Your CI/CD Pipeline Is a Security Risk - Here's How I Fixed Mine

Most CI/CD pipelines are one compromised dependency away from a production takeover. I learned that the hard way after the Codecov breach. I spent a couple of weeks hacking on a PoC to see what actually holds up when the goal is simple: stop someone from nuking your prod environment. Here's what I ended up with and where it hurt. Branch protection is table stakes, but it's very easy to get wrong. I forced signed commits and mandatory approvals, even for admins. Yeah, it slows things down during fast iterations. But without it, a compromised runner can just rewrite your main history and push whatever it wants. Let me paint the scenario that kept me up at night: A compromised GitHub Action runs in your pipeline. It reads your AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY . Sends them to an external server. A few seconds later, someone else is deploying to your production account. Game over. Static secrets had to die - so I killed them I replaced every AWS_ACCESS_KEY_ID with OIDC (OpenID Co