
Securing CI/CD for an open source project: lessons from Cilium
Tags: CI/CD, Open Source, Security, Supply Chain, GitHub, Cilium, SBOM, Cosign, SLSA
The Cilium project outlines key security practices for GitHub Actions in open source development, including SHA pinning for actions, separating trusted and untrusted code paths in pull_request_target, isolating CI credentials from production release credentials, and using Cosign signing with SBOM attestations. It also highlights vendoring Go dependencies to improve supply chain visibility during reviews and prioritizing blast radius reduction as a design principle. The post notes existing gaps such as the lack of SLSA provenance, mutable references, missing dependency reviews at PR time, and no integration of govulncheck.
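Two of the practices summarized above (SHA pinning of actions and keeping untrusted pull-request code out of a privileged pull_request_target job) can be checked mechanically before a workflow change is merged. The following is an added example, not code from the Cilium project or the post: it scans GitHub Actions workflow text with plain regular expressions, flags `uses:` references that point at a mutable tag or branch instead of a full commit SHA, and flags workflows that combine the pull_request_target trigger with a checkout of the pull request head. The two embedded workflows are constructed samples, and the 40-hex SHA in them is a placeholder, not a real commit of any action.

```python
import re

# Constructed sample (not from the Cilium repository). The checkout step uses a
# mutable tag and, because the trigger is pull_request_target, the job would run
# contributor-controlled code with the base repository's secrets.
WEAK_WORKFLOW = """\
name: build
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, not a real commit
      - uses: ./.github/actions/local-step
      - run: make test
"""

# Hardened counterpart: every external action is pinned to a full commit SHA
# (with the version recorded in a comment) and the untrusted path runs under
# the unprivileged pull_request trigger, so no secrets reach contributor code.
HARDENED_WORKFLOW = """\
name: build
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, not a real commit
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, not a real commit
      - uses: ./.github/actions/local-step
      - run: make test
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


def find_unpinned_actions(workflow_text):
    """Return (line_number, reference, reason) for every `uses:` that is not
    pinned to an immutable identifier. Local actions (./path) are skipped
    because they ship with the repository; docker:// images count as pinned
    only when they carry a sha256 digest."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((lineno, ref, "image without digest"))
            continue
        if "@" not in ref:
            findings.append((lineno, ref, "no ref"))
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append((lineno, ref, "mutable ref"))
    return findings


def pull_request_target_checks_out_head(workflow_text):
    """True when a pull_request_target workflow checks out the PR head commit or
    branch: that is the combination the post warns about, because the job has
    the base repository's secrets while running untrusted code."""
    has_prt = re.search(r"^\s*pull_request_target\s*:", workflow_text, re.M) is not None
    head_ref = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
    return has_prt and head_ref.search(workflow_text) is not None


def audit(workflow_text):
    """Collect both checks into one report, suitable for a pre-merge job."""
    report = [f"unpinned: line {ln} {ref} ({why})" for ln, ref, why in find_unpinned_actions(workflow_text)]
    if pull_request_target_checks_out_head(workflow_text):
        report.append("pull_request_target checks out untrusted PR head")
    return report


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit(text) or ["ok"])
```

Run against a real repository, the same two functions can be applied to every file under .github/workflows and wired into a required status check, so that a newly introduced mutable reference or a privileged checkout of contributor code is caught at review time rather than after a release.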