cosign

Artifact signing gives downstream systems something concrete to verify before deployment. I use cosign because it keeps container and provenance signing practical in CI. Supply chain controls only matter if verification is automated where release deci