Signed monorepo releases using GitHub Workflows
Replacing 150 lines of GPG shell with GitHub-signed commits to satellite repos: zero private keys on the runner, via createCommitOnBranch and a custom Action.
Read →#supply-chain
2 articles
-
-
Why Your .env Secrets Shouldn't Be Plaintext on Disk
Why plaintext .env files are a prime target for supply-chain attacks, and how dotsecenv keeps developer secrets encrypted at rest with GPG.
Read →