Use this checklist before cutting any new release (e.g., v0.x.x) to ensure supply-chain integrity.
- [ ] Set the `VERSION` variable in `install.sh` to match the release tag.
- [ ] `README.md` and `.github/PULL_REQUEST_TEMPLATE.md` installer URLs point to the new tag (not `main`).
- [ ] `install.sh` does not curl random scripts from third parties without pinning.
- [ ] Check `dot_ssh/` to ensure no private keys (`id_rsa`, `id_ed25519`) are committed.
- [ ] `dot_config/` (use `age` encryption or environment variables instead).
- [ ] Run `git secrets` or similar to scan for accidental commits of credentials.
- [ ] `install.sh` detects WSL and does not try to install systemd services or macOS defaults.
- [ ] `install.sh` does not use `sudo` unnecessarily (Principle of Least Privilege).
- [ ] `dot_local/bin/` scripts are pure shell/executable and match expected checksums (no binary blobs).
- [ ] Run `npm audit` / `cargo audit` if applicable (currently the Node.js legacy is removed).
- [ ] `dot mcp` shows only allowlisted launchers (`npx`, `node`, `uvx`).
- [ ] (`/`, `/home`, `/Users`).
- [ ] The `strict-local` server set is enabled by default.
- [ ] (`GITHUB_TOKEN`, `BRAVE_API_KEY`).
- [ ] (`*`) or `--unsafe` arguments in MCP server configs.
- [ ] `${VAR}` references in the MCP config have corresponding environment variables.
- [ ] Run `dot mcp --strict --json` to validate all MCP server configurations and capture an audit artifact.

- [ ] `dotfiles-sbom.spdx.json` is generated in the release workflow.
- [ ] `actions/attest-build-provenance` signs the release artifacts.
- [ ] Run `gh attestation verify <artifact> --repo sebastienrousseau/dotfiles`.
- [ ] `security-attestation` is a required status check on `master`.
- [ ] `ACTIONS_BOT_SIGNING_KEY` exists and matches the signer in `dot_config/git/allowed_signers`.
- [ ] Run `docker build -f Dockerfile.test .` to verify a clean install.
- [ ] Run `dot doctor` locally.
- [ ] Run `dot mcp` to verify the MCP configuration.