Severity: LOW
Problem
There is no .github/CODEOWNERS file. Any repository collaborator could modify the release workflow file (.github/workflows/release-macos.yml) without requiring review from a specific owner. This is a supply-chain security gap: the workflow has access to Apple signing secrets.
Proposed Solution
Create .github/CODEOWNERS:
# Workflow files require owner review
/.github/workflows/ @Laurc2004
This ensures any PR modifying CI/CD workflows requires approval from the designated code owner.
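As an added check (example code, not part of the original issue or the repository), the following script parses a CODEOWNERS file with a subset of GitHub's pattern rules and reports which workflow files would still have no required reviewer; the sample CODEOWNERS content is the one proposed above.

```python
"""Added example (not the issue's or repository's code): check that a CODEOWNERS
file assigns an owner to the release workflow. Supported pattern subset: last
matching rule wins; a leading or interior '/' anchors the pattern at the repo
root; a trailing '/' covers everything under that directory; '*' and '?' match
within one path segment, '**' across segments."""
import re

# Constructed sample input: the file proposed in the issue above.
CODEOWNERS_TEXT = """\
# Workflow files require owner review
/.github/workflows/ @Laurc2004
"""

def parse_codeowners(text):
    """Return [(pattern, [owners])] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules

def _to_regex(pattern):
    """Translate one CODEOWNERS pattern into a compiled regex over repo paths."""
    dir_only = pattern.endswith("/")
    core = pattern.strip("/")
    if core.startswith("**/"):  # leading '**/' means any directory depth
        core, anchored = core[3:], False
    else:
        anchored = pattern.startswith("/") or "/" in core
    body = "".join(
        ".*" if tok == "**" else "[^/]*" if tok == "*" else "[^/]" if tok == "?"
        else re.escape(tok)
        for tok in re.findall(r"\*\*|\*|\?|[^*?]+", core))
    prefix = "^" if anchored else "^(?:.*/)?"
    # A matched directory covers its contents; a trailing '*' matches one level only.
    suffix = "$" if core.endswith("*") and not dir_only else "(?:/.*)?$"
    return re.compile(prefix + body + suffix)

def owners_for(path, rules):
    """Owners required to review `path`; [] means no rule covers it."""
    owners = []
    for pattern, rule_owners in rules:
        if _to_regex(pattern).match(path):
            owners = rule_owners  # later rules override earlier ones
    return owners

def uncovered_workflows(codeowners_text, workflow_paths):
    """Return the workflow files that no CODEOWNERS rule assigns an owner to."""
    return [p for p in workflow_paths if not owners_for(p, parse_codeowners(codeowners_text))]
```

GitHub only blocks a merge on a missing owner review when the branch protection rule or ruleset for the target branch has "Require review from Code Owners" enabled, so the file should be paired with that setting.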
References
PLAN.md item: Add CODEOWNERS file for workflow protection #23