/claim #2062

Skill Improvement ($50-150 Bounty)

Related review issue: #2062

Summary

This improves pipeline-security by adding workflow_run artifact handoff gates so privileged consumers cannot execute, sign, publish, or deploy artifacts produced by lower-trust PR/fork workflows without trusted source checks, provenance, digest binding, and cache isolation.

Changes

• Add PIPE-HANDOFF-01 through PIPE-HANDOFF-08 evidence gates.
• Require producer/consumer workflow chain mapping, including producer trigger, head repository, branch/ref, head SHA, actor, artifact/cache identity, consumer trigger, and consumer permissions.
• Require trusted source checks, artifact digest/signature/provenance or trusted rebuild, PR-controlled generated-file treatment, cache key isolation, least-privilege consumer permissions, and fail-closed behavior.
• Extend output with a Privileged Workflow Handoff Evidence table and gate results.
• Add skill-local benign and vulnerable JSON fixtures.

Bounty Tier

• Minor ($50) - Doc update, small logic tweak, typo fix
• Moderate ($100) - New edge case coverage, FP reduction with evidence
• Substantial ($150) - Rewritten detection logic, major coverage expansion

Validation

• git diff --cached --check
• git diff --check origin/main...HEAD
• JSON parse check for both fixtures
• Markdown fence balance check
• marker checks for PIPE-HANDOFF-01 through PIPE-HANDOFF-08
• added-line realistic-secret-pattern scan
• git merge-tree --write-tree origin/main HEAD matches HEAD^{tree}
• fork branch created through GitHub Git Data API; remote tree verified against local HEAD^{tree}

Payment preference

GitHub Sponsors, if accepted.