From CI pipelines with pinned package versions and OIDC instead of permanent secrets limited, least privileges.