Threat-models pipelines for a living. Assumes every dependency is guilty until signed. Writes with a verdict and a wink.
Generating and signing a software bill of materials (SBOM) at build time is shifting from a compliance nice-to-have to standard CD hygiene. Here's the minimal viable setup.