Add SLSA Build Level 3 Provenance using GitHub

.github/workflows/deploy.yml

@@ -151,6 +151,9 @@ jobs:
       packages: write
       id-token: write
     runs-on: ubuntu-latest
+    outputs:
+      digest: ${{ steps.digest.outputs.digest }}
+      version: ${{ steps.meta.outputs.version }}
     steps:
       - uses: actions/checkout@v4
 
@@ -167,6 +170,13 @@ jobs:
         with:
           images: ghcr.io/${{ github.repository_owner }}/one-enterprise
 
+      - id: digest
+        run: >
+          digest=$(docker buildx imagetools inspect
+          "ghcr.io/${{ github.repository_owner }}/one-enterprise:${{ steps.meta.outputs.version }}"
+          --format '{{json .Manifest}}' | jq --raw-output '.digest');
+          echo "digest=${digest}" >> "$GITHUB_OUTPUT"
+
       - run: >
           node ./enterprise/scripts/sbom.js
           "ghcr.io/${{ github.repository_owner }}/one-enterprise:${{ steps.meta.outputs.version }}"
@@ -185,6 +195,22 @@ jobs:
           "https://github.com/${{ github.repository }}/.github/workflows/deploy.yml@${{ github.ref }}"
           "/tmp/sbom.spdx.json"
 
+  # SLSA Build Level 3 Provenance
+  # See https://github.com/slsa-framework/slsa-github-generator
+  enterprise-provenance:
+    needs: enterprise-cosign
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: ghcr.io/${{ github.repository_owner }}/one-enterprise
+      digest: ${{ needs.enterprise-cosign.outputs.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
   release:
     needs: docker-multi-arch
     runs-on: ubuntu-latest

docs/commercial.md

@@ -72,6 +72,16 @@ supply chain security and regulatory compliance capabilities:
   FIPS provider (`openssl-provider-fips`) for all cryptographic operations,
   supporting organizations that require FIPS 140 compliance.
 
+- **SLSA Build Level 3 Provenance.** Each Enterprise release publishes a
+  [SLSA v1.0](https://slsa.dev/spec/v1.0/) Provenance attestation that
+  describes how the image was built, including the source repository, the
+  exact commit, the workflow invocation, and the runner identity. The
+  attestation is generated and signed by GitHub Actions through Sigstore on
+  a hardened, isolated build platform, satisfying the SLSA Build Level 3
+  non-forgeability requirements and providing verifiable evidence of build
+  integrity for supply chain audits and regulatory frameworks such as the
+  NIST Secure Software Development Framework (SSDF).
+
 ### Verifying Image Signatures
 
 You can verify that an Enterprise container image was built and signed by
@@ -98,6 +108,20 @@ cosign verify-attestation --type spdx \
   | jq -r '.payload' | base64 -d | jq '.predicate'
 ```
 
+### Verifying Build Provenance
+
+The SLSA Build Level 3 Provenance attestation can be verified using
+[`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier), which
+checks both the Sigstore signature and that the provenance references the
+expected source repository and tag. For example:
+
+```sh
+slsa-verifier verify-image \
+  ghcr.io/sourcemeta/one-enterprise:v6.2.0 \
+  --source-uri github.com/sourcemeta/one \
+  --source-tag v6.2.0
+```
+
 ## Our Commitment to Excellence
 
 Sourcemeta is led by a member of the JSON Schema Technical Steering Committee,