FPM can package arbitrary files/scripts; enforce artifact and script controls.
- Build packages in isolated CI workers.
- Review maintainer scripts (preinst, postinst, etc.) before release.
- Avoid packaging secrets or environment-specific credentials.
- Sign generated packages/repositories.
- Keep immutable build logs and build metadata.
- Verify checksum and signature in deployment pipeline.
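A pipeline gate covering the "review maintainer scripts" and "verify checksum" items above, as an added example (not part of the original checklist and not FPM's own code): it parses the .deb that FPM emits (an `ar` archive whose `control.tar.*` member carries preinst/postinst/prerm/postrm), surfaces those scripts with illustrative risk flags for the reviewer, and compares the artifact's SHA-256 with the value recorded in the build metadata. The sample package, the `RISKY` patterns and the `example.invalid` URL are constructed for the demo; signature verification is left to the repository signing tool.

```python
import hashlib, io, re, tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Patterns a reviewer wants surfaced before release (illustrative, not exhaustive).
RISKY = {"remote fetch": re.compile(r"\b(curl|wget)\b"),
         "embedded credential": re.compile(r"(PASSWORD|SECRET|TOKEN)\s*=", re.I)}

def _ar_entry(name, data):
    # ar header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2); members are 2-byte aligned
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")

def build_sample_deb(scripts):
    """Constructed sample .deb (ar archive) with control.tar.gz only; the gate never reads data.tar.*."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in {"control": "Package: demo\nVersion: 1.0\n", **scripts}.items():
            info = tarfile.TarInfo("./" + name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return b"!<arch>\n" + _ar_entry("debian-binary", b"2.0\n") + _ar_entry("control.tar.gz", buf.getvalue())

def ar_members(blob):
    """Parse a .deb (an 'ar' archive) into {member_name: bytes}."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        size = int(hdr[48:58])
        members[hdr[:16].decode().strip().rstrip("/")] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2
    return members

def maintainer_scripts(deb_bytes):
    """Return {script_name: text} for the maintainer scripts inside control.tar.*."""
    ctrl = next(v for k, v in ar_members(deb_bytes).items() if k.startswith("control.tar"))
    with tarfile.open(fileobj=io.BytesIO(ctrl), mode="r:*") as tar:
        return {m.name.lstrip("./"): tar.extractfile(m).read().decode()
                for m in tar.getmembers()
                if m.isfile() and m.name.lstrip("./") in MAINTAINER_SCRIPTS}

def review_findings(deb_bytes):
    """Map each maintainer script to the risky-pattern labels it matches (empty list = clean)."""
    return {name: sorted(lbl for lbl, rx in RISKY.items() if rx.search(body))
            for name, body in maintainer_scripts(deb_bytes).items()}

def verify_sha256(deb_bytes, expected_hex):
    """Deployment-side check: compare the artifact with the checksum from the build metadata."""
    return hashlib.sha256(deb_bytes).hexdigest() == expected_hex
```

Run `review_findings()` on every package the CI worker produces and fail the release when any script carries a finding the reviewer has not signed off on.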