Security
Supply-chain and secret-handling posture: pin by hash, not tag; scan for known CVEs on every push; ship SBOMs and signatures from the release pipeline; and refuse to accept secrets as flag values.
Decisions
byob-security.1 — Pin Go dependencies by exact version; never `@latest` in CI
byob-security.2 — Run govulncheck in CI on every push
byob-security.3 — Emit SBOMs and cosign signatures from the release workflow
byob-security.4 — Secrets from env or OS keyring only; never as flag values
byob-security.5 — Pin GitHub Actions by SHA; scope permissions to minimum
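A small CI gate for byob-security.5, added here as an example and not part of the project's own tooling: it scans a workflow file's text for `uses:` references that are not pinned to a full commit SHA and for a missing top-level `permissions:` block. The sample workflow and its SHA are constructed, and the line-based regex scan assumes one `uses:` per line, which is how GitHub workflow YAML is normally written.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed sample, not a real project file: tag pin, placeholder-SHA pin, local action, no permissions block.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: ./.github/actions/local-step
`

var usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*([^\s#]+)`) // action ref after "uses:"
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)             // full-length commit SHA

// Finding is one byob-security.5 violation; Line 0 means file-level.
type Finding struct{ Line int; Msg string }

// CheckWorkflow enforces byob-security.5: every remote "uses:" must be pinned to a 40-hex
// commit SHA ("./" and "docker://" refs are exempt), and a top-level "permissions:" block
// must exist so GITHUB_TOKEN is not left at the repository default.
func CheckWorkflow(src string) []Finding {
	var findings []Finding
	hasPermissions := false
	for i, line := range strings.Split(src, "\n") {
		if strings.HasPrefix(line, "permissions:") { // column 0 => top-level key
			hasPermissions = true
		}
		m := usesRe.FindStringSubmatch(line)
		if m == nil || strings.HasPrefix(m[1], "./") || strings.HasPrefix(m[1], "docker://") {
			continue
		}
		if action, version, ok := strings.Cut(m[1], "@"); !ok || !shaRe.MatchString(version) {
			findings = append(findings, Finding{i + 1, action + " is not pinned to a commit SHA"})
		}
	}
	if !hasPermissions {
		findings = append(findings, Finding{0, "missing top-level permissions: block"})
	}
	return findings
}
```

Run it over every file under `.github/workflows/` and fail the job when the returned slice is non-empty; a job-level `permissions:` block is indented and is deliberately not counted as satisfying the top-level requirement.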