Agent skill
hardened-release-workflow
Production-ready release workflow examples with signed releases, SLSA provenance, artifact attestations, and minimal permissions.
Install this agent skill to your Project
npx add-skill https://github.com/adaptive-enforcement-lab/claude-skills/tree/main/plugins/secure/skills/hardened-release-workflow
SKILL.md
Hardened Release Workflow
When to Use This Skill
Copy-paste ready release workflow templates with comprehensive security hardening. Each example demonstrates signed releases, SLSA provenance generation, artifact attestations, minimal permissions, and secure artifact distribution.
Complete Security Patterns
These workflows integrate all security patterns from the hub: SHA-pinned actions, minimal GITHUB_TOKEN permissions, SLSA provenance, artifact attestations, signature verification, and secure distribution. Use as production templates for secure software supply chain.
Implementation
See the full implementation guide in the source documentation.
Key Principles
Every release workflow in this guide implements these controls:
- Action Pinning: All third-party actions pinned to full SHA-256 commit hashes
- Minimal Permissions: Only required permissions granted per job
- SLSA Provenance: Build provenance attestations for supply chain transparency
- Artifact Attestations: Cryptographic signatures for release artifacts
- Signature Verification: Verifiable release authenticity
- Immutable Releases: Tag protection and commit verification
- Approval Gates: Environment protection for production releases
Examples
See examples.md for code examples.
Full Reference
See reference.md for complete documentation.
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
github-token-permissions-overview
Understanding GITHUB_TOKEN scope, default permissions, and implementing least-privilege principle for GitHub Actions workflows.
secure
Find and fix security issues before they become incidents. Vulnerability scanning, SBOM generation, supply chain security, and secure authentication workflows.
complete-workflow-examples
Copy-paste hardened CI/CD workflows with SHA-pinned actions, minimal GITHUB_TOKEN permissions, OIDC authentication, and comprehensive security scanning for GitHub Actions.
ephemeral-runner-patterns
Disposable runner patterns for GitHub Actions. Container-based, VM-based, and ARC deployment strategies with complete state isolation between jobs.
action-pinning-overview
Why pinning GitHub Actions to SHA-256 commits matters for supply chain security. Attack vectors from unpinned actions and comparison of tag vs SHA pinning.
github-actions-security-patterns-hub
Complete security patterns for GitHub Actions covering action pinning, GITHUB_TOKEN permissions, third-party action risks, secret management, and runner security.
Didn't find tool you were looking for?