
[codex] Add release artifact checksum manifest#24

Merged
stacknil merged 1 commit into main from codex/add-release-checksum-manifest on Apr 28, 2026

Conversation

@stacknil
Owner

Brief Design Summary

This PR adds a deterministic checksum manifest for sbom-diff-and-risk release artifacts.

The tag-gated release path now generates sbom-diff-and-risk-SHA256SUMS.txt after building the wheel and sdist. The manifest is filename-sorted, included in the workflow artifact, and uploaded alongside the GitHub Release assets on v* tag pushes.

This adds a simple reviewer/consumer verification layer next to the existing GitHub artifact attestation and release provenance story. It does not change CLI behavior, package metadata, TestPyPI behavior, production PyPI status, or release tags.

Files Changed

  • .github/workflows/sbom-diff-and-risk-ci.yml
  • tools/sbom-diff-and-risk/README.md
  • tools/sbom-diff-and-risk/docs/release-provenance.md
  • tools/sbom-diff-and-risk/docs/reviewer-evidence-pack.md
  • tools/sbom-diff-and-risk/docs/verification.md

Validation

Local validation completed:

python -m build
python -m twine check dist\*.whl dist\*.tar.gz
git diff --check

The local checksum manifest included both expected files, in deterministic filename order:

sbom_diff_and_risk-0.5.0-py3-none-any.whl
sbom_diff_and_risk-0.5.0.tar.gz

PowerShell Get-FileHash verification passed locally.

Additional checks:

  • release publishing remains tag-gated on refs/tags/v
  • TestPyPI workflow still defaults to no-publish
  • no production PyPI workflow exists
  • package version remains unchanged
  • no CLI behavior changed
  • release upload no longer uses gh release upload --clobber
  • attestation subject remains the built wheel and source distribution; the manifest verifies their hashes and is documented as local byte-integrity evidence, not as a replacement for provenance

Out of Scope

  • No CLI changes
  • No package version bump
  • No new GitHub Release
  • No production PyPI workflow
  • No TestPyPI behavior change
  • No immutable release enablement
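As an added example, not code from the PR or the project's workflow, here is a POSIX shell version of the manifest step the description summarises: build a filename-sorted SHA256SUMS file from a dist directory, check that it is in fact sorted, and verify downloaded artifacts against it. Function names and paths are my own.

```shell
# Added example (not the project's workflow code). Assumes GNU coreutils
# sha256sum and sort, as on an ubuntu-latest runner.
set -eu

# Write one "<sha256>  <filename>" line per wheel/sdist in DIST_DIR to OUT.
# Names are sorted under LC_ALL=C so the manifest is byte-identical on every
# run, regardless of directory listing order or the runner's locale.
make_manifest() {
  dist_dir="$1"; out="$2"
  (
    cd "$dist_dir"
    for f in *.whl *.tar.gz; do
      if [ -f "$f" ]; then printf '%s\n' "$f"; fi   # skip unmatched globs
    done | LC_ALL=C sort | while IFS= read -r f; do sha256sum "$f"; done
  ) > "$out"
  [ -s "$out" ]   # fail rather than publish an empty manifest
}

# Reviewer check: confirm the manifest really is sorted by filename (field 2).
manifest_is_sorted() {
  LC_ALL=C sort -c -k2 "$1"
}

# Consumer check: every listed file must exist in DIST_DIR and hash to the
# recorded value; a mismatch, missing file or malformed line is a failure.
verify_manifest() {
  dist_dir="$1"
  manifest="$(cd "$(dirname "$2")" && pwd)/$(basename "$2")"
  ( cd "$dist_dir" && sha256sum --check --strict "$manifest" )
}
```

On Windows the equivalent consumer check is the Get-FileHash comparison the PR description mentions; the manifest format is the same.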

@stacknil stacknil merged commit b15769c into main Apr 28, 2026
5 checks passed
@stacknil stacknil deleted the codex/add-release-checksum-manifest branch April 28, 2026 10:01

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bce65667a6


--notes "Release assets for ${RELEASE_TAG}. See docs/release-provenance.md for provenance verification guidance."
fi

gh release upload "${RELEASE_TAG}" "${assets[@]}" --repo "${GH_REPO}"

P1: Keep release upload idempotent for draft reruns

The publish step now calls gh release upload without --clobber, which makes tag-job reruns fail when a draft release already contains assets with the same filenames (for example after a partial prior run). GitHub CLI documents --clobber as the way to overwrite same-name assets, so removing it turns a previously recoverable rerun path into a hard failure before gh release edit can publish the draft.
