Cilium's security team details how they harden their CI/CD pipeline against supply chain attacks. Key controls include: SHA-pinned GitHub Actions and container images, a custom bot (Ariane) restricting who can trigger builds, two-phase checkouts for pull_request_target workflows to isolate untrusted code, Go module vendoring so dependency changes appear as reviewable diffs, CODEOWNERS gates on all .github/ changes, Renovate with a 5-day cooldown for automated dependency updates, static analysis via actionlint and CodeQL to catch expression injection and missing permissions, CI vs. production credential isolation using protected environments, and keyless Sigstore Cosign signing with SBOM attestations. The post also honestly documents remaining gaps: no SLSA provenance, no govulncheck in CI, 68 internal @main references, and no dependency-review-action. It closes with a look at GitHub's 2026 Actions security roadmap and how planned features like dependency locking, scoped secrets, and native egress firewalls map to current workarounds.
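One way to audit the SHA-pinning control and count leftover mutable references such as `@main`, as an added example that is not code from the Cilium post or project. The function names, the sample workflow and every org, repo and SHA value in it are constructed placeholders.

```python
import re

# Matches a step-level or job-level `uses:` line and captures the reference.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify(ref):
    """Return 'pinned', 'local' or 'mutable' for one `uses:` reference."""
    if ref.startswith("./"):
        return "local"  # same-repo action, versioned with the checkout
    if ref.startswith("docker://"):
        return "pinned" if DIGEST.search(ref) else "mutable"
    _, sep, rev = ref.rpartition("@")
    # Only a full 40-hex commit SHA is immutable; tags and branches can move.
    return "pinned" if sep and FULL_SHA.match(rev) else "mutable"

def audit(workflow_text):
    """Return (line_number, ref) for every reference that is not immutable."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "mutable":
            findings.append((lineno, m.group(1)))
    return findings

# Constructed sample workflow; org, repo and SHA values are placeholders.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: example-org/example-repo/.github/actions/setup@main
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example-org/tool:latest
      - uses: docker://ghcr.io/example-org/tool@sha256:""" + "ab" * 32 + """
      - uses: example-org/scan-action@v2
  call:
    uses: example-org/example-repo/.github/workflows/reusable.yaml@main
"""

if __name__ == "__main__":
    for lineno, ref in audit(SAMPLE):
        print(f"line {lineno}: mutable reference {ref}")
```

Run over the files in `.github/workflows/`, the length of the returned list gives a count of mutable references that can be tracked down to zero.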

23m read time. From cilium.io
Table of contents
TL;DR
Controlling who runs what
Locking down dependencies
Catching mistakes with static analysis
Protecting credentials
Signing and attesting what we ship
The Cilium security team
Additional layers
What we're still working on
GitHub's 2026 Actions security roadmap and how it maps to what we do
The point
