This project implements several security measures to protect against supply chain attacks:

All GitHub Actions are pinned to immutable SHA commit hashes instead of mutable version tags.

Why this matters:

• Version tags like @v4 can be moved by attackers who compromise a repository
• SHA commits are cryptographically immutable - they cannot be changed
• This protects against tag poisoning attacks

Example:

# ❌ INSECURE - Tag can be moved
- uses: actions/checkout@v4

# ✅ SECURE - SHA is immutable
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

Dependabot automatically monitors and updates our pinned GitHub Actions:

• Weekly scans for security updates
• Automated pull requests for new versions
• Groups related updates to reduce PR noise

See .github/dependabot.yml for configuration.

Workflows use the principle of least privilege:

permissions:
  contents: write      # Only what's needed
  id-token: write      # For future SLSA provenance

Default GITHUB_TOKEN permissions are restricted to only what each job requires.

• Secrets are managed via 1Password Service Accounts
• Tokens are scoped per-step to minimize exposure
• Warning: Current implementation exposes service account token to all steps (see Line 28 in release.yml)

Recommended improvement:

with:
  export-env: true
  unset-previous: true  # Clear secrets after use

Please report security vulnerabilities to the repository maintainers privately.

Do not open public issues for security vulnerabilities.

See Phase 2 Security Improvements for planned enhancements:

• SLSA provenance generation
• Artifact signing with Sigstore
• Dependency verification
• Enhanced secret scoping