dfetch-org · spoorcc · May 16, 2026 · May 16, 2026
diff --git a/.github/workflows/source-provenance.yml b/.github/workflows/source-provenance.yml
@@ -39,7 +39,9 @@ jobs:
           persist-credentials: false
 
       - name: Attest source governance (SLSA Source Track)
-        uses: slsa-framework/slsa-source-corroborator@v0.1.0
+        uses: slsa-framework/source-actions/slsa_with_provenance@v0.1.0
+        with:
+          version: v0.6.3
 
   attest-source:
     name: Generate source provenance

diff --git a/doc/explanation/threat_model_supply_chain.rst b/doc/explanation/threat_model_supply_chain.rst
@@ -324,7 +324,7 @@ Controls
      - Low
      - Repudiation, Spoofing
      - DFT-31
-     - Mitigates: Source Provenance Attestations are published via ``slsa-framework/slsa-source-corroborator`` on every push to ``main``.  These attestations prove the specific source-level governance controls applied on each commit: branch protection, mandatory code review, and ancestry enforcement (C-038).  Predicate type ``https://slsa.dev/source_provenance/v1`` is signed by GitHub Actions via Sigstore and stored in the GitHub Attestation registry.  Consumers can verify using ``gh attestation verify`` with ``--predicate-type https://slsa.dev/source_provenance/v1`` and ``--cert-identity`` pinned to ``source-provenance.yml@refs/heads/main``.  ``.github/workflows/source-provenance.yml``
+     - Mitigates: Source Provenance Attestations are published via ``slsa-framework/source-actions/slsa_with_provenance`` on every push to ``main``.  These attestations prove the specific source-level governance controls applied on each commit: branch protection, mandatory code review, and ancestry enforcement (C-038).  Predicate type ``https://slsa.dev/source_provenance/v1`` is signed by GitHub Actions via Sigstore and stored in the GitHub Attestation registry.  Consumers can verify using ``gh attestation verify`` with ``--predicate-type https://slsa.dev/source_provenance/v1`` and ``--cert-identity`` pinned to ``source-provenance.yml@refs/heads/main``.  ``.github/workflows/source-provenance.yml``
    * - C-038
      - Ancestry enforcement on dfetch main branch
      - Low

diff --git a/doc/howto/verify-integrity.rst b/doc/howto/verify-integrity.rst
@@ -211,7 +211,7 @@ any binary was produced):
 Every commit merged to ``main`` has a Source Provenance Attestation proving that
 branch protection, mandatory code review, and ancestry enforcement were in place
 when the commit landed.  These attestations are published by
-``slsa-framework/slsa-source-corroborator`` and stored in the
+``slsa-framework/source-actions/slsa_with_provenance`` and stored in the
 `attestation registry <https://github.com/dfetch-org/dfetch/attestations>`_.
 Replace ``<sha>`` with the 40-character commit SHA you want to verify:
 

diff --git a/security/tm_supply_chain.py b/security/tm_supply_chain.py
@@ -670,7 +670,7 @@ def build_model() -> TM:
         ),
         description=(
             "Source Provenance Attestations are published via "
-            "``slsa-framework/slsa-source-corroborator`` on every push to ``main``.  "
+            "``slsa-framework/source-actions/slsa_with_provenance`` on every push to ``main``.  "
             "These attestations prove the specific source-level governance controls "
             "applied on each commit: branch protection, mandatory code review, and "
             "ancestry enforcement (C-038).  "