generated from coulomb/repo-seed
44 lines
1.2 KiB
Markdown
44 lines
1.2 KiB
Markdown
# Pattern: SLSA Build Provenance
|
|
|
|
Status: seed
|
|
Readiness target: RL3 production
|
|
Primary owners: artifact-store, product repos, Railiance platform
|
|
Genesis family: Supply chain
|
|
|
|
## Problem
|
|
|
|
Production artifacts are hard to trust if the platform cannot prove
|
|
which source, builder, dependencies, and process produced them.
|
|
|
|
## Context
|
|
|
|
Use this pattern for release pipelines, container builds, package
|
|
publishing, artifact-store metadata, and deployment admission.
|
|
|
|
## Forces
|
|
|
|
- Provenance must be generated by a trustworthy build process.
|
|
- Developers need usable build workflows.
|
|
- Provenance must be verifiable after release.
|
|
- Admission and incident response need artifact lineage.
|
|
|
|
## Solution
|
|
|
|
Emit SLSA-style provenance for production artifacts, linking artifact
|
|
digest to source repository, commit, builder identity, workflow, inputs,
|
|
and build parameters.
|
|
|
|
## Verification
|
|
|
|
- Production artifacts carry verifiable provenance.
|
|
- Provenance links to protected source and trusted builder identity.
|
|
- Admission or release promotion checks provenance policy.
|
|
- Incident triage can trace an artifact back to source and build.
|
|
|
|
## Related Patterns
|
|
|
|
- Supply-Chain Provenance.
|
|
- Protected Main Branch.
|
|
- Quarantined Build Runner.
|
|
- Signed Container Images.
|