diff --git a/.charter/config.json b/.charter/config.json
new file mode 100644
index 0000000..458cb6e
--- /dev/null
+++ b/.charter/config.json
@@ -0,0 +1,8 @@
+{
+ "drift": {
+ "enabled": true,
+ "include": [
+ ".github/workflows/*.yml"
+ ]
+ }
+}
diff --git a/.charter/patterns/floating-action-pins.json b/.charter/patterns/floating-action-pins.json
new file mode 100644
index 0000000..e094416
--- /dev/null
+++ b/.charter/patterns/floating-action-pins.json
@@ -0,0 +1,10 @@
+{
+ "id": "floating-action-pins",
+ "name": "Floating Action Pins",
+ "category": "SECURITY",
+ "status": "ACTIVE",
+ "anti_patterns": "uses: (?!Stackbilt-dev/)(?!\\./)[^@]+@v[\\d]",
+ "blessed_solution": "Pin to full commit SHA with a # vX.Y.Z comment: uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4",
+ "rationale": "Tag-based action pins are mutable — a supply chain attacker can move the tag to a malicious commit. SHA pins are immutable.",
+ "created_at": "2026-05-20T00:00:00.000Z"
+}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2c80157..8ac5c24 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,8 +13,8 @@ jobs:
 matrix:
 node-version: [18, 20, 22]
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: ${{ matrix.node-version }}
 - run: npm ci --ignore-scripts
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0a54a28..c97dcbe 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
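Review bot: The drift scope `".github/workflows/*.yml"` leaves out workflow files with the `.yaml` extension, which GitHub Actions also runs, so such a file would never be checked against the floating-action-pins pattern. If the charter matcher supports brace expansion, `".github/workflows/*.{yml,yaml}"` closes the gap; otherwise add a second entry `".github/workflows/*.yaml"`. Whether the globber handles braces is not visible here, so the two-entry form is the safer choice.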
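Review bot: The `anti_patterns` regex only fires on `@v` followed by a digit, so a reference to a branch such as `@main` or `@master`, or any non-`v` tag, passes the check even though it is at least as mutable as a version tag. Inverting the test so that any `uses:` ref that is not a 40-hex commit SHA is flagged covers those cases: `"anti_patterns": "uses: (?!Stackbilt-dev/)(?!\\./)[^@]+@(?![0-9a-f]{40}\\b)"`. The `blessed_solution` text is also internally inconsistent, asking for a `# vX.Y.Z` comment while its own example shows the major-only `# v4`; make the example match the rule so the workflows that copy it record the full release. It may be worth stating in `rationale` that `Stackbilt-dev/` refs are deliberately exempt, since the regex never examines them.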
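Review bot: The new pins carry a major-only comment `# v6`, which cannot be checked against the SHA and does not tell a reader which release was actually pinned, while the pattern file added in this commit asks for a `# vX.Y.Z` comment. Record the full tag the SHA resolves to, e.g. `# v6.<minor>.<patch>` (placeholder — substitute the release actually resolved), so the comment can be verified and kept in step by dependency-update tooling. The same applies to the two pins in the publish.yml hunk. The steps list of this job continues outside the hunk.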
@@ -11,8 +11,8 @@ jobs:
 contents: read
 id-token: write # Required for npm provenance
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: 22
 registry-url: https://registry.npmjs.org
diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/supply-chain.yml
new file mode 100644
index 0000000..28181bb
--- /dev/null
+++ b/.github/workflows/supply-chain.yml
@@ -0,0 +1,18 @@
+name: Supply Chain
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+jobs:
+ sbom:
+ uses: Stackbilt-dev/stackbilt_llc/.github/workflows/supply-chain-sbom.yml@c87defbe10de10c7d53653338d330bcd48d41746
+ with:
+ node-version: '22'
+ package-manager: 'npm'
+
+ dep-review:
+ if: github.event_name == 'pull_request'
+ uses: Stackbilt-dev/stackbilt_llc/.github/workflows/supply-chain-dep-review.yml@c87defbe10de10c7d53653338d330bcd48d41746
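Review bot: The new workflow declares no top-level `permissions:` block, so both caller jobs run the reusable workflows with the repository's default `GITHUB_TOKEN` permissions rather than an explicit least-privilege set, unlike publish.yml in this same commit which states `contents: read` and `id-token: write`. Add `permissions:` with `contents: read` at the top level and grant only what the called workflows need; what supply-chain-sbom.yml and supply-chain-dep-review.yml actually require (for instance `pull-requests: write` if dep-review posts a comment) is not visible here and should be confirmed from the pinned revision. A short comment beside each `uses:` ref naming the tag or branch the SHA was taken from would also help reviewers, since the floating-action-pins pattern exempts `Stackbilt-dev/` refs from its check.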