promotion-pipeline

Warn

Audited by Socket on Feb 25, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill is a documentation/operational guide for an OCI artifact promotion pipeline. It contains no embedded malicious code and no supply-chain download-and-execute pattern. The security concerns are operational: the pipeline requires high-privilege GitHub tokens (repo and packages scopes) and access to kubeconfig files. Classic PAT scopes are not restricted to a single repository, so a leaked or over-scoped token, or one handed to an automated agent, would allow manipulation of any repository or package the token owner can write to, and a leaked kubeconfig would allow control of the target cluster. Mitigations: grant the minimum scopes the promotion step actually needs, store the token and kubeconfig in a secrets vault rather than in files or environment dumps, avoid passing tokens on the command line where they land in shell history, and restrict which automation can read the kubeconfig.
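Two checks a practitioner can run before wiring such a token and kubeconfig into automation, as an added example that is not part of the Socket audit or the ionfury/homelab skill. It assumes the pipeline only needs to push to GitHub Packages and read the repository, so `repo` is treated as over-broad; the sample scope string is constructed, not read from a real token.

```shell
#!/bin/sh
# Added example, not code from the audited skill.
# Assumption: the promotion step only needs read:packages and write:packages.

# GitHub reports a classic PAT's scopes in the X-OAuth-Scopes response header
# (fine-grained PATs and GitHub App tokens do not populate it). Live query,
# not run here; the token comes from the environment, never a shell argument,
# so it does not land in shell history:
#   curl -sI -H "Authorization: Bearer $GITHUB_TOKEN" https://api.github.com/user \
#     | grep -i '^x-oauth-scopes:'

# check_scopes "<comma-separated scopes>" "<allowed scopes, space-separated>"
# Prints every scope outside the allowlist; returns 1 if any, 0 otherwise.
check_scopes() {
    scopes=$(printf '%s' "$1" | tr ',' ' ')
    allowed=" $2 "
    rc=0
    for s in $scopes; do
        case "$allowed" in
            *" $s "*) ;;
            *) echo "over-broad scope: $s"; rc=1 ;;
        esac
    done
    return $rc
}

# check_kubeconfig_mode <path>: the kubeconfig must be readable by its owner
# only (mode 0600); group- or world-readable copies are rejected.
check_kubeconfig_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Demo on a constructed header value (not a real token's scopes).
SAMPLE_SCOPES="repo, write:packages, read:packages"
ALLOWED_SCOPES="read:packages write:packages"
if check_scopes "$SAMPLE_SCOPES" "$ALLOWED_SCOPES"; then
    echo "token scopes are minimal"
else
    echo "token carries scopes the pipeline does not need; reissue it"
fi
```

Run the kubeconfig check against the file the pipeline will load (for example `check_kubeconfig_mode "$KUBECONFIG"`) and refuse to start the promotion if either check fails.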

Confidence: 80% | Severity: 75%
Audit Metadata
Analyzed At
Feb 25, 2026, 03:05 PM
Package URL
pkg:socket/skills-sh/ionfury%2Fhomelab%2Fpromotion-pipeline%2F@8c9f831c7350856315f9e95eeb2b67d50552bd2b