Never embed secrets in a job declaration; grab them from a secret store or from the job’s configuration.
Explicitly bump the version in a release build, or at least ensure the developer did so.
Build only once and perform all the inspections over the single build artifact (e.g. Docker image).
Te...
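
One way to enforce the version-bump rule in a release job, as an added example that is not part of the original page: the gate passes only when the candidate version is strictly newer than every version already released. The function names, the MAJOR.MINOR.PATCH tag format (optional leading "v") and the sample tags are assumptions made for this sketch.

```python
import re

# Assumed tag format: MAJOR.MINOR.PATCH with an optional leading "v".
# Pre-release suffixes (e.g. "-rc1") are rejected on purpose so that only
# final versions can pass a release build.
_VERSION_RE = re.compile(r"v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if text is not a release version."""
    match = _VERSION_RE.fullmatch(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def check_release_version(candidate, released_tags):
    """Return (ok, reason); ok is True only if candidate is a real bump.

    released_tags is the list of existing tag names; entries that do not
    look like release versions (e.g. "nightly-...") are ignored.
    """
    cand = parse_version(candidate)
    if cand is None:
        return False, f"'{candidate}' is not a MAJOR.MINOR.PATCH version"
    released = [v for v in map(parse_version, released_tags) if v is not None]
    if not released:
        return True, "first release"
    if cand in released:
        return False, f"'{candidate}' was already released"
    latest = max(released)  # tuple comparison is numeric, so 1.10.0 > 1.9.3
    if cand < latest:
        return False, f"'{candidate}' is older than latest release {latest}"
    return True, f"bumped past {latest}"


if __name__ == "__main__":
    # Constructed sample tags; a real job would pass its repository's tag list.
    sample_tags = ["v1.2.0", "v1.10.0", "v1.9.3", "nightly-2024"]
    for version in ("1.10.0", "1.9.4", "1.10.1-rc1", "1.10.1"):
        ok, reason = check_release_version(version, sample_tags)
        print(f"{version}: {'PASS' if ok else 'FAIL'} ({reason})")
```

In a release job, the tag list can come from `git tag --list` and a failed check should stop the job with a non-zero exit status.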