Session

Building Secure Package Pipelines

This session guides you through creating a secure package pipeline that any open-source maintainer can achieve. I will show how we eliminated long-lived secrets with OIDC authentication, introduced automated SBOM generation for each release, signed builds with cryptographic attestations and used matrix CI to test across platforms.
We use bots to keep our dependencies up to date and CodeQL to scan our repositories for vulnerabilities, and we automate releases with Release Please. To harden our GitHub Actions workflows, we pin actions to commit hashes and scope down workflow permissions. These measures reduce the risks associated with compromised dependencies, supply chain attacks and manual errors, while also improving compliance and trust for everyone.
By the end, you will have a blueprint for securing your projects. The ecosystem benefits from improved security practices, increased transparency and better compliance with standards. Contributors can fork, audit and extend projects, knowing the integrity of the build process is assured.
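One check a maintainer can run against the hash-pinning and permissions practice described above, as an added example and not code from the talk: a small linter that flags `uses:` references not pinned to a full 40-character commit SHA and jobs that carry no `permissions:` block. The embedded workflow is constructed for the demonstration; its action names and SHA are placeholders.

```python
import re
from typing import Dict, List

# Constructed sample workflow: one SHA-pinned action, one tag-pinned,
# one branch-pinned, and a second job that never declares permissions.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: some-org/some-action@v2
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: some-org/publish@main
"""

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
JOB = re.compile(r"^  (\w[\w-]*):\s*$")       # job keys sit two spaces under 'jobs:'
JOB_PERMS = re.compile(r"^    permissions:")   # job-level permissions block

def lint_workflow(text: str) -> List[str]:
    """Return findings for mutable action refs and jobs that inherit the
    default GITHUB_TOKEN scopes because no permissions block is declared."""
    findings: List[str] = []
    top_level_perms = False
    in_jobs = False
    current_job = None
    jobs: Dict[str, bool] = {}  # job name -> has its own permissions block
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("permissions:"):
            top_level_perms = True
        elif line.startswith("jobs:"):
            in_jobs = True
        elif in_jobs and (m := JOB.match(line)):
            current_job = m.group(1)
            jobs[current_job] = False
        elif current_job and JOB_PERMS.match(line):
            jobs[current_job] = True
        if (m := USES.match(line)) and "@" in m.group(1):
            action, ref = m.group(1).rsplit("@", 1)
            if not SHA40.match(ref):
                findings.append(f"line {lineno}: {action} uses mutable ref '{ref}'; pin to a full commit SHA")
    if not top_level_perms:  # a workflow-level block would cover every job
        findings += [f"job '{j}': no permissions block, GITHUB_TOKEN gets default scopes"
                     for j, has_perms in jobs.items() if not has_perms]
    return findings

if __name__ == "__main__":
    for finding in lint_workflow(SAMPLE_WORKFLOW):
        print(finding)
```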

André Silva

Software Engineer @ LexisNexis Risk Solutions - Maintainer @ OpenFeature

Dublin, Ireland
