Borg/.github/workflows/mkdocs.yml at 5e55a50b145b24dcd267dfb35a6bb30f7a44ffcc - Snider/Borg - Forgejo: Beyond coding. We Forge.

Snider/Borg

google-labs-jules[bot] b86e0c3e8e feat: Harden CI/CD pipeline security

This commit hardens the CI/CD pipeline by addressing several security
vulnerabilities.

- Replaces the manual release process with `goreleaser` to streamline
  builds and enable artifact signing.
- Pins all GitHub Actions to specific commit hashes to prevent supply
  chain attacks.
- Enables cryptographic signing of release artifacts using `cosign` and
  Sigstore's keyless signing.
- Adds a Dependabot configuration to automate dependency updates.
- Removes excessive `contents: write` permissions from workflows.
- Creates an `AUDIT-CICD.md` file to document the audit findings and
  remediation steps.

Co-authored-by: Snider <631881+Snider@users.noreply.github.com>

2026-02-02 01:24:12 +00:00

14 lines

360 B

YAML

Raw Blame History

 name: mkdocs
 on:
   push:
     branches:
       - main
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2d2b2110 # v4.8.0
         with:
           python-version: '3.11'
       - run: pip install mkdocs-material