Supply-chain controls
This content is for 2026. Switch to the latest version for up-to-date documentation.
Dependency updates, signed artifacts, provenance controls, and Rust-specific checks are part of the release posture for the project.
Rust releases should consider cargo audit, cargo deny, SBOM generation, and
artifact signing before the release claim expands.
GitHub Actions checks have passed before a release claim is treated as ready to merge or publish.
See the canonical source in Conductor supply-chain-controls.md.