Add provenance and SBOM support to Python SDK release workflow

[coderabbitai]

Overview

Enhance the Python SDK release workflow to include supply chain security features: provenance and Software Bill of Materials (SBOM) generation.

Background

During review of PR #264, it was identified that the release workflow should include:

1. Provenance: Cryptographic proof of how the package was built using GitHub's OIDC tokens
2. SBOM: Software Bill of Materials listing all dependencies for security scanning and compliance

Implementation Requirements

Provenance

• Add --provenance flag to uv publish command
• This will automatically generate and upload cryptographic signatures to PyPI
• Enables users to verify packages weren't tampered with and came from the official repo

SBOM Generation

• Generate requirements file: uv export --format=requirements-txt > requirements.txt
• Create SBOM using tools like cyclonedx-py or pip-audit
• Upload SBOM as workflow artifact and/or attach to GitHub release

Benefits

• Enhanced Security: Users can verify package authenticity
• Vulnerability Tracking: SBOMs enable automated security scanning
• Compliance: Meet enterprise requirements for software supply chain transparency
• Industry Best Practice: Aligns with modern software security standards

Acceptance Criteria

• uv publish --provenance flag added to release workflow
• SBOM generation integrated into workflow
• SBOM uploaded as workflow artifact
• Documentation updated to explain provenance/SBOM benefits
• Verify provenance appears correctly on PyPI

References

• Original discussion: Implement version check for beta indicator in publish workflow and adding release workflow #264 (comment)
• Related PR: Implement version check for beta indicator in publish workflow and adding release workflow #264
• Requested by: @NiveditJain

[NiveditJain]

We need to check if this is working as expected.