pipeline & defense
Approval gates. Digest-pinned. Zero-downtime.
GitHub Actions → cosign → trivy → manual approval → kubectl rollout. Then verify, or roll back.
pipeline · 11 stages
Every commit, the same gauntlet.
GitHub Actions runs the full chain on every PR, and the same workflow is what deploys to prod.
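The chain named in the header (GitHub Actions, cosign, trivy, manual approval, kubectl rollout, then verify or roll back) as a single added example workflow. This is illustrative code written for this page, not the project's own workflow file, and it is shorter than the 11-stage pipeline it stands in for. The organisation, repository, image name, namespace, deployment name, environment name and the `KUBECONFIG_B64` secret are all placeholders; the action versions and cosign, trivy and kubectl flags are real.

```yaml
# Added illustrative workflow; not the project's own file. Every name below is a placeholder.
name: build-verify-deploy

on:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write
  id-token: write      # required for keyless (Sigstore/Fulcio) signing and verification

env:
  IMAGE: ghcr.io/example-org/order-api   # placeholder image name

jobs:
  build-sign-scan:
    runs-on: ubuntu-latest
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Push and capture the digest; every later step refers to the digest, never to a tag.
      - id: build
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      - uses: sigstore/cosign-installer@v3

      # Keyless signature bound to this workflow's OIDC identity.
      - run: cosign sign --yes "${IMAGE}@${{ steps.build.outputs.digest }}"

      # Fail the pipeline on fixable HIGH/CRITICAL findings in the exact image that was signed.
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '1'

  deploy:
    needs: build-sign-scan
    runs-on: ubuntu-latest
    # Required reviewers configured on this environment are the manual approval gate.
    environment: production
    env:
      DIGEST: ${{ needs.build-sign-scan.outputs.digest }}
    steps:
      - uses: sigstore/cosign-installer@v3

      # Re-verify at deploy time: the artifact must carry a signature from this repo's workflow.
      - run: |
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github.com/example-org/example-repo/' \
            "${IMAGE}@${DIGEST}"

      - uses: azure/setup-kubectl@v4

      # Assumes KUBECONFIG_B64 holds a base64-encoded kubeconfig for a deploy-scoped service account.
      - run: |
          echo "${{ secrets.KUBECONFIG_B64 }}" | base64 -d > "$RUNNER_TEMP/kubeconfig"
          echo "KUBECONFIG=$RUNNER_TEMP/kubeconfig" >> "$GITHUB_ENV"

      # Rolling update pinned to the digest; wait for readiness, undo if it never becomes ready.
      - run: |
          set -euo pipefail
          kubectl -n example-ns set image deployment/order-api \
            order-api="${IMAGE}@${DIGEST}"
          if ! kubectl -n example-ns rollout status deployment/order-api --timeout=180s; then
            echo "rollout did not become ready; rolling back"
            kubectl -n example-ns rollout undo deployment/order-api
            exit 1
          fi
```

Two points are easy to miss when reading the YAML alone: the approval gate is not in the file at all but in the repository's `production` environment settings (required reviewers), so the job simply blocks until someone approves; and the signature is checked twice, once implicitly by trivy scanning the same digest that was signed, and once explicitly with `cosign verify` in the deploy job, so a tag that was re-pointed between the two jobs would fail verification rather than be deployed.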
security posture · live
Six layers. One source of truth.
| Layer | Control | Source |
|---|---|---|
| Identity | Cognito + JWKS verify | docs/adr/016-auth-jwt.md |
| Tenancy | Postgres RLS · force | apps/order-api/migrations/003_rls.sql |
| Transport | HSTS · CSP · COOP/CORP | apps/storefront/next.config.ts |
| Secrets | Secrets Mgr + IRSA | apps/order-api/k8s/deployment.yaml |
| Supply chain | Cosign + Trivy + Gatekeeper | docs/adr/020-supply-chain.md |
| Observability | OTel · 3 signals · SLO | modules/observability/ |