Harden CI/CD Pipeline Security

[Snider]

This submission hardens the CI/CD pipeline by addressing several security vulnerabilities. It replaces the manual release process with goreleaser, pins all GitHub Actions to specific commit hashes, enables cryptographic signing of release artifacts, adds a Dependabot configuration, and removes excessive contents: write permissions from workflows. It also includes an AUDIT-CICD.md file to document the audit findings and remediation steps.

Fixes #98

---

PR created automatically by Jules for task 616906462333893748 started by @Snider

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• Chores
  • Enhanced release process with automated artefact signing for improved security
  • Pinned external tools to specific versions for consistent build behaviour
  • Configured automated dependency management for Go modules
  • Added CI/CD security audit documentation

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Walkthrough

This pull request implements CI/CD pipeline security improvements by pinning GitHub Actions workflows to specific commit SHAs, introducing Sigstore-based cryptographic signing for release artifacts via GoReleaser, enabling Dependabot for automated dependency updates, and consolidating release processes. A comprehensive security audit document details all findings and remediations.

Changes

Cohort / File(s)	Summary
GitHub Actions Workflow Pinning .github/workflows/go.yml, .github/workflows/mkdocs.yml, .github/workflows/release.yml	Replaced generic action version references with pinned commit SHAs across workflows; removed overly broad permissions from mkdocs deployment; removed forced deployment step.
Release Process Automation .github/workflows/release.yml	Replaced manual multi-step Go build and release process with streamlined GoReleaser integration, reducing 85 lines to 13; removed explicit version extraction and checksum creation steps.
Release Artifact Configuration .goreleaser.yaml	Added Sigstore keyless signing via Fulcio/OIDC with signature and certificate output paths; introduced pre-release build hooks for WebAssembly, console, and binary artifacts; configured extra release files for WASM, runtime library, and console assets.
Dependency Management .github/dependabot.yml	Added new configuration file to enable automated Go module version update checks on a weekly schedule.
Security Audit Documentation AUDIT-CICD.md	Created comprehensive audit document detailing CI/CD security findings across action pinning, permissions management, artifact signing, dependency scanning, and build system integrity, with corresponding remediations.

Sequence Diagram(s)

sequenceDiagram
    participant GHA as GitHub Actions
    participant GR as GoReleaser
    participant FS as Filesystem
    participant Sigstore as Sigstore (Fulcio)
    participant GHRel as GitHub Releases

    GHA->>GR: Trigger release (--clean flag)
    GR->>FS: Execute pre-release hooks
    FS->>FS: Build WASM binary<br/>(GOOS=js GOARCH=wasm)
    FS->>FS: Copy wasm_exec.js runtime
    FS->>FS: Build borg binary
    FS->>FS: Generate console.stim artifact
    GR->>GR: Build release artifacts
    GR->>Sigstore: Request keyless signature<br/>(OIDC via Actions)
    Sigstore->>Sigstore: Verify OIDC token<br/>(Fulcio)
    Sigstore-->>GR: Return signature & certificate
    GR->>GR: Attach extra files<br/>(WASM, runtime, console)
    GR->>GHRel: Create release with<br/>signed artifacts
    GHRel-->>GHA: Release complete

Loading

Possibly Related PRs

• fix(ci): Update GitHub Actions versions and add permissions #8: Modifies .github/workflows/mkdocs.yml action versioning and deployment permissions configuration, directly intersecting with this PR's workflow security hardening changes.

Poem

🐰 A release most secure, signed and quite clear,
With Sigstore's seal bringing trusted cheer,
Actions pinned tight, no floating about,
Dependabot watches without a doubt,
GoReleaser builds what we've dreamed of before,
CI/CD security forevermore! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarises the primary objective of the changeset: hardening the CI/CD pipeline security through multiple security improvements.
Description check	✅ Passed	The description is directly related to the changeset, detailing all major security improvements implemented including goreleaser adoption, action pinning, artifact signing, Dependabot configuration, and permission reduction.
Linked Issues check	✅ Passed	The pull request fully addresses the audit requirements from issue #98 by implementing security hardening across all focus areas (Actions workflow security, artifact signing, dependency management) and creating AUDIT-CICD.md documenting findings and remediations.
Out of Scope Changes check	✅ Passed	All changes are directly within scope of the CI/CD security audit objectives. The placeholder file addition addresses a build failure directly related to the release workflow changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch audit/cicd-security-hardening-616906462333893748

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}