Supply chain controls protect the path from source code to deployed program. This pillar covers dependency management, branch protection, code review enforcement, reproducible releases, and CI/CD pipeline security.
All dependencies are pinned to exact versions, with lockfiles committed to source control. Dependency updates are deliberate and reviewed. Crate and package provenance is verified. Transitive dependencies are understood and tracked. Registry publish access (crates.io, npm) is protected with hardware keys and restricted to the minimum set of maintainers.
Main and release branches enforce protection rules: no direct pushes, required status checks, no single-administrator override. Repository access follows least-privilege. Org-level settings (SSO, 2FA, outside collaborator policy) are hardened.
All production code changes require review from at least one independent reviewer. Review cannot be bypassed or self-approved for any path that leads to deployment.
Release artifacts are cryptographically signed. Builds are reproducible and verifiable against on-chain program hashes (solana-verify or equivalent). Verification status is monitored and re-verified after every upgrade. The release process is documented end-to-end: who triggers, what signs, and where artifacts are published.
Pipeline configuration is version-controlled and review-gated. Secrets are scoped to specific pipelines. Builds run on hardened, ephemeral infrastructure. Third-party actions and plugins are pinned to specific versions. Pipeline logs are retained for audit.
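A pipeline pin check along the lines of the third-party-action requirement above, written as an added example for this page rather than code from the original: it scans a GitHub Actions workflow (the sample workflow is constructed) and flags every `uses:` reference that is not an immutable commit SHA, image digest, or in-repo action, since a version tag or branch name can be moved to point at different code after review.

```python
import re

# Constructed sample workflow for the check (not from the original page).
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567  # v4.0.2
      - uses: ./.github/actions/local-build
      - uses: docker://rust:1.78
      - uses: dtolnay/rust-toolchain@stable
      - uses: actions-rs/cargo@v1.0.3
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"[0-9a-f]{40}")
TAG_RE = re.compile(r"v?\d+(\.\d+)*")
IMMUTABLE = {"sha", "digest", "local"}

def classify(ref: str) -> str:
    """Classify how one `uses:` reference is pinned."""
    if ref.startswith("./"):
        return "local"  # in-repo action, covered by branch protection and review
    if ref.startswith("docker://"):
        return "digest" if "@sha256:" in ref else "mutable-image-tag"
    if "@" not in ref:
        return "unpinned"
    _, _, version = ref.rpartition("@")
    if SHA_RE.fullmatch(version):
        return "sha"  # full commit SHA: the only immutable git reference
    if TAG_RE.fullmatch(version):
        return "mutable-tag"  # tags can be moved to point at different code
    return "branch"

def audit_workflow(text: str) -> list[tuple[str, str]]:
    """Return (reference, status) for every `uses:` line in a workflow."""
    return [(ref, classify(ref)) for ref in USES_RE.findall(text)]

def violations(text: str) -> list[str]:
    """References not pinned to an immutable commit SHA or image digest."""
    return [ref for ref, status in audit_workflow(text) if status not in IMMUTABLE]

if __name__ == "__main__":
    for ref, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{status:18} {ref}")
```

Run it as a required status check on workflow files so an unpinned action fails the pipeline before the change can merge.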