diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d0c89c8..ce20ae7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,7 @@ jobs:
 build-wheels:
 name: Build wheels on ${{ matrix.os }}
 runs-on: ${{ matrix.os }}
+ if: github.repository == 'williajm/forgery'
 strategy:
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
@@ -44,6 +45,7 @@ jobs:
 build-sdist:
 name: Build source distribution
 runs-on: ubuntu-latest
+ if: github.repository == 'williajm/forgery'
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -62,6 +64,7 @@ jobs:
 sbom:
 name: Generate SBOM
 runs-on: ubuntu-latest
+ if: github.repository == 'williajm/forgery'
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -89,12 +92,14 @@ jobs:
 name: Publish to PyPI
 needs: [build-wheels, build-sdist, sbom]
 runs-on: ubuntu-latest
+ if: github.repository == 'williajm/forgery'
 environment:
 name: pypi
 url: https://pypi.org/p/forgery
 permissions:
 id-token: write
 attestations: write
+ contents: write
 steps:
 - name: Download all artifacts
@@ -108,6 +113,14 @@ jobs:
 with:
 name: sbom
+ - name: Generate SHA256 checksums
+ run: |
+ cd dist
+ sha256sum *.whl *.tar.gz > ../SHA256SUMS.txt
+ cd ..
+ echo "SHA256 checksums:"
+ cat SHA256SUMS.txt
+
 - name: Attest build provenance
 uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
 with:
@@ -123,3 +136,8 @@ jobs:
 env:
 GH_TOKEN: ${{ github.token }}
 run: gh release upload "${{ github.ref_name }}" sbom.cdx.json --clobber
+
+ - name: Upload SHA256SUMS to GitHub Release
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: gh release upload "${{ github.ref_name }}" SHA256SUMS.txt --clobber
diff --git a/requirements-dev.txt b/requirements-dev.txt
index 1f7ddc6..97ffe60 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
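Review bot: The `if: github.repository == 'williajm/forgery'` guard added to `build-wheels` in release.yml (and repeated in the `build-sdist`, `sbom` and "Publish to PyPI" hunks) carries no comment explaining why it is there. On any other repository name every job is skipped, so a later rename or transfer would yield a release run that finishes without publishing anything. A one-line comment above the first guard, such as `# Release only from the canonical repository; forks must not build or publish`, would record the intent. Each job body continues outside its hunk.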
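Review bot: Adding `contents: write` to the `permissions` block of the "Publish to PyPI" job in release.yml puts a repository-write token in the same job that already holds `id-token: write` and `attestations: write`, so every step and third-party action in that job can now modify releases and repository contents. From the visible lines only the `gh release upload` steps need it, so at minimum annotate the line, e.g. `contents: write  # only for the gh release upload steps below`. A tighter layout would move those uploads into a small follow-up job that declares `contents: write` alone. The job's step list continues outside this hunk, so whether anything else there needs write access is not visible.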
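Review bot: `SHA256SUMS.txt` from the new "Generate SHA256 checksums" step in release.yml is written next to `dist/` and, as far as this hunk shows, is not covered by the attestation that follows. It therefore gives consumers an integrity check but no authenticity beyond trusting a release asset that `--clobber` can replace. The `with:` block of "Attest build provenance" continues outside the hunk; if it currently uses `subject-path`, consider `subject-checksums: SHA256SUMS.txt` instead so the attested subjects are exactly the digests being published. A comment above the step such as `# Convenience checksums; verify provenance via the attestation, not this file alone` would make the trust model explicit.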
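Review bot: The new "Upload SHA256SUMS to GitHub Release" step in release.yml expands `${{ github.ref_name }}` inside the `run:` script, so the ref name is pasted into the shell text before bash parses it, and the surrounding double quotes do not neutralise command substitution in a tag name. Because this job holds `id-token: write` and `contents: write`, pass the value through the environment instead: add `TAG: ${{ github.ref_name }}` under `env:` and use `run: gh release upload "$TAG" SHA256SUMS.txt --clobber`. The SBOM upload step shown as context just above has the same pattern and should get the same change. The workflow trigger is outside the hunk, so who can create the ref is not visible here.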
@@ -1,5 +1,5 @@ # This file was autogenerated by uv via the following command: -# uv pip compile pyproject.toml --extra dev --universal --generate-hashes -o requirements-dev.txt +# uv pip compile pyproject.toml --extra dev --universal --generate-hashes --exclude-newer 2026-04-11T00:00:00Z -o requirements-dev.txt bandit==1.9.4 \ --hash=sha256:b589e5de2afe70bd4d53fa0c1da6199f4085af666fde00e8a034f152a52cd628 \ --hash=sha256:f89ffa663767f5a0585ea075f01020207e966a9c0f2b9ef56a57c7963a3f6f8e @@ -358,9 +358,9 @@ pygments==2.20.0 \ # via # pytest # rich -pytest==9.0.2 \ - --hash=sha256:711ffd45bf766d5264d487b917733b453d917afd2b0ad65223959f59089f875b \ - --hash=sha256:75186651a92bd89611d1d9fc20f0b4345fd827c41ccd5c299a868a05d70edf11 +pytest==9.0.3 \ + --hash=sha256:2c5efc453d45394fdd706ade797c0a81091eccd1d6e4bccfcd476e2b8e0ab5d9 \ + --hash=sha256:b86ada508af81d19edeb213c681b1d48246c1a91d304c6c81a427674c17eb91c # via # forgery (pyproject.toml) # pytest-asyncio