Investigate CI trust gaps and bootstrap attestation-aware hardening
We want to check this repository for Trivy-style CI tampering risk.
Please:
- inspect CI and release-related files
- look for mutable refs, risky external downloads, suspicious scanner sourcing, and missing provenance coverage
- if safe, create the smallest reviewable hardening MR
- if not safe, leave a note with exact manual follow-up
issue