ADR-0032 — GitHub Actions CI + OIDC keyless + supply-chain security

V1 Freeze (2026-06-12): Deferred. V1 CI = build/test/lint. SBOM/trivy/cosign/SLSA re-open at P4.

Context

CI must build, test, and publish artifacts safely. Two recurring risks: (1) long-lived credentials in CI (cloud keys, signing keys, registry credentials), which are prime theft targets; and (2) unverifiable artifacts (no provenance, unsigned images, unknown dependencies), now also a regulatory concern (EO 14028, EU CRA). CI must also not hold cluster credentials (ADR-0028).
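The two risks above map onto concrete workflow settings. The following is an added illustration, not a workflow from this ADR or its repository: a GitHub Actions release workflow that holds no stored cloud or signing keys (risk 1 is addressed by a job-scoped GITHUB_TOKEN plus an OIDC-minted short-lived role), signs the image digest keylessly so the signature is bound to the workflow identity (risk 2), and contains no deploy step. The registry (GHCR), the cloud provider (AWS), the role ARN and region, and the `make` targets are assumptions; the signing and provenance steps are the items the V1 freeze defers to P4, shown here so the boundary is visible.

```yaml
# Added example, not the ADR's own workflow. Assumptions: images go to GHCR,
# cloud access is an assumed AWS role (placeholder ARN), build/test/lint run via make.
name: release

on:
  push:
    tags: ["v*"]

# Default-deny token scopes at the workflow level; each job requests only what it needs.
permissions: {}

jobs:
  build-test-lint:              # V1 scope: build/test/lint only
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config for later steps
      - run: make lint test build

  publish:                      # P4 scope: SBOM/scan/sign/provenance re-open here
    needs: build-test-lint
    runs-on: ubuntu-latest
    environment: release        # protection rules on this environment gate the OIDC subject claim
    permissions:
      contents: read
      packages: write           # push to GHCR with the job-scoped GITHUB_TOKEN
      id-token: write           # mint a short-lived OIDC token; replaces any stored cloud key
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Weak pattern this replaces (kept as a comment, not active):
      #   env:
      #     AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      #     AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      # Corrected: exchange the job's OIDC token for role credentials that expire with the job.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::000000000000:role/ci-release   # placeholder ARN
          aws-region: eu-west-1                                       # assumed region

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}     # job-scoped, expires when the job ends

      - id: build
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
          provenance: true      # BuildKit emits an SLSA provenance attestation with the image

      - uses: sigstore/cosign-installer@v3

      # Keyless signing: the certificate is issued to this workflow's OIDC identity,
      # so there is no long-lived signing key to steal. Sign the digest, never a mutable tag.
      - run: cosign sign --yes ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}

      # No deploy step: CI holds no cluster credentials (ADR-0028). The CD side pulls by
      # digest and verifies the signature against the expected workflow identity.
```

On the consuming side, verification pins the signer to the issuer and to this workflow file and tag pattern rather than to any key material, e.g. `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/ORG/REPO/.github/workflows/release.yml@refs/tags/v' IMAGE@DIGEST` (ORG/REPO are placeholders). The cloud role's trust policy should likewise constrain the token's `sub` claim to this repository and the `release` environment, otherwise any workflow in the organisation could assume it.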

Decision

GitHub Actions for CI, with a hard CI/CD boundary and supply-chain security built in:

Consequences

Positive

Negative / costs

Alternatives considered

Scaling

Self-hosted/larger runners (incl. arm64) + aggressive caching + path-filtered matrices scale build throughput; small signed images reduce registry/egress cost (platform/01).