This commit hardens the CI/CD pipeline and fixes the release process.

- Replaces the manual release process with `goreleaser` to streamline builds and enable artifact signing.
- Pins all GitHub Actions to specific commit hashes to prevent supply chain attacks.
- Enables cryptographic signing of release artifacts using `cosign` and Sigstore's keyless signing.
- Adds a Dependabot configuration to automate dependency updates.
- Removes excessive `contents: write` permissions from workflows.
- Creates an `AUDIT-CICD.md` file to document the audit findings and remediation steps.
- Fixes a build failure by adding a placeholder for a missing demo file.
- Updates the `.goreleaser.yaml` to include WASM and console assets in the release, fixing a regression from the previous release process.
Co-authored-by: Snider <631881+Snider@users.noreply.github.com>
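As an added illustration of the action-pinning item above (this is not code from the commit or its repository): a POSIX shell check that lists every `uses:` reference in a GitHub Actions workflow that is not pinned to a full 40-hex commit SHA, which is the property the commit says it enforces. The sample workflow text and the all-zero SHA below are constructed placeholders, not values from the project.

```shell
#!/bin/sh
# Constructed sample workflow (not from the repository). It mixes one action
# pinned to a placeholder SHA, two pinned only to a mutable tag/branch, and a
# local action, so the check has something to find.
SAMPLE_WORKFLOW='name: release
permissions:
  contents: read
  id-token: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: actions/setup-go@v5
      - uses: goreleaser/goreleaser-action@master
      - uses: ./.github/actions/local-step
'

# Print every `uses:` reference that is not pinned to a full 40-hex commit SHA.
# Takes the workflow text as its single argument.
# Local actions (./path) and Docker references (docker://) are skipped because
# they are not pinned by git SHA; trailing `# vX` comments are stripped first so
# a version hint does not hide a mutable ref.
find_unpinned_actions() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' |
        sed 's/[[:space:]]*#.*$//' |
        grep -v -e '^\./' -e '^docker://' |
        grep -v -E '@[0-9a-f]{40}$' || true
}

# Number of unpinned references; a CI gate can fail the job when this is non-zero.
count_unpinned_actions() {
    find_unpinned_actions "$1" | grep -c . || true
}

# Stand-alone run: prints the two mutable references from the sample.
find_unpinned_actions "$SAMPLE_WORKFLOW"
```

Feed it a real file with `find_unpinned_actions "$(cat .github/workflows/release.yml)"`; anything it prints is a reference an upstream tag move or branch push could silently change, which is exactly what SHA pinning prevents.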