Build your own SLSA 3+ provenance builder on GitHub Actions
Supply chain attacks have increased year over year by more than 700%. High-profile attacks such as those against SolarWinds and Codecov have exposed the kinds of supply chain integrity weaknesses that exist today. Supply-chain Levels for Software Artifacts (SLSA) is a set of incrementally adoptable guidelines for preventing tampering, improving integrity, and securing packages and infrastructure. The SLSA v1.0 specification was released in April 2023, and several commercial products are already available.
Writing a SLSA builder from scratch is, however, a tedious, multi-month effort. In this talk, we present the "Build Your Own Builder" (BYOB) framework for GitHub Actions: a set of APIs that lets anyone create a SLSA 3-compliant builder on GitHub in a matter of days. In particular, the BYOB framework makes it easy for GitHub Action maintainers to meet the requirements of the highest level, SLSA Build L3. As a builder author, you do not need to worry about keeping signing keys secure, isolating builds from one another, or creating attestations; the framework handles all of this for you.