Supply-chain hardening shortlist. Would any of these PRs be welcome?

[gregclermont]

Hi 👋, prospective user here doing a pre-adoption security review of agent-vault. I spent a few hours auditing the CI/CD setup, release pipeline, and install path, especially in light of recent supply-chain incidents.

Before I send anything as PRs, I wanted to check which (if any) you'd welcome. Each proposal below is self-contained and each would be a separate small PR.

Small PRs I'd happily send

1. Dependabot cooldown — catches freshly-published malicious versions before they land in auto-PRs.
2. npm install → npm ci in release-node-sdk.yml — installs strictly from the lockfile, closing the window between what CI tested and what ships to npm (vector the Axios compromise exploited).
3. npm ci --ignore-scripts + npm rebuild esbuild across all npm install steps — blocks arbitrary postinstall execution in transitive deps, while still letting esbuild fetch its platform binary.
4. Downgrade contents: write → contents: read on the node-sdk publish workflow — checkout needs contents: read; OIDC publish needs id-token: write; nothing in the job writes to the repo.
5. persist-credentials: false on actions/checkout — found by zizmor (artipacked). No git command happens in any workflow, so the GITHUB_TOKEN doesn't need to be left in .git/config.
6. --proto '=https' on install.sh curl calls — defense-in-depth against HTTP redirect downgrade.
7. Pin Dockerfile base images by digest and enable Dependabot's docker ecosystem — floating tags (alpine:3.21, node:22-alpine, golang:1.25-alpine) are mutable upstream; a retag or compromise lands silently in the next build. Digest pinning (@sha256:...) makes base-image changes opt-in; the Dependabot docker ecosystem keeps the pins fresh so they don't rot.
8. actions/attest-build-provenance after GoReleaser — enables gh attestation verify agent-vault_*.tar.gz --repo Infisical/agent-vault for users with zero extra tool install.
9. docker_signs block in .goreleaser.yml — cosign is already installed in the release workflow; it's currently only used to sign checksums.txt.

Bigger but still small-ish

10. Checksum + cosign verification in install.sh — the current installer downloads and executes the binary without integrity verification, despite .goreleaser.yml already publishing a signed checksums.txt. Largest single impact of any change here; happy to send as its own PR after (8) lands so it can prefer gh attestation verify when available.

Things that need maintainer action (flagging, not PR'ing)

These are settings / external-infra changes only you can make. Listing so they're on your radar; happy to defer on any of them:

• Immutable Releases (repo settings → Releases) — single checkbox that prevents the Trivy-class (Mar 2026) and tj-actions-class (Mar 2025) asset-swap attacks by making release tags and assets platform-level immutable after publication. Complements cosign by making the platform itself enforce tamper-evidence.
• Tag protection ruleset on v* / node-sdk/v*.*.* pushes with creation / deletion / non_fast_forward rules.
• DNSSEC on agent-vault.dev — zone is currently unsigned (signed NSEC3 denial from the dev. TLD confirmed). One click in Cloudflare + DS record at the registrar. Important given the install-path trust reliance on the domain.

A few questions before I start

• Bundling preference — happy with 10 separate small PRs, or would you rather a couple of "security hardening batch" PRs grouped by concern (e.g. one for Dependabot-related, one for permissions)?
• Order preference — I'd suggest starting with 1-6 (truly tiny wins, easy review), then 7-9 (still small, need one look), then 10 (slightly bigger). Open to any order you prefer.
• Overlap — if any of this is already planned or WIP on your end, just say so and I'll drop it.

Thanks for the project!

[dangtony98]

Hey @gregclermont!

Thanks so much for suggesting these and welcome to Agent Vault (AV); we're in the early days of AV and there may be some gaps with active development, so I'm really happy you brought these up. Regarding the specific points:

• I'm happy to take care of 1, 2, 4, 5, 6, and 7; I think these should be simple-enough for me to knock out quickly. That said, it'd be great if you could raise separate PRs for 8, 9, and 10.
• We can defer 3 for now until the others land.
• I'll take care of the maintainer actions part as well.

Let me know if you have any questions; really appreciate this!

On another note, feel free to join the Slack community here if you want more real-time feedback as we get these going; happy to keep it within GitHub too.

[mvanhorn]

Submitted item 8 (actions/attest-build-provenance after GoReleaser) in #138. Will follow with separate PRs for items 9 and 10 per your guidance.

[mvanhorn]

Submitted item 9 (docker_signs block in .goreleaser.yml) in #139. Independent of #138 - either order works. Item 10 to follow after #138 lands.