[mnahkies]

You're talking about creating reproducible builds - which is a good idea, but in most cases you will still need to deliver that binary somewhere.

That typically requires authentication, whether you're deploying to kubernetes or copying the files somewhere using scp, etc

So either your laptop or the ci system needs some level of secrets present to put the artifact in the correct place

[lrvick]

Engineers simply commit artifacts with Git LFS as a signed commit. Totally unprivileged build systems can append reproducible build signatures via git tags. That repo can be webhook triggered to be -pulled- by a lambda job or similar in the target environment that will the verify tags and signatures to assert if it is valid, and deploy artifacts to signature approved environments using ephemeral role credentials.

A VCS system or CI system should never have secrets or be trusted in any way. Doing this is always dramatically increases attack surface for no reason.

I run a security consulting firm and this is often one of the first things I help my clients to fix.