
Audit the Release Pipeline Like a Smart Contract
Your contracts are audited. Your release pipeline isn't. Mini Shai-Hulud proved npm provenance signs whatever a compromised workflow ships. Here's the checklist Web3 teams should run on their own pipeline.
Dmitry Serdyuk·May 19, 2026