Compromises often enter through the places you do not watch: build steps, scripts, and dependencies.
The first milestone is containment. The second is understanding how trust moved through your systems.
Make provenance visible. Pin what you can. And log what you cannot.
Treat CI as production: isolated, minimal, and continuously monitored.
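As an added example (not code from the page), here is a small Python audit of "pin what you can" applied to two common CI inputs: the `uses:` references in a GitHub Actions workflow and a pip requirements file. The sample workflow, sample requirements, commit SHA and hash below are constructed placeholders, not real artifacts. The rule it applies is the usual one: a full 40-hex commit for remote actions, a digest for container images, and an exact version plus `--hash` for pip packages; anything else is reported so it can be fixed or, failing that, logged.

```python
"""Audit CI inputs for unpinned references: GitHub Actions `uses:` entries and
pip requirements. Added example; all sample inputs below are constructed."""
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")

# Constructed placeholders, not real commits or digests.
PLACEHOLDER_SHA = "0123456789abcdef" * 2 + "01234567"   # 40 hex chars
PLACEHOLDER_HASH = "0" * 64

# Constructed sample workflow: one action pinned by commit, one by tag,
# a local action, and a container image pinned only by tag.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@{PLACEHOLDER_SHA}  # v5.x
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - run: pip install --require-hashes -r requirements.txt
"""

# Constructed sample requirements: one hash-pinned, one range, one version-only.
SAMPLE_REQUIREMENTS = f"""\
requests==2.32.3 \\
    --hash=sha256:{PLACEHOLDER_HASH}
pyyaml>=6
urllib3==2.2.2
"""


def unpinned_actions(workflow_text):
    """Return (ref, reason) for every `uses:` entry that is not immutable.

    Tags and branches move; a 40-hex commit SHA does not. Image refs need a
    digest for the same reason. Local actions (./...) ride on the repo commit.
    """
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((ref, "image pinned by tag, not by digest"))
            continue
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not FULL_SHA.match(version):
            findings.append((ref, f"mutable ref {version!r}; pin to a full commit SHA"))
    return findings


def _logical_lines(text):
    """Join pip requirement lines continued with a trailing backslash."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            out.append(buf + line)
            buf = ""
    if buf:
        out.append(buf)
    return out


def unpinned_requirements(req_text):
    """Return (name, reason) for requirements lacking an exact version or a hash."""
    findings = []
    for entry in _logical_lines(req_text):
        entry = entry.strip()
        if not entry or entry.startswith(("#", "-")):
            continue  # comments and options such as --index-url
        name = re.split(r"[<>=!~;\[ ]", entry, maxsplit=1)[0]
        if "==" not in entry:
            findings.append((name, "no exact version; resolves differently over time"))
        elif "--hash=" not in entry:
            findings.append((name, "version pinned but no --hash; index contents can change"))
    return findings


def audit(workflow_text, requirements_text):
    """Run both checks and return one list of (source, item, reason) findings."""
    return ([("workflow", ref, why) for ref, why in unpinned_actions(workflow_text)]
            + [("requirements", name, why) for name, why in unpinned_requirements(requirements_text)])


if __name__ == "__main__":
    for source, item, why in audit(SAMPLE_WORKFLOW, SAMPLE_REQUIREMENTS):
        print(f"{source}: {item}: {why}")
```

Run it over the real workflow and requirements files in a CI step; fail the job on findings for inputs you control, and write the rest to the build log so an unpinned dependency at least leaves a trace when trust later has to be reconstructed.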