Signed monorepo releases using GitHub Workflows
How a monorepo release workflow publishes signed commits to homebrew-tap, apt/yum packages, and plugin satellite repos, with no private signing key on the CI runner.
How dotsecenv v0.6.0’s policy directory came together: a long weekend, a SUID dead end, and Claude Code as inspiration.
The Trivy supply chain attack swept 50+ filesystem locations for plaintext credentials. It’s time to encrypt .env secrets at rest.