docs: strengthen public security signals

.github/workflows/codeql.yml

@@ -0,0 +1,52 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main, dev]
+  schedule:
+    - cron: '17 3 * * 1'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - language: go
+            build-mode: manual
+          - language: actions
+            build-mode: none
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
+
+      - name: Set up Go
+        if: matrix.language == 'go'
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v5
+        with:
+          go-version: "1.24.6"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          build-mode: ${{ matrix.build-mode }}
+          queries: security-extended
+
+      - name: Build for CodeQL
+        if: matrix.build-mode == 'manual'
+        run: make build
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/release.yml

@@ -6,7 +6,7 @@ on:
       - 'V*'
 
 permissions:
-  contents: write
+  contents: read
 
 jobs:
   build:
@@ -58,6 +58,10 @@ jobs:
     name: Publish Release
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      attestations: write
+      id-token: write
     steps:
       - name: Download all artifacts
         uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
@@ -69,16 +73,32 @@ jobs:
       - name: Display structure of downloaded files
         run: ls -R bin/
 
+      - name: Generate release checksums
+        run: |
+          cd bin
+          mapfile -t release_files < <(find . -maxdepth 1 -type f -printf '%P\n' | sort)
+          if [[ ${#release_files[@]} -eq 0 ]]; then
+            echo "No release assets found"
+            exit 1
+          fi
+          sha256sum "${release_files[@]}" > SHA256SUMS
+          cat SHA256SUMS
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: |
+            bin/analyze-darwin-*
+            bin/status-darwin-*
+            bin/binaries-darwin-*.tar.gz
+            bin/SHA256SUMS
+
       - name: Create Release
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
         if: startsWith(github.ref, 'refs/tags/')
         with:
           name: ${{ github.ref_name }}
           files: bin/*
-          body: |
-            Release assets are ready.
-
-            Final curated release notes should be applied with `gh release edit` after workflow verification.
           generate_release_notes: false
           draft: false
           prerelease: false

.github/workflows/test.yml

@@ -52,6 +52,9 @@ jobs:
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
 
+      - name: Install tools
+        run: brew install bats-core
+
       - name: Check for unsafe rm usage
         run: |
           echo "Checking for unsafe rm patterns..."
@@ -86,3 +89,10 @@ jobs:
             exit 1
           fi
           echo "✓ No secrets found"
+
+      - name: Run high-risk path regression tests
+        env:
+          BATS_FORMATTER: tap
+          LANG: en_US.UTF-8
+          LC_ALL: en_US.UTF-8
+        run: bats tests/core_safe_functions.bats tests/purge.bats tests/installer.bats