Securing CI/CD for an open source project: lessons from Cilium

As a maintainer, this is Cilium's take on how we secure our GitHub Actions in the OSS project. A few highlights:

  • SHA pinning every GitHub Action
  • Separating trusted vs untrusted code paths in pull_request_target
  • Isolating CI credentials from production release credentials
  • Cosign signing + SBOM attestations
  • Vendoring Go dependencies to make supply chain changes visible in review
  • Treating blast radius reduction as the core design principle

and a few gaps:

  • no SLSA provenance yet
  • remaining mutable @main references
  • no dependency review at PR time
  • missing govulncheck integration
submitted by /u/xmull1gan
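
An added example, not part of the original post or of Cilium's code: a small checker for the SHA-pinning item and the mutable branch reference gap listed above. It scans workflow text for `uses:` entries that are not pinned to a full commit SHA (or, for container images, a digest); the workflow, action names and SHA below are constructed placeholders.

```python
import re

# "uses: <ref>" in a step or reusable-workflow job; quotes and trailing comments ignored.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

def find_mutable_refs(workflow_text):
    """Return (line_number, reference, reason) for each `uses:` that can change under you."""
    findings = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue  # local action: taken from the same commit as the workflow itself
        target, _, version = ref.rpartition("@")
        if ref.startswith("docker://"):
            if not (target and DIGEST_RE.fullmatch(version)):
                findings.append((number, ref, "container image not pinned by digest"))
        elif not target:
            findings.append((number, ref, "no ref given"))
        elif not FULL_SHA_RE.fullmatch(version):
            findings.append((number, ref, f"'{version}' is not a full commit SHA"))
    return findings

# Constructed sample workflow (hypothetical actions, made-up SHA).
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: example-org/checkout-action@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: example-org/setup-go-action@v5
      - name: lint
        uses: example-org/lint-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://example.test/tool:1.2
"""

if __name__ == "__main__":
    for number, ref, reason in find_mutable_refs(SAMPLE):
        print(f"line {number}: {ref}: {reason}")
```

Run over every file in `.github/workflows/` as a required CI check, this turns a new tag or branch reference into a failed build instead of a review-time catch.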