
Add SLSA source provenance workflow and VSA integration #1199

Merged: spoorcc merged 1 commit into main from claude/add-slsa-provenance-vsa-hXTNK on May 13, 2026.

Conversation

spoorcc (Contributor) commented May 13, 2026

New source-provenance.yml workflow runs on push to main, creates a
deterministic git archive, and attests it with SLSA build provenance.

build.yml gains four steps after existing provenance attestations:
generate source archive, verify source provenance (continue-on-error),
generate SLSA VSA predicate, and attest binary artifacts with it.
VSA steps are skipped gracefully when source attestation is absent
(e.g. race on push, non-main commits).

https://claude.ai/code/session_01TGzde6LDNw9q7aK9JE5jGf

Summary by CodeRabbit

  • New Features

    • Builds now produce and verify source archives and, when verification succeeds, attach a Verification Summary Attestation (VSA) to release binaries.
  • Documentation

    • Installation guide updated with VSA verification commands for Linux, macOS, and Windows and guidance when VSA is absent.
  • Chores

    • CI updated to run source-provenance steps, gate builds on their result, and restrict runner network egress during provenance generation.


coderabbitai Bot (Contributor) commented May 13, 2026


Review info: configuration .coderabbit.yaml, review profile ASSERTIVE, plan Pro, run ID c78d3fb7-38fd-4d1b-807a-050ace90b837.

Commits: reviewing files that changed from the base of the PR and between e0c71a3 and 6bca1b7.

Files selected for processing (4):
  • .github/workflows/build.yml
  • .github/workflows/ci.yml
  • .github/workflows/source-provenance.yml
  • doc/tutorials/installation.rst

Walkthrough

Adds a reusable Source Provenance workflow, wires CI to run it, extends the build job to verify source provenance and optionally generate/use a Verification Summary Attestation (VSA) predicate to attest built artifacts, and documents VSA verification in the installation guide.

Changes

SLSA Source Provenance and Attestation

  • Source provenance workflow (.github/workflows/source-provenance.yml): New reusable workflow: minimal permissions, egress allowlist, checkout without persisted credentials, create source.tar.gz via git archive, generate and verify SLSA source provenance, upload source-archive.
  • CI integration (.github/workflows/ci.yml): Adds a source-provenance job (skipped on PRs) and updates the build job's needs and if condition so that build waits for source-provenance and proceeds only if it did not fail.
  • Build job: source verify and VSA attestation (.github/workflows/build.yml): The build job downloads source-archive (allowed to fail), conditionally runs gh attestation verify on the archive, generates vsa-predicate.json when verification passes, and conditionally attests built binaries with actions/attest using https://slsa.dev/verification_summary/v1.
  • Docs: installation verification (doc/tutorials/installation.rst): Adds Verification Summary Attestation (VSA) to the “Verifying release integrity” section and OS-specific gh attestation verify commands for Linux, macOS, and Windows; notes fallback to build-provenance and SBOM if VSA is absent.

Sequence Diagram(s)

sequenceDiagram
  participant CI as CI Workflow (.github/workflows/ci.yml)
  participant Prov as Source Provenance Workflow
  participant Build as Build Job
  participant Verify as gh attestation verify
  participant Attest as actions/attest
  participant Artifacts as Actions Artifact Upload

  CI->>Prov: invoke (non-PR, minimal perms)
  Prov->>Artifacts: upload source-archive (source.tar.gz)
  CI->>Build: needs satisfied (includes source-provenance)
  Build->>Artifacts: download source-archive (continue-on-error allowed)
  alt source provenance artifact present
    Build->>Verify: gh attestation verify (SLSA source provenance)
    alt verify succeeds
      Build->>Build: generate vsa-predicate.json (jq)
      Build->>Attest: actions/attest with verification_summary/v1 predicate
      Attest-->>Artifacts: produce artifact attestations
    else verify fails
      Build-->>Build: continue without VSA attestation
    end
  end

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • dfetch-org/dfetch#1190: Related updates to build attestation verification and docs around gh attestation verify and predicates.
  • dfetch-org/dfetch#1176: Related changes to .github/workflows/build.yml adding/adjusting actions/attest-based artifact attestation steps.
  • dfetch-org/dfetch#904: Related CI orchestration/workflow wiring affecting prep-release/build job structure.

Suggested labels

github_actions, development

Suggested reviewers

  • ben-edna
Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately summarizes the main changes: adding a SLSA source provenance workflow and integrating VSA (Verification Summary Attestation) into the build process.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


coderabbitai Bot (Contributor) left a review

Actionable comments posted: 2


Inline comments:
In @.github/workflows/build.yml:
- Around line 197-209: The predicate currently sets resourceUri to the Git
commit and claims verifiedLevels: ["SLSA_BUILD_LEVEL_3"] while the VSA subjects
are binary packages; change resourceUri to reference the actual artifact URIs
for the binary subjects (e.g., the .deb/.rpm/.pkg/.msi locations or storage URLs
listed as subjects) and remove/replace the incorrect build-level claim: do not
assert "SLSA_BUILD_LEVEL_3" since no binary build verification was
performed—instead set verifiedLevels to the appropriate source-provenance
indicator or omit the SLSA build level entirely; ensure
verificationResult/inputAttestations remain consistent with this lower assurance
level and keep verifier/timeVerified fields as-is.
- Around line 178-192: The verification fails because the build job re-generates
source.tar.gz with git archive (and the verify step id: verify-source uses gh
attestation verify) which produces non-deterministic bytes across
ubuntu/macos/windows; stop regenerating the archive on each runner and instead
fetch the exact artifact produced by the source-provenance workflow (or move the
gh attestation verify step into source-provenance.yml where the original archive
was created). Concretely: remove/avoid the git archive --format=tar.gz step and
change the verify-source step to download the canonical source.tar.gz artifact
(or relocate the verify-source gh attestation verify invocation into
source-provenance.yml) so gh attestation verify runs against the byte-identical
file that the attestation covers; also remove continue-on-error: true so
failures surface.

Review info: configuration .coderabbit.yaml, review profile ASSERTIVE, plan Pro, run ID ec2ef941-369c-4391-9f69-051e62d51ec9.

Commits: reviewing files that changed from the base of the PR and between 98352d4 and 225ca98.

Files selected for processing (2):
  • .github/workflows/build.yml
  • .github/workflows/source-provenance.yml

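The non-determinism the review above describes comes from rebuilding the archive on each runner instead of verifying the bytes that were actually signed. The following Python script is an added example, not code from the dfetch project or from this PR: it mimics what git archive does over a small constructed file tree, shows that two runners with different clocks produce archives with different digests when the gzip member header records the compression time, and shows that pinning tar entry times to the commit time and zeroing the gzip header timestamp (what `gzip -n` does) yields byte-identical output. The file contents, the commit timestamp and the runner clocks are constructed sample values.

```python
"""Why a re-generated source archive drifts between runners, and how to
make the archive byte-for-byte reproducible.

Added example (not dfetch project code). It builds a tar of an in-memory
tree with normalized metadata, then gzips it either with the runner's
clock in the gzip header (non-reproducible) or with a zero timestamp.
"""
import gzip
import hashlib
import io
import tarfile

# Constructed stand-in for a checked-out tree (sorted on write).
SAMPLE_TREE = {
    "README.md": b"# sample project\n",
    "src/main.py": b"print('hello')\n",
}
# Constructed committer timestamp; git archive pins entry mtimes to this.
COMMIT_TIME = 1_700_000_000


def tar_bytes(files, mtime):
    """Tar the tree with sorted entries, fixed mtime and neutral ownership."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def gzip_bytes(data, header_mtime):
    """Compress with an explicit MTIME in the 10-byte gzip member header."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=header_mtime) as gz:
        gz.write(data)
    return buf.getvalue()


def naive_archive(files, runner_clock):
    """Archive as rebuilt on a runner: the gzip header carries that
    runner's clock, so the digest differs from every other runner's."""
    return gzip_bytes(tar_bytes(files, COMMIT_TIME), header_mtime=runner_clock)


def deterministic_archive(files, commit_time=COMMIT_TIME):
    """Entries pinned to the commit time, gzip header timestamp zeroed."""
    return gzip_bytes(tar_bytes(files, commit_time), header_mtime=0)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def gzip_header_mtime(data):
    """Read the little-endian 32-bit MTIME field (bytes 4..7) of a gzip header."""
    return int.from_bytes(data[4:8], "little")


def list_entries(archive):
    """Entry names inside a .tar.gz, to show the payload is still readable."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return tar.getnames()


def compare_runners():
    """Simulate two runners with different clocks.

    Returns (naive digests equal?, deterministic digests equal?).
    """
    ubuntu = naive_archive(SAMPLE_TREE, runner_clock=1_700_000_100)
    macos = naive_archive(SAMPLE_TREE, runner_clock=1_700_000_160)
    det_a = deterministic_archive(SAMPLE_TREE)
    det_b = deterministic_archive(SAMPLE_TREE)
    return sha256(ubuntu) == sha256(macos), sha256(det_a) == sha256(det_b)


if __name__ == "__main__":
    naive_same, det_same = compare_runners()
    print("naive archives identical across runners:", naive_same)
    print("deterministic archives identical across runners:", det_same)
    print("deterministic sha256:", sha256(deterministic_archive(SAMPLE_TREE)))
```

Even with a reproducible archive, the fix the review asks for still applies: run gh attestation verify against the exact source.tar.gz artifact the source-provenance workflow uploaded, so the bytes being checked are the bytes that were signed, and let a failure fail the job rather than hiding it behind continue-on-error.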
@spoorcc spoorcc force-pushed the claude/add-slsa-provenance-vsa-hXTNK branch from 225ca98 to f28f480 Compare May 13, 2026 19:06
coderabbitai Bot (Contributor) left a review

Actionable comments posted: 2


Inline comments:
In @.github/workflows/ci.yml:
- Around line 33-35: The build job's conditional uses always(), which bypasses
the prep-release failure gate and allows build to run with an empty
needs.prep-release.outputs.release_id; remove always() and make the if
explicitly require prep-release to not have failed (e.g. use if:
needs.prep-release.result != 'failure' && needs.source-provenance.result !=
'failure') on the build job so prep-release failures/cancels block build while
still allowing source-provenance to be skipped.

In @.github/workflows/source-provenance.yml:
- Around line 48-56: The Verify step uses a hardcoded --cert-identity that only
matches refs/heads/main, so tag-triggered runs will fail; update the gh
attestation verify invocation (the command using gh attestation verify
source.tar.gz) to replace the fixed --cert-identity with a regex-based identity
flag (--cert-identity-regex) that accepts either refs/heads/main or
refs/tags/<semver> (e.g., a regex matching
refs/heads/main|refs/tags/[0-9]+\.[0-9]+\.[0-9]+) so the certificate SAN from
tag and branch runs will both validate.

Review info: configuration .coderabbit.yaml, review profile ASSERTIVE, plan Pro, run ID a513a655-cd39-4719-9d5d-eb5a8db150e9.

Commits: reviewing files that changed from the base of the PR and between 225ca98 and f28f480.

Files selected for processing (4):
  • .github/workflows/build.yml
  • .github/workflows/ci.yml
  • .github/workflows/source-provenance.yml
  • doc/tutorials/installation.rst

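Two of the review findings on this PR concern what the generated VSA predicate may honestly claim: the earlier review on build.yml (resourceUri pointing at the git commit while the subjects are binaries, and a SLSA_BUILD_LEVEL_3 claim with no binary build verification behind it), and the review above on source-provenance.yml (the signer identity must be accepted for main and for semver tags). The Python script below is an added example, not the PR's jq step or dfetch project code. It assembles a VSA predicate in the https://slsa.dev/verification_summary/v1 layout, applies a signer-identity policy using the ref alternation the review suggests for --cert-identity-regex, and lints the result so that a predicate like the one first reviewed is rejected while a predicate whose claims are backed by its inputs passes. The verifier id, policy URI, attestation URI, digests and artifact name are constructed placeholders; the identity string format is the GitHub Actions workflow form of the certificate SAN.

```python
"""Generate and lint a SLSA Verification Summary Attestation (VSA) predicate.

Added example, not the dfetch project's own jq-based step. Field layout
follows https://slsa.dev/verification_summary/v1; digests, URIs and
names below are constructed placeholders.
"""
import json
import re
from datetime import datetime, timezone

VSA_PREDICATE_TYPE = "https://slsa.dev/verification_summary/v1"
BUILD_PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"

# Assumed signer policy for the source archive: the repository's own
# source-provenance workflow, run from main or from a semver tag. The ref
# alternation is the one the review suggests for --cert-identity-regex.
SOURCE_SIGNER_RE = re.compile(
    r"^https://github\.com/dfetch-org/dfetch/\.github/workflows/source-provenance\.yml"
    r"@(refs/heads/main|refs/tags/[0-9]+\.[0-9]+\.[0-9]+)$"
)


def identity_allowed(identity: str) -> bool:
    """True when the signing certificate identity satisfies the policy."""
    return SOURCE_SIGNER_RE.match(identity) is not None


# Constructed record of the attestation the build job already verified with
# `gh attestation verify`: where the bundle is, what it covers, who signed it.
SOURCE_ATTESTATION = {
    "uri": "https://github.com/dfetch-org/dfetch/attestations/EXAMPLE-ID",  # placeholder
    "digest": {"sha256": "11" * 32},           # placeholder digest of the bundle
    "predicate_type": BUILD_PROVENANCE_TYPE,   # provenance over source.tar.gz
    "subject_digest": {"sha256": "aa" * 32},   # placeholder digest of source.tar.gz
    "signer_identity": "https://github.com/dfetch-org/dfetch/.github/workflows/"
                       "source-provenance.yml@refs/heads/main",
}

# Constructed binary subject the VSA is attached to (placeholder name/URI).
DEB_SUBJECT = {
    "name": "dfetch-EXAMPLE-amd64.deb",
    "uri": "https://github.com/dfetch-org/dfetch/releases/download/EXAMPLE/dfetch-EXAMPLE-amd64.deb",
    "digest": {"sha256": "bb" * 32},
}


def build_vsa_predicate(subject, inputs, verified_levels, *, verifier_id, policy_uri, now=None):
    """Assemble the predicate. verified_levels must list only levels that the
    given inputs actually establish for this subject."""
    passed = bool(inputs) and all(identity_allowed(i["signer_identity"]) for i in inputs)
    when = now or datetime.now(timezone.utc)
    return {
        "verifier": {"id": verifier_id},
        "timeVerified": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "resourceUri": subject["uri"],
        "policy": {"uri": policy_uri},
        "inputAttestations": [{"uri": i["uri"], "digest": i["digest"]} for i in inputs],
        "verificationResult": "PASSED" if passed else "FAILED",
        "verifiedLevels": list(verified_levels) if passed else [],
        "slsaVersion": "1.0",
    }


def lint_vsa_predicate(predicate, subject, inputs):
    """Return consistency findings; an empty list means every claim is backed."""
    findings = []
    if predicate["resourceUri"] != subject["uri"]:
        findings.append("resourceUri does not name the attested subject "
                        f"({predicate['resourceUri']} vs {subject['uri']})")
    build_inputs = [i for i in inputs
                    if i["predicate_type"] == BUILD_PROVENANCE_TYPE
                    and i["subject_digest"] == subject["digest"]]
    if any(lvl.startswith("SLSA_BUILD_LEVEL_") for lvl in predicate["verifiedLevels"]) \
            and not build_inputs:
        findings.append("verifiedLevels claims a SLSA build level, but no build-provenance "
                        "attestation over this subject was among the verified inputs")
    if predicate["verificationResult"] == "PASSED" and not predicate["inputAttestations"]:
        findings.append("verificationResult is PASSED with no inputAttestations")
    for i in inputs:
        if not identity_allowed(i["signer_identity"]):
            findings.append(f"input attestation signed by disallowed identity {i['signer_identity']}")
    return findings


def to_statement_json(subject, predicate):
    """Wrap the predicate in the in-toto statement shape that ends up signed."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": subject["name"], "digest": subject["digest"]}],
        "predicateType": VSA_PREDICATE_TYPE,
        "predicate": predicate,
    }
    return json.dumps(statement, indent=2, sort_keys=True)


def demo():
    """Lint the predicate as first reviewed, then the corrected one."""
    common = dict(
        verifier_id="https://github.com/dfetch-org/dfetch/.github/workflows/build.yml",  # assumed
        policy_uri="https://example.invalid/policy/source-provenance",  # placeholder
        now=datetime(2026, 5, 13, tzinfo=timezone.utc),
    )
    corrected = build_vsa_predicate(DEB_SUBJECT, [SOURCE_ATTESTATION], [], **common)
    # As first reviewed: resourceUri named the git commit and a build level
    # was claimed although only the source archive's provenance was verified.
    as_reviewed = dict(corrected,
                       resourceUri="git+https://github.com/dfetch-org/dfetch@" + "c" * 40,  # placeholder
                       verifiedLevels=["SLSA_BUILD_LEVEL_3"])
    return (lint_vsa_predicate(as_reviewed, DEB_SUBJECT, [SOURCE_ATTESTATION]),
            lint_vsa_predicate(corrected, DEB_SUBJECT, [SOURCE_ATTESTATION]))


if __name__ == "__main__":
    reviewed_findings, corrected_findings = demo()
    print("as reviewed:", *reviewed_findings, sep="\n  ")
    print("corrected:", corrected_findings)
```

The corrected predicate keeps verifiedLevels empty on purpose: verifying the source archive's provenance says nothing about how the .deb was built, so a build level may only appear once a build-provenance attestation over that binary is among the verified inputs. Downstream consumers read verifiedLevels as a claim by the verifier, which is why the lint treats an unbacked level as an error rather than a warning.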
@spoorcc spoorcc force-pushed the claude/add-slsa-provenance-vsa-hXTNK branch from f28f480 to e0c71a3 Compare May 13, 2026 19:29
spoorcc (Contributor, Author) commented May 13, 2026

@coderabbitai review

coderabbitai Bot (Contributor) commented May 13, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot (Contributor) left a review

Actionable comments posted: 1


Inline comments:
In @.github/workflows/source-provenance.yml:
- Line 6: The tags trigger is using a regex-like string '[0-9]+.[0-9]+.[0-9]+'
under the tags key which GitHub Actions expects glob patterns; replace that
pattern with a glob such as '*.*.*' (or 'v*.*.*' if your tags include a leading
"v") so semver tags like 1.2.3 will match, update the tags entry accordingly,
and commit the change.

Review info: configuration .coderabbit.yaml, review profile ASSERTIVE, plan Pro, run ID 34bbfa9f-a0cb-44c0-bcef-593e2117eed5.

Commits: reviewing files that changed from the base of the PR and between f28f480 and e0c71a3.

Files selected for processing (4):
  • .github/workflows/build.yml
  • .github/workflows/ci.yml
  • .github/workflows/source-provenance.yml
  • doc/tutorials/installation.rst

New source-provenance.yml workflow runs on push to main, creates a
deterministic git archive, and attests it with SLSA build provenance.
@spoorcc spoorcc force-pushed the claude/add-slsa-provenance-vsa-hXTNK branch from e0c71a3 to 6bca1b7 Compare May 13, 2026 20:19
@spoorcc spoorcc merged commit ade9f9d into main May 13, 2026
36 checks passed
@spoorcc spoorcc deleted the claude/add-slsa-provenance-vsa-hXTNK branch May 13, 2026 20:24
@coderabbitai coderabbitai Bot mentioned this pull request May 13, 2026