chore: prepare release 4.5.3

.env.example

@@ -13,7 +13,7 @@
 # HOST=0.0.0.0                       # Uvicorn bind host (only when APP_MODE=web).
 # PORT=8080                          # Uvicorn port.
 # WORKERS=1                          # Uvicorn worker count.
-APP_VERSION=v4.5.2                 # Matches dockerhub compose.
+APP_VERSION=v4.5.3                 # Matches dockerhub compose.
 
 ############################
 # Theming

CHANGELOG.md

@@ -8,6 +8,9 @@ This format follows Keep a Changelog principles and aims for Semantic Versioning
 - Link PRs/issues inline when helpful, e.g., (#123) or [#123]. Reference-style links at the bottom are encouraged for readability.
 
 ## [Unreleased]
+_No unreleased changes yet._
+
+## [4.5.3] - 2026-04-02
 ### Added
 - **SBOM & supply chain provenance**: Every tagged release now attaches source SBOMs (SPDX + CycloneDX JSON) for Python dependencies and a CycloneDX container image SBOM to the GitHub Release assets. Build provenance attestations (SLSA-style) are published for the multi-arch Docker image via the GitHub Attestations API. `provenance: mode=max` is enabled on all arch builds.
 

RELEASE_NOTES_TEMPLATE.md

@@ -1,6 +1,9 @@
 # MTG Python Deckbuilder
 
 ## [Unreleased]
+_No unreleased changes yet._
+
+## [4.5.3] - 2026-04-02
 ### Added
 - **SBOM & supply chain provenance**: Every tagged release now attaches source SBOMs (SPDX + CycloneDX JSON) for Python dependencies and a CycloneDX container image SBOM to the GitHub Release assets. Build provenance attestations (SLSA-style) are published for the multi-arch Docker image via the GitHub Attestations API. `provenance: mode=max` is enabled on all arch builds.
 

docker-compose.yml

@@ -144,7 +144,7 @@ services:
       # WEB_THEME_FILTER_PREWARM: "0"
       WEB_AUTO_ENFORCE: "0"         # 1=auto-run compliance export after builds
       WEB_CUSTOM_EXPORT_BASE: ""    # Optional: custom base dir for deck export artifacts
-      APP_VERSION: "v4.5.2"         # Displayed version label (set per release/tag)
+      APP_VERSION: "v4.5.3"         # Displayed version label (set per release/tag)
 
       # ------------------------------------------------------------------
       # Misc / Land Selection (Step 7) Environment Tuning

dockerhub-docker-compose.yml

@@ -146,7 +146,7 @@ services:
       # WEB_THEME_FILTER_PREWARM: "0"
       WEB_AUTO_ENFORCE: "0"         # 1=auto-run compliance export after builds
       WEB_CUSTOM_EXPORT_BASE: ""    # Optional: custom base dir for deck export artifacts
-      APP_VERSION: "v4.5.2"         # Displayed version label (set per release/tag)
+      APP_VERSION: "v4.5.3"         # Displayed version label (set per release/tag)
 
       # ------------------------------------------------------------------
       # Misc / Land Selection (Step 7) Environment Tuning

docs/releases/v4.5.3.md

@@ -0,0 +1,17 @@
+# MTG Python Deckbuilder v4.5.3
+
+## Added
+- **SBOM & supply chain provenance**: Every tagged release now attaches source SBOMs (SPDX + CycloneDX JSON) for Python dependencies and a CycloneDX container image SBOM to the GitHub Release assets. Build provenance attestations (SLSA-style) are published for the multi-arch Docker image via the GitHub Attestations API. `provenance: mode=max` is enabled on all arch builds.
+
+### Verifying attestations
+
+```bash
+gh attestation verify oci://docker.io/mwisnowski/mtg-python-deckbuilder:latest \
+  --repo mwisnowski/mtg_python_deckbuilder
+```
+
+### Inspecting an SBOM
+
+```bash
+syft convert sbom-source.cyclonedx.json -o table
+```

pyproject.toml

@@ -5,7 +5,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "mtg-deckbuilder"
-version = "4.5.2"
+version = "4.5.3"
 description = "A command-line tool for building and analyzing Magic: The Gathering decks"
 readme = "README.md"
 license = {file = "LICENSE"}