# MTG Python Deckbuilder v4.5.3

## Added

- **SBOM & supply chain provenance**: Every tagged release now attaches source SBOMs (SPDX + CycloneDX JSON) for Python dependencies and a CycloneDX container image SBOM to the GitHub Release assets. Build provenance attestations (SLSA-style) are published for the multi-arch Docker image via the GitHub Attestations API. `provenance: mode=max` is enabled on all arch builds.

### Verifying attestations

```bash
gh attestation verify oci://docker.io/mwisnowski/mtg-python-deckbuilder:latest \
  --repo mwisnowski/mtg_python_deckbuilder
```

### Inspecting an SBOM

```bash
syft convert sbom-source.cyclonedx.json -o table
```
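
Because a CycloneDX SBOM is attached to every tagged release, two releases can be compared to review dependency changes before upgrading. The following is an added example, not code from this project: the function names are hypothetical and both SBOM documents are constructed sample data, shaped like a file such as `sbom-source.cyclonedx.json`.

```python
import json

def _sbom(components):
    # Build a minimal CycloneDX JSON document for the demo below.
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5",
                       "components": components})

# Constructed sample data, not taken from the project's release assets.
OLD_SBOM = _sbom([
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0"},
    {"type": "library", "name": "numpy", "version": "1.26.0",
     "purl": "pkg:pypi/numpy@1.26.0"},
    {"type": "library", "name": "six", "version": "1.16.0",
     "purl": "pkg:pypi/six@1.16.0"},
])
NEW_SBOM = _sbom([
    {"type": "library", "name": "requests", "version": "2.32.3",
     "purl": "pkg:pypi/requests@2.32.3"},
    {"type": "library", "name": "numpy", "version": "1.26.0",
     "purl": "pkg:pypi/numpy@1.26.0"},
    {"type": "library", "name": "fastapi", "purl": "pkg:pypi/fastapi"},
])

def load_components(sbom_text):
    """Map each component (purl without version, else name) to its version."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON SBOM")
    found = {}
    for comp in doc.get("components", []):
        purl = comp.get("purl", "")
        # Drop "@version" so the same package pairs up across releases.
        key = purl.split("@", 1)[0] if purl else comp.get("name", "<unnamed>")
        found[key] = comp.get("version")  # None when no version is recorded
    return found

def diff_sboms(old_text, new_text):
    """Report added, removed, re-versioned and unversioned components."""
    old, new = load_components(old_text), load_components(new_text)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k])
                          for k in old if k in new and old[k] != new[k]),
        "unversioned": sorted(k for k, v in new.items() if v is None),
    }

if __name__ == "__main__":
    print(json.dumps(diff_sboms(OLD_SBOM, NEW_SBOM), indent=2))
```

Components reported as `unversioned` cannot be matched against vulnerability advisories, so they deserve a manual look.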