diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml index 3f67be8b..8e2b12c7 100644 --- a/.github/workflows/auto-tag.yml +++ b/.github/workflows/auto-tag.yml @@ -74,6 +74,8 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + id-token: write # for sigstore signing via GitHub OIDC + attestations: write # for actions/attest-build-provenance steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0 @@ -257,6 +259,21 @@ jobs: cat CHANGELOG.md + - name: Generate SBOM (SPDX-JSON) + uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 + with: + path: . + format: spdx-json + artifact-name: rox-${{ needs.auto-tag.outputs.version }}.spdx.json + output-file: rox-${{ needs.auto-tag.outputs.version }}.spdx.json + upload-artifact: false + upload-release-assets: false + + - name: Attest SBOM provenance + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + with: + subject-path: rox-${{ needs.auto-tag.outputs.version }}.spdx.json + - name: Create Release uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 with: @@ -265,5 +282,7 @@ jobs: body_path: CHANGELOG.md prerelease: ${{ steps.check.outputs.is_prerelease }} draft: false + files: | + rox-${{ needs.auto-tag.outputs.version }}.spdx.json env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 32be4490..f562644a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -41,6 +41,8 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + id-token: write # for sigstore signing via GitHub OIDC + attestations: write # for actions/attest-build-provenance steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.0 
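Review bot: `id-token: write` and `attestations: write` are granted at job level, so every step in this job — the third-party `anchore/sbom-action` and `softprops/action-gh-release` steps included, not only `actions/attest-build-provenance` — can request a GitHub OIDC token for this repository. The SHA pinning already in place limits the exposure, but if the job grows, consider moving the attest step into its own job that downloads the SBOM as an artifact and holds `id-token: write` and `attestations: write` alone, leaving this job with `contents: write` only. The same permissions block is added in the release.yml hunk at `@@ -41,6 +41,8 @@`.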
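Review bot: The `Attest SBOM provenance` step passes the SBOM itself as `subject-path`, so the resulting attestation only states that this workflow produced the `rox-<version>.spdx.json` file; it does not bind the SBOM to any release binary, and nothing in this hunk attests the binaries themselves. If the intent is a verifiable SBOM for the release, `actions/attest-sbom` with `sbom-path:` pointing at the SPDX file and `subject-path:` at the built artefacts is the purpose-built form, with `attest-build-provenance` reserved for the binaries. The SBOM is also generated from `path: .`, the checked-out source tree, so it describes source-level dependencies rather than what ends up in a shipped binary — worth a comment such as `# SBOM of the source tree at this tag, not of the built binaries`. `artifact-name:` is set although `upload-artifact: false` is also set, so that input has no effect and could be dropped. The same steps are added in release.yml at `@@ -257,6 +259,21 @@`, keyed on `steps.version.outputs.version` instead.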
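Review bot: `files:` adds the SBOM to the release, but `softprops/action-gh-release` by default only warns when a listed file is missing, so a failed or skipped SBOM step would still publish a release without it. Add `fail_on_unmatched_files: true` next to `files:` so the release fails closed instead of shipping without its SBOM. The attestation itself is not attached as an asset; consumers need to know it lives in the repository's attestation store, so a comment like `# provenance attestation is stored by actions/attest-build-provenance; verify with gh attestation verify` would help. The `Create Release` step's `with:` block begins before this hunk. The same `files:` addition appears in release.yml at `@@ -266,5 +283,7 @@`.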
@@ -257,6 +259,21 @@ jobs: cat CHANGELOG.md + - name: Generate SBOM (SPDX-JSON) + uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 + with: + path: . + format: spdx-json + artifact-name: rox-${{ steps.version.outputs.version }}.spdx.json + output-file: rox-${{ steps.version.outputs.version }}.spdx.json + upload-artifact: false + upload-release-assets: false + + - name: Attest SBOM provenance + uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + with: + subject-path: rox-${{ steps.version.outputs.version }}.spdx.json + - name: Create Release uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 with: @@ -266,5 +283,7 @@ jobs: prerelease: ${{ steps.check.outputs.is_prerelease }} draft: false generate_release_notes: false + files: | + rox-${{ steps.version.outputs.version }}.spdx.json env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.gitignore b/.gitignore index f3a37c09..3a59f6fb 100644 --- a/.gitignore +++ b/.gitignore @@ -94,5 +94,9 @@ docker/certs/*-key.pem # cipher data cipherdata/ cipher.yml + # Jujutsu .jj/ + +# Playwright MCP snapshots / screenshots (test artifacts) +.playwright-mcp/