Release artifacts and verification¶

This page lists Weblate release artifacts and maintained distribution channels and explains how to verify the artifacts that include published signatures, attestations, and SBOMs. For supported versions and security update coverage, see Releases and supported versions. For dependency monitoring and container vulnerability scanning, see Dependências.

Release artifact inventory¶

Weblate releases and maintained distribution channels are published through several channels. This inventory lists the artifacts described by this repository and where their publishing evidence is maintained. For artifacts maintained in Weblate-owned sibling repositories, the table cites the repository where the build and release automation lives.

Artifact or channel	Owning repository or location	Publishing target	Repository evidence	Notes
Source releases and GitHub release assets	`WeblateOrg/weblate`	GitHub releases	`.github/workflows/setup.yml`, `scripts/create-release`, `scripts/prepare-release`, and Criando lançamento do Weblate	Release assets include Python distribution archives, release notes, and the release SBOM.
Python package	`pyproject.toml`, `setup.py`, and `MANIFEST.in`	weblate	The distribution workflow builds, validates, signs, and publishes the package using PyPI trusted publishing.	The package metadata and dependencies are maintained in this repository.
Docker images	Weblate Docker repository	Docker Hub and GitHub Packages Docker registry	Weblate Dockerfile, Weblate Docker image workflow, Weblate Docker container CI workflow, Instalando usando Docker, Criando lançamento do Weblate, and `security.yaml`	The workflow builds multi-architecture images, runs container tests, scans with Anchore and Trivy, and publishes to Docker Hub and GitHub Packages. Published image digests are signed with Cosign, and the build publishes BuildKit SBOM and provenance attestations.
Kubernetes Helm chart	Weblate Helm repository	Weblate Helm repository endpoint and Artifact Hub	Weblate Helm chart, Weblate Helm release workflow, Weblate Helm test workflow, Weblate Helm dependency review workflow, and Instalando no Kubernetes	The chart release workflow uses Helm chart-releaser on changes under `charts/**`. Chart testing lints and installs the chart. Chart signing, chart provenance, and chart SBOM evidence were not found in the inspected Helm workflows.
Documentação	`docs/`, `docs/conf.py`, and `.readthedocs.yml`	Weblate documentation	`.github/workflows/docs.yml` and `.readthedocs.yml`	Read the Docs project settings are not stored in this repository.
Weblate Client package and releases	Weblate Client repository	wlc and Weblate Client GitHub releases	Weblate Client distribution workflow, Weblate Client metadata, and Weblate Client	The workflow builds and validates source and wheel artifacts, publishes to PyPI using trusted publishing, creates GitHub releases for tags, attaches package SBOM files to GitHub releases, and creates package provenance and SBOM attestations.
Weblate Client Docker image	Weblate Client repository	Weblate Client Docker image and Weblate Client GHCR registry	Weblate Client Dockerfile, Weblate Client Docker workflow, and Weblate Client	The workflow builds multi-architecture images, tests the command-line client image, scans with Anchore and Trivy, and publishes to Docker Hub and GitHub Packages. Published image digests are signed with Cosign, CycloneDX image SBOMs are generated with Syft, and image provenance and SBOM attestations are pushed to the registries.

The development Docker files in dev-docker/ and the fuzzing container definitions in .clusterfuzzlite/ are development and testing infrastructure, not production release artifacts.

Docker Compose files, including the Weblate Docker Compose repository and local override examples, are example deployment configurations rather than release artifacts. Operators typically adapt them for their own deployments and update Weblate primarily by selecting or pulling Docker image tags. They are not covered by the release signatures, SBOMs, or provenance statements on this page.

Lista de materiais de software¶

Weblate publishes a Software Bill of Material (SBOM) using the CycloneDX format for released versions. The SBOM is available as a versioned weblate-<version>-sbom.cdx.json file in the GitHub release assets and is also attached to the release provenance using GitHub artifact attestations. This can be used to review the dependencies for security issues or license compliance.

The release SBOM records document-level metadata for the CISA 2025 minimum elements, including the SBOM author, software producer, generation tools, timestamp, generation context, and Weblate release component identity. Dependency component details are emitted by the ecosystem SBOM generators used during the release. Python component license and hash completeness therefore depends on CycloneDX export support in uv.

Verifying release artifacts¶

The Weblate release workflow publishes verification material for the Weblate Python source distribution and wheel in GitHub release assets. Release assets include the package archives, Sigstore signature bundles, release notes, and the release SBOM. The same package archives are uploaded to PyPI using trusted publishing, but the Sigstore bundle files are not uploaded to PyPI because the release workflow removes files not accepted by PyPI before publishing.

Verify the files downloaded from GitHub release assets when you need the published signatures, attestations, and SBOM. PyPI package files can be compared to the matching GitHub release assets by filename and digest.

Release signatures¶

Weblate package archives are cryptographically signed using Sigstore signatures. The signature bundles are attached to the GitHub release next to the signed .tar.gz and .whl files.

The verification can be performed using the sigstore package. The following example verifies the wheel from the 5.4 release; adjust the version and filenames for the release you are checking:

sigstore verify github \
   --cert-identity https://github.com/WeblateOrg/weblate/.github/workflows/setup.yml@refs/tags/weblate-5.4 \
   --bundle Weblate-5.4-py3-none-any.whl.sigstore \
   Weblate-5.4-py3-none-any.whl

Release attestations¶

The release workflow creates two kinds of GitHub artifact attestations for the package archives:

Build provenance attestations generated by .github/workflows/setup.yml using actions/attest-build-provenance.
SBOM attestations generated by .github/workflows/setup.yml using actions/attest with the CycloneDX release SBOM.

The attestations can be verified using gh. The following example checks the build provenance attestation for the 5.4 wheel:

gh attestation verify Weblate-5.4-py3-none-any.whl \
   --repo WeblateOrg/weblate \
   --source-ref refs/tags/weblate-5.4 \
   --signer-workflow WeblateOrg/weblate/.github/workflows/setup.yml

Use the CycloneDX predicate type to verify the SBOM attestation attached to the same package artifact:

gh attestation verify Weblate-5.4-py3-none-any.whl \
   --repo WeblateOrg/weblate \
   --source-ref refs/tags/weblate-5.4 \
   --signer-workflow WeblateOrg/weblate/.github/workflows/setup.yml \
   --predicate-type https://cyclonedx.org/bom

SBOM and checksums¶

The release SBOM is a CycloneDX JSON file named weblate-<version>-sbom.cdx.json and is attached to GitHub release assets. The SBOM attestation is attached to the package archives, not to the SBOM file as a separate release artifact.

Weblate does not currently publish a separate checksum manifest such as SHA256SUMS for release artifacts.

Other release channels¶

The release artifact inventory does not currently identify signatures, SBOMs, or provenance attestations for Helm charts. The verification instructions in this section apply to the Weblate Python release artifacts published by this repository. Docker image and Weblate Client supply-chain metadata is published by their owning repositories.