Securing CI/CD for an open source project: lessons from Cilium

News

As a Cilium maintainer, this is our take on how we secure GitHub Actions in the OSS project.

A few highlights:
- SHA pinning every GitHub Action
- Separating trusted vs untrusted code paths in pull_request_target
- Isolating CI credentials from production release credentials
- Cosign signing + SBOM attestations
- Vendoring Go dependencies to make supply chain changes visible in review
- Treating blast radius reduction as the core design principle

and a few gaps:
- no SLSA provenance yet
- remaining mutable @main references
- no dependency review at PR time
- missing govulncheck integration

submitted by /u/xmull1gan
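As an added illustration (not Cilium's own workflow, and not part of the post above), a minimal GitHub Actions workflow that applies two of the listed highlights: every action pinned to a full commit SHA with a version comment, and a pull_request_target workflow whose trusted job runs only base-branch code under a scoped token while the untrusted job builds the contributor's code read-only. The `scripts/label-pr.sh` path is hypothetical, and the SHAs are placeholders to replace with the real commits for the tags.

```yaml
# Added example, not Cilium's workflow. Shows SHA pinning plus the
# trusted/untrusted split under pull_request_target.
name: pr-label-check

on:
  pull_request_target:
    types: [opened, synchronize]

# Least-privilege default; each job opts in to what it needs.
permissions: {}

jobs:
  # Trusted path: has write scope, so it must never execute code from the PR.
  # Under pull_request_target the default checkout ref is the BASE branch,
  # not the PR head; do not override it with the PR's sha here.
  label:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      # Pinned to a full commit SHA; the comment records the tag it maps to.
      # SHA is a PLACEHOLDER: replace with the real commit for the tag.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          persist-credentials: false
      # Pass event data through env, never interpolate it into the script.
      - run: ./scripts/label-pr.sh "$PR_NUMBER"   # hypothetical script
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Untrusted path: builds and tests the contributor's code with a read-only
  # token. Nothing it produces is consumed by the trusted job above.
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - uses: actions/setup-go@0000000000000000000000000000000000000000 # v5
        with:
          go-version-file: go.mod
      - run: go build ./... && go test ./...
```

A `@main` reference in either `uses:` line would reintroduce the mutable-tag gap the post lists, since the workflow would then run whatever that branch points to at execution time.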