Security: CI/CD supply-chain & credential hardening

## CI/CD supply-chain & credential hardening — code-navigator

Part of the org-wide **shaharia-lab CI/CD supply-chain security** initiative (credentials first → pinning → provenance). Tracked centrally in the `.github` epic.

**Severity:** Medium 🟡

### Repo-specific actions
- [ ] Commit `Cargo.lock` and build with `--locked`
- [ ] SHA-pin all actions (esp. `softprops/action-gh-release` and `dtolnay/rust-toolchain@stable`)
- [ ] Add `permissions: contents: read` to ci.yml; scope `HOMEBREW_TAP_TOKEN`; push formula via PR not `gh api PUT` to main
- [ ] Add cosign/SLSA + harden-runner to the release workflow

### Baseline hardening
- [ ] **B1** SHA-pin all actions (full 40-char commit, third-party first) + Dependabot `github-actions` (no auto-merge)
- [ ] **B2** Top-level least-privilege `permissions: { contents: read }`
- [ ] **B3** Digest-pin Docker base images (`@sha256:`); deploy immutable `${{ github.sha }}`, never `:latest`

### Reference
Full per-repo plan & rationale: https://app.vibexp.io/artifacts/017f21c2-f378-435f-80e1-b0524459051b/shaharia-lab-cicd-security-remediation-plan


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: CI/CD supply-chain & credential hardening #11

CI/CD supply-chain & credential hardening — code-navigator

Repo-specific actions

Baseline hardening

Reference

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Uh oh!

Security: CI/CD supply-chain & credential hardening #11

Description

CI/CD supply-chain & credential hardening — code-navigator

Repo-specific actions

Baseline hardening

Reference

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions