Supply-chain Hardening

What I shipped:

  • SBOMs generated in CI and attached to artifacts
  • Image signing with Cosign; verify on deploy
  • Vulnerability scanning with Grype; fail on criticals
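
As an added example (not the pipeline code behind the items above), the "fail on criticals" gate expressed as a small policy check over Grype's JSON report. Grype can block on its own with `--fail-on critical`; reading the report downstream lets a deploy step list every blocking finding and raise or lower the threshold per environment. The sample report is constructed to mirror the shape of `grype <image> -o json` (a top-level "matches" list with "vulnerability" and "artifact" objects); the package names and CVE ids in it are placeholders, not real findings.

```python
"""Severity gate over a Grype JSON report.

Added illustration for this page, not the portfolio's own CI code.
The sample report below is constructed; its CVE ids and package
names are placeholders rather than real scan results.
"""
import json
import sys

# Grype severity labels, least to most severe.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample in the shape of `grype <image> -o json`.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
         "artifact": {"name": "libexample-placeholder", "version": "1.2.3"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical"},
         "artifact": {"name": "tls-placeholder", "version": "3.0.0"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low"},
         "artifact": {"name": "compress-placeholder", "version": "1.2.11"}},
    ]
})


def severity_rank(label):
    """Map a Grype severity label to an integer; unrecognised labels rank lowest."""
    try:
        return SEVERITY_ORDER.index(label)
    except ValueError:
        return 0


def violations(report_json, fail_on="Critical"):
    """Return (package, version, vuln id, severity) for every match at or above fail_on."""
    report = json.loads(report_json)
    threshold = severity_rank(fail_on)
    found = []
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        sev = vuln.get("severity", "Unknown")
        if severity_rank(sev) >= threshold:
            art = match.get("artifact", {})
            found.append((art.get("name"), art.get("version"), vuln.get("id"), sev))
    return found


def gate(report_json, fail_on="Critical"):
    """Exit-code style decision: 0 lets the release through, 1 blocks it."""
    return 1 if violations(report_json, fail_on) else 0


if __name__ == "__main__":
    # Usage: python gate.py [report.json] [threshold]; defaults to the sample and "Critical".
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "Critical"
    for name, version, vuln_id, sev in violations(data, threshold):
        print(f"BLOCK {sev}: {name}@{version} ({vuln_id})")
    sys.exit(gate(data, threshold))
```

Pipe a real report in (`grype <image> -o json > report.json`) and the script's exit status becomes the pipeline's verdict; lowering the threshold to "High" for production and keeping "Critical" for staging is a one-argument change rather than a scanner reconfiguration.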

Outcomes:

  • Faster audits, fewer surprises, higher release confidence

$ cosign verify ghcr.io/katrelle/portfolio:latest
Verified OK, subject=katrelle, sha={{ site.Data.cluster.last_deploy_sha }}