Hacker News
by ivannovazzi 119 days ago
Interesting — a policy layer for GitHub Actions is a very different angle than just locking down secrets access.

One thing we noticed building KeyEnv (https://keyenv.dev, CLI-first secrets manager): the enforcement problem is often about what runs _locally_ before CI/CD, not just in the pipeline. Devs bypassing secrets rotation by hardcoding, or testing against prod secrets locally, is where leaks usually start.

Your enforcement gate at the Actions layer is a clean solution for the CI side. Do you have plans to extend to pre-commit hooks or dev environment enforcement?