
Commit dc17982

Authored by heyvaldemar (Vladimir Mikhalev) and a co-author
docs(security): sync SECURITY.md Supply Chain Trust with runbook v1.2 template (#20)
One-line drift identified during the v1.2 post-release audit of the keycloak reference-implementation against the runbook templates. The Supply Chain Trust section of SECURITY.md still said "Upstream image tags are pinned to specific versions and will migrate to immutable @sha256:... digests in an upcoming PR" — but that migration actually shipped in PR #14 (merged 2026-04-23). The "upcoming" language has been stale for ~6 weeks.

Replaces that sentence with the current-state description from the runbook's templates/SECURITY.md.tmpl:

- Digests pinned in .env.example with the full tag@sha256: form
- Dependabot docker-ecosystem weekly bumps
- CI Deployment Verification weekly drift detection (Monday 06:00 UTC)
- Adds the GitHub-Actions-pinned-by-commit-SHA statement

No functional change — just sync documentation with what's actually been deployed since PR #14.

Also documents the sync in CHANGELOG.md under [Unreleased] → Changed with a link to runbook v1.2.0.

Close drift item against:

- self-host-repo-hardening-runbook v1.2.0 templates/SECURITY.md.tmpl

Co-authored-by: Vladimir Mikhalev <ask@sre.gg>
1 parent: d8f2c17 · commit: dc17982

2 files changed

Lines changed: 10 additions & 1 deletion
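As an added illustration of the current-state description the commit message lays out (this is example code, not code from the keycloak repository or the runbook), the check worked through in Python: parse the `tag@sha256:<digest>` references in a constructed `.env.example` fragment, flag any tag-only reference, and compare each pinned digest with the digest the upstream tag currently serves. The variable names, digests and the upstream lookup table are constructed placeholders; a real drift check would fill the table from `docker manifest inspect` or `skopeo inspect`.

```python
import re

# Constructed sample of the .env.example form the commit describes (variable names
# and digests are placeholders): <VAR>=<repo>:<tag>@sha256:<digest>
SAMPLE_ENV = """\
KEYCLOAK_IMAGE=quay.io/keycloak/keycloak:26.1.4@sha256:{kc}
POSTGRES_IMAGE=postgres:17.4@sha256:{pg}
EXAMPLE_UNPINNED_IMAGE=postgres:17
""".format(kc="0123456789abcdef" * 4, pg="fedcba9876543210" * 4)

# Digest each upstream tag currently serves (constructed; fill from a registry query)
UPSTREAM_DIGESTS = {
    "quay.io/keycloak/keycloak:26.1.4": "0123456789abcdef" * 4,  # unchanged
    "postgres:17.4": "1111111111111111" * 4,                      # tag has moved
}

def parse_image_ref(ref: str):
    """Split repo:tag@sha256:<digest>; return None unless the ref is digest-pinned."""
    name, sep, digest = ref.partition("@sha256:")
    if not sep or not re.fullmatch(r"[0-9a-f]{64}", digest):
        return None
    repo, colon, tag = name.rpartition(":")
    if not colon or "/" in tag:  # that ':' was a registry port, not a tag separator
        repo, tag = name, ""
    return {"repo": repo, "tag": tag, "digest": digest}

def audit_env(env_text: str) -> dict:
    """Classify every *_IMAGE variable as digest-pinned or tag-only (unpinned)."""
    result = {"pinned": {}, "unpinned": {}}
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        var, _, ref = line.partition("=")
        if not var.endswith("_IMAGE"):
            continue
        parsed = parse_image_ref(ref.strip())
        bucket = "pinned" if parsed else "unpinned"
        result[bucket][var] = parsed or ref.strip()
    return result

def detect_drift(pinned: dict, upstream: dict) -> dict:
    """Map var -> (pinned_digest, current_digest) where the upstream tag has moved.
    Deploys keep using the pinned digest; this is the signal that a bump is due."""
    drift = {}
    for var, ref in pinned.items():
        key = f"{ref['repo']}:{ref['tag']}" if ref["tag"] else ref["repo"]
        current = upstream.get(key)
        if current and current != ref["digest"]:
            drift[var] = (ref["digest"], current)
    return drift
```

Because a reference that carries both a tag and a digest is pulled by digest, a moved tag never changes what is deployed; the report only tells maintainers that the pin is stale.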


CHANGELOG.md

Lines changed: 7 additions & 0 deletions
@@ -58,6 +58,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
5858
(`0 6 * * 1`) for upstream image drift detection, and `workflow_dispatch`
5959
trigger for manual runs. Workflow file renamed `00-deployment-verification.yml`
6060
`deployment-verification.yml`.
61+
- `SECURITY.md` Supply Chain Trust section synced with
62+
[self-host-repo-hardening-runbook v1.2](https://github.com/heyvaldemar/self-host-repo-hardening-runbook/releases/tag/v1.2.0)
63+
template. Replaces the stale "will migrate to immutable `@sha256:...` digests
64+
in an upcoming PR" language (that migration shipped in PR #14) with the
65+
current-state description: digests pinned in `.env.example`, Dependabot
66+
weekly bumps, CI weekly drift detection. Adds the GitHub-Actions-pinned-by-
67+
commit-SHA statement that the template now includes.
6168

6269
### Removed
6370
- `.github/FUNDING.yml` — sponsor discovery moves to heyvaldemar.com. Aligns with the same decision applied across other heyvaldemar public repositories.
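Review bot: In the new lines 61-67, "PR #14" is referenced as plain text while the runbook release gets a full link; link the PR the same way so a reader of the changelog can verify when the digest migration landed without searching the history. The entry also reads as a paragraph of commit-message prose; the other entries in this section are one or two lines, so consider trimming it to the change itself (Supply Chain Trust section synced with runbook v1.2 template; stale "upcoming PR" wording replaced; GitHub Actions commit-SHA pinning statement added) and leaving the background to the commit message.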

SECURITY.md

Lines changed: 3 additions & 1 deletion
@@ -25,7 +25,9 @@ This repository publishes a **deployment template**, not a custom Docker image.
2525
- [`quay.io/keycloak/keycloak`](https://quay.io/repository/keycloak/keycloak) — Keycloak upstream
2626
- [`postgres`](https://hub.docker.com/_/postgres) — PostgreSQL, official image
2727

28-
Upstream image tags are pinned to specific versions and will migrate to immutable `@sha256:...` digests in an upcoming PR. Dependabot's `docker` ecosystem tracks digest bumps weekly.
28+
Upstream image tags are pinned to `tag@sha256:<digest>` in `.env.example`. Dependabot's `docker` ecosystem tracks digest bumps weekly. CI's Deployment Verification workflow stands up the full compose stack on every push and every Monday at 06:00 UTC, catching upstream drift before it reaches users.
29+
30+
GitHub Actions are pinned by commit SHA with `# vX.Y.Z` version comments.
2931

3032
## Known historical issue
3133
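Review bot: New line 28's `tag@sha256:<digest>` deserves a clarifying clause: when a reference carries both, the runtime pulls by digest and the tag is only a human-readable label, so readers should not assume the tag itself is verified. On the same line, "catching upstream drift before it reaches users" reads as if a moved upstream tag could change the deployment, which digest pinning already prevents; suggest stating what the weekly run actually detects (the CHANGELOG hunk calls it "upstream image drift detection"), for example that the upstream tag no longer resolves to the pinned digest and a digest bump is due. New line 30 adds commit-SHA pinning for GitHub Actions, but the paragraph names only Dependabot's `docker` ecosystem; if the `github-actions` ecosystem is enabled as well (it updates the `# vX.Y.Z` comment alongside the SHA), say so, otherwise the maintenance story for the action pins is missing.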
