The workflows had been running for months. Cosign signing. SBOM generation. Release automation.
Everything worked.
Then OpenSSF Scorecard ran: 16 Token-Permissions alerts.
The code scanning tab filled with warnings. All from one workflow file.
The releases were signed. Checksums published. SBOM generated. Every asset had a Cosign signature.
OpenSSF Scorecard: Signed-Releases 8/10.
Not 9. Not 10. Eight. Stuck.
Six pull requests. Two hours. OpenSSF Best Practices badge earned.
The readability project passed certification on December 13, 2025. But the work didn't start that day. It started months earlier when we built the infrastructure the badge measures.
I just published readability, a GitHub Action that checks docs. But this post isn't about metrics. It's about the release system that makes shipping easy.