom-source.cyclonedx.json` | CycloneDX JSON | Python dependency tree from source |
+| `sbom-image-vX.Y.Z.cyclonedx.json` | CycloneDX JSON | Full container image (OS + app) |
+
+Build provenance attestations are published to the GitHub Attestations API for the multi-arch container image. To verify:
+
+```bash
+gh attestation verify oci://docker.io/mwisnowski/mtg-python-deckbuilder:latest \
+  --repo mwisnowski/mtg_python_deckbuilder
+```
+
+To inspect an SBOM locally (requires [Syft](https://github.com/anchore/syft)):
+
+```bash
+syft convert sbom-source.cyclonedx.json -o table
+```
+
+---
+
 ## License & attribution
 Licensed under the [MIT License](LICENSE). Card data and imagery are provided by [Scryfall](https://scryfall.com); please respect their [API terms](https://scryfall.com/docs/api).