Security
Protected runners, ephemeral customer jobs, per-project isolation, signed artifacts, audit logs, branch protection, and deploy approvals.
Protected runners
Deploy-scoped runners are protected and tagged separately from build/test runners. A build or test runner carries a no-deploy tag and can never run a production deploy. Deploy jobs run only on protected, deploy-scoped runners.
Ephemeral customer jobs
Customer build and test jobs run in ephemeral workspaces — separate filesystem and process space — that are cleaned up when the job ends. Nothing persists between jobs except the project-isolated cache, which is content-addressed and never crosses project or tenant boundaries.
Per-project cache and secret isolation
Cache and secrets are isolated per project. There is no shared global cache or secret store that could leak between customers. Tenant and org boundaries are enforced at every layer. See BuildKit cache and Secrets.
Signed artifacts
Artifacts are signed with an SBOM and provenance, and the deploy gate fails closed on anything it cannot verify. See Artifact signing.
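A fail-closed gate of the kind described above, as an added example that is not NOME's own code. HMAC-SHA256 with a shared key stands in for the signature scheme, which the page does not name, and the statement layout and all function names are hypothetical.

```python
import hashlib
import hmac
import json

# Assumptions (not from the page): HMAC-SHA256 stands in for the real signature
# scheme, and the statement layout and every name below are hypothetical.
PARTS = ("artifact", "sbom", "provenance")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign_statement(key: bytes, statement: dict) -> str:
    # Canonical JSON so signer and verifier hash identical bytes.
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def gate(key, blobs, statement, signature):
    """Return (allowed, reason); anything missing, mismatched or erroring denies."""
    try:
        if not all(isinstance(statement.get(p + "_sha256"), str) for p in PARTS):
            return False, "statement missing a required digest"
        if not isinstance(signature, str) or not hmac.compare_digest(
                sign_statement(key, statement), signature):
            return False, "signature not verified"
        for part in PARTS:
            blob = blobs.get(part)
            if not isinstance(blob, bytes) or not blob:
                return False, part + " missing"
            if not hmac.compare_digest(sha256_hex(blob), statement[part + "_sha256"]):
                return False, part + " digest mismatch"
        return True, "verified"
    except Exception as exc:  # fail closed: a verifier crash is a denial, never a pass
        return False, "verification error: " + type(exc).__name__

# Constructed sample inputs.
KEY = b"constructed-demo-key"
BLOBS = {"artifact": b"constructed artifact bytes",
         "sbom": b'{"components": []}',
         "provenance": b'{"builder": "constructed"}'}
STATEMENT = {p + "_sha256": sha256_hex(BLOBS[p]) for p in PARTS}
SIGNATURE = sign_statement(KEY, STATEMENT)

if __name__ == "__main__":
    print(gate(KEY, BLOBS, STATEMENT, SIGNATURE))
    print(gate(KEY, {**BLOBS, "artifact": b"tampered"}, STATEMENT, SIGNATURE))
    print(gate(KEY, {**BLOBS, "sbom": None}, STATEMENT, SIGNATURE))
    print(gate(KEY, BLOBS, None, SIGNATURE))
```

The only path that returns an allow is the one where the signature, the artifact, the SBOM and the provenance have all been checked; every other path, including an exception inside the verifier, returns a denial with a reason.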
Audit logs
Every action emits a typed audit receipt — what ran, on which host, under which route, with what approvals, and at what cost — attached to a canonical work item. Audit and compliance trails are kept separate from product telemetry.
Branch protection and deploy approvals
Branch protection is enforced at the gate — a change that doesn't satisfy the protected-branch rules doesn't promote. Deploy approvals put a human at the production traffic shift, which is manual by default. Approvals are recorded in the receipt chain.