# Delivery security policy

- Explicit least-privilege `permissions` in every workflow.
- Protected production environment and required reviewers.
- OpenID Connect for cloud credentials instead of long-lived keys.
- CodeQL and filesystem/container vulnerability scanning.
- Immutable image tags, SBOM and provenance blueprint.
- GitOps-only cluster changes; Argo CD detects and repairs drift.
- Non-root, read-only containers with dropped capabilities.
- NetworkPolicy, resource limits and disruption budgets.
