CI/CD Pipeline Security Expert

Fail

Audited by Socket on Feb 13, 2026

1 alert found:

Alert type: Malware (severity: HIGH)
File: SKILL.md

This is an instructional CI/CD security skill/document. It is not malicious. The content aligns with its stated purpose: securing GitHub Actions workflows, secret management, signing, SBOMs, and supply-chain protections. The main risks are operational: several example snippets show high-risk patterns (executing remote scripts via curl|bash, referencing actions by branch/tag like '@main' or '@master', and demonstrating dangerous pull_request_target usage). Those are shown as anti-patterns in the text, but their presence creates a chance that an implementer might copy insecure examples. No hardcoded secrets or obfuscated code were found. Recommendation: follow the document's own advice — pin actions by SHA, avoid running unverified remote scripts, and ensure tests/checks prevent copying dangerous examples into production workflows.

Confidence: 80%
Severity: 25%
Audit Metadata
Analyzed At: Feb 13, 2026, 12:17 PM
Package URL: pkg:socket/skills-sh/martinholovsky%2Fclaude-skills-generator%2Fcicd-pipeline-security-expert%2F@0617eb46a3416bc7da820147cbcff4bbd2b49b93