generated from coulomb/repo-seed
1.2 KiB
1.2 KiB
Pattern: SLSA Build Provenance
Status: seed Readiness target: RL3 production Primary owners: artifact-store, product repos, Railiance platform Genesis family: Supply chain
Problem
Production artifacts are hard to trust if the platform cannot prove which source, builder, dependencies, and process produced them.
Context
Use this pattern for release pipelines, container builds, package publishing, artifact-store metadata, and deployment admission.
Forces
- Provenance must be generated by a trustworthy build process.
- Developers need usable build workflows.
- Provenance must be verifiable after release.
- Admission and incident response need artifact lineage.
Solution
Emit SLSA-style provenance for production artifacts, linking artifact digest to source repository, commit, builder identity, workflow, inputs, and build parameters.
Verification
- Production artifacts carry verifiable provenance.
- Provenance links to protected source and trusted builder identity.
- Admission or release promotion checks provenance policy.
- Incident triage can trace an artifact back to source and build.
Related Patterns
- Supply-Chain Provenance.
- Protected Main Branch.
- Quarantined Build Runner.
- Signed Container Images.