diff --git a/.github/workflows/build_bundle.yml b/.github/workflows/build_bundle.yml
index 3914f33b..dfd05230 100644
--- a/.github/workflows/build_bundle.yml
+++ b/.github/workflows/build_bundle.yml
@@ -17,6 +17,16 @@ on:
         required: true
         type: string
         default: "Latest"
+    outputs:
+      commit:
+        description: "The commit that has been checked out"
+        value: ${{ jobs.build-bundle.outputs.commit }}
+      branch:
+        description: "The branch that has been checked out"
+        value: ${{ jobs.build-bundle.outputs.branch }}
+      attestation-url:
+        description: "The url to the attestations"
+        value: ${{ jobs.attest-bundle.outputs.attestation-url }}
   workflow_dispatch:
     inputs:
       build_type:
@@ -25,14 +35,26 @@ on:
         default: "Release"
 
 jobs:
-  build_bundle:
+  build-bundle:
     name: Build bundle
     runs-on: ubuntu-latest
+    outputs:
+      commit: ${{ steps.current-commit.outputs.commit }}
+      branch: ${{ steps.current-commit.outputs.branch }}
+      version: ${{ steps.output-version.outputs.version }}
 
     steps:
 
       - name: Checkout main repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
+
+      - name: Get current commit
+        id: current-commit
+        run: |
+          echo "commit=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+          echo "branch=$(git symbolic-ref HEAD)" >> $GITHUB_OUTPUT
+          echo "commit=$(git rev-parse HEAD)"
+          echo "branch=$(git symbolic-ref HEAD)"
 
       - name: Prepare Blender install
         uses: gerlero/apt-install@v1
@@ -65,6 +87,31 @@ jobs:
 
       - name: Upload artifact
         uses: actions/upload-artifact@v4
+        id: upload
         with:
           name: "BlendLuxCore"
           path: "${{ github.workspace }}/build/out/BlendLuxCore-*.zip"
+
+  attest-wheels:
+    needs: [build-bundle]
+    runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      id-token: write
+    outputs:
+      attestation-url: ${{ steps.attestation-step.outputs.attestation-url }}
+
+    steps:
+      - uses: actions/download-artifact@v7
+        if: ${{ !env.ACT }}
+        with:
+          pattern: BlendLuxCore*.zip
+          path: ${{ github.workspace }}/dist
+          merge-multiple: false
+
+      - name: Generate artifact attestations
+        id: attestation-step
+        if: ${{ !env.ACT }}
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: ${{ github.workspace }}/dist/*
diff --git a/.github/workflows/bundle_release.yml b/.github/workflows/bundle_release.yml
deleted file mode 100644
index d0258127..00000000
--- a/.github/workflows/bundle_release.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-# SPDX-FileCopyrightText: 2025 Howetuft
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-name: BlendLuxCore Create Release
-
-on:
-  release:
-    types:
-      - published
-
-jobs:
-  build_latest:
-    name: Build Latest Bundle
-    uses: ./.github/workflows/build_bundle.yml
-    with:
-      build_type: "Release"
-
-  create_release:
-    name: Create release
-    runs-on: ubuntu-latest
-    needs: build_latest
-    steps:
-
-      - name: Checkout main repository
-        uses: actions/checkout@v4
-
-      - name: Get Bundle
-        uses: actions/download-artifact@v4
-        with:
-          name: "BlendLuxCore"
-          path: "${{ github.workspace }}/download/"
-
-      - name: Release
-        uses: softprops/action-gh-release@v2
-        if: github.event_name == 'release'
-        with:
-          files: "${{ github.workspace }}/download/BlendLuxCore-*.zip"
diff --git a/.github/workflows/release_bundle.yml b/.github/workflows/release_bundle.yml
new file mode 100644
index 00000000..4240c1f0
--- /dev/null
+++ b/.github/workflows/release_bundle.yml
@@ -0,0 +1,119 @@
+# SPDX-FileCopyrightText: 2024 Howetuft
+#
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: BlendLuxCore Create Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      release-version:
+        description: "Release version (major.minor.patch[-pre])"
+        required: True
+        default: ''
+        type: string
+      allow-updates:
+        description: "Update existing release (if any)"
+        required: True
+        type: boolean
+        default: True
+      rebuild-all:
+        description: "Rebuild all"
+        required: True
+        type: boolean
+        default: False
+
+jobs:
+  check-version:
+    name: 'Check version compliance'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check version compliance
+        if: ${{ inputs.release-version != '' }}
+        shell: python
+        run: |
+          import sys
+          import re
+          version = "${{ inputs.release-version }}"
+          semver_regex = r"^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)(?:-(?P<prerelease>(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+(?P<buildmetadata>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
+          res = re.fullmatch(semver_regex, version)
+          if res:
+            print("::notice::Version number OK ('{version}')")
+          else:
+            message = [
+              f"::error::INVALID RELEASE VERSION NUMBER '{version}'",
+              "Version must comply to Semantic Versioning standard:",
+              "\n\tmajor.minor.patch[-pre]\n",
+              "See https://semver.org for more information",
+              "or leave the field blank for default value\n"
+            ]
+            print("\n".join(message))
+            sys.exit(1)
+
+  call-build-bundle:
+    name: 'Build BlendLuxCore Bundle'
+    needs: [check-version]
+    uses: ./.github/workflows/build_bundle.yml
+    with:
+      build_type: Release
+
+  create-release:
+    name: 'Create release'
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    needs: [call-build-bundle]
+    permissions:
+      id-token: write
+      attestations: write
+      contents: write
+    steps:
+      - run: |
+          _version=${{ inputs.release-version }}
+          echo "Creating release '${_version}'"
+          echo "RELEASE_TAG=v${_version}" >> "$GITHUB_ENV"
+      - uses: actions/checkout@v6
+      - run: mkdir ${{ github.workspace }}/dist
+      - uses: actions/download-artifact@v7
+        with:
+          path: ${{ github.workspace }}/dist
+          merge-multiple: false
+
+      - name: Display structure of downloaded files
+        run: ls -Rl ${{ github.workspace }}/dist
+
+      #- name: Re-zip artifacts
+        #working-directory: ${{ github.workspace }}/dist
+        #run: |
+          #mkdir ../artifacts
+          #for d in */ ; do
+              #d2=${d%/}
+              #echo "zip ${d2}"
+              #zip -j ../artifacts/${d2}.zip ${d2}/*
+          #done
+
+      - id: make-release
+        # Use full length commit SHA, otherwise CodeQL complains...
+        uses: ncipollo/release-action@cdcc88a9acf3ca41c16c37bb7d21b9ad48560d87
+        with:
+          name: "BlendLuxCore ${{ env.RELEASE_TAG }}"
+          tag: ${{ env.RELEASE_TAG }}
+          artifacts: ${{ github.workspace }}/dist/*
+          removeArtifacts: true
+          allowUpdates: ${{ inputs.allow-updates }}
+          draft: true
+          token: ${{ secrets.GITHUB_TOKEN }}
+          updateOnlyUnreleased: true
+          body: |
+            ## BlendLuxCore
+
+            This release was built from the following point in LuxCoreRender/BlendLuxCore:
+            - Branch: ${{ needs.call-build-bundle.outputs.branch }}
+            - Commit: ${{ needs.call-build-bundle.outputs.commit }}
+
+            Attestations:
+            ${{ needs.call-build-bundle.outputs.attestation-url }}
+
+      - run: |
+          echo "### Release""" >> $GITHUB_STEP_SUMMARY
+          echo ${{ steps.make-release.outputs.html_url }} >> $GITHUB_STEP_SUMMARY