ci: gate observability on release safety evidence

Add release-safety evidence coverage to observability readiness and refresh rc.1 publication gate docs.
Affaan Mustafa
2026-05-13 04:14:47 -04:00
committed by GitHub
parent d4728a0d80
commit 42f04edc03
6 changed files with 129 additions and 6 deletions

@@ -8,7 +8,9 @@ they do not prove that the workflow executed the intended code path.
## Current External Trigger
As of 2026-05-13, the active incident class is the May 2026 TanStack npm
supply-chain compromise:
supply-chain compromise. ECC also keeps Mini Shai-Hulud-style npm worm IOCs in
the same release-safety sweep because both incident classes target package
install/publish paths and developer credentials:
- TanStack reported 84 malicious versions across 42 `@tanstack/*` packages,
published on 2026-05-11 between 19:20 and 19:26 UTC.
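
Review bot: The added sentence ending "install/publish paths and developer credentials:" now carries the colon that introduces the bullet list, so the TanStack-specific bullets (84 malicious versions across 42 `@tanstack/*` packages) read as if they described both incident classes. End the new sentence with a period and keep a TanStack-only lead-in directly before the list, or move the Mini Shai-Hulud sentence below the bullets. The opening clause also still says "the active incident class is" in the singular while the paragraph now names two classes, and the text does not say where the Mini Shai-Hulud-style IOCs are listed; a pointer to that file or section would let a reader verify what the release-safety sweep covers.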