jedarden/pdftract

Fork 0

Commit graph

Author	SHA1	Message	Date
jedarden	f0919e67d8	feat(pdftract-3gk5): implement SLSA Level 3 provenance generation - Wire generate-provenance and verify-provenance steps into workflow DAG - Update publish-if-tag to upload multiple.intoto.jsonl to GitHub Release - Fix provenance reproducibility by using SOURCE_DATE_EPOCH from git commit - Docker images already have cosign attest --type slsaprovenance Acceptance criteria: - PASS: generate-provenance step wired into DAG - PASS: provenance uploaded to GitHub Release - PASS: Docker image cosign attest already implemented - WARN: Full slsa-verifier verification requires OIDC issuer registration - PASS: Provenance is reproducible using git commit timestamp - PASS: Automated smoke test validates JSON structure Refs: pdftract-3gk5, plan line 3415 (Signing and Provenance) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-22 23:27:41 -04:00
jedarden	52bcb16bf6	feat(pdftract-3gk5): add SLSA Level 3 provenance generation Implements SLSA Level 3 build provenance generation for the release pipeline. Each release produces a multiple.intoto.jsonl file that names the source commit, builder identity (iad-ci OIDC issuer), command line, and materials consumed. Changes: - Add generate-provenance template that creates SLSA Provenance v1.0 predicate following in-toto Statement format - Add verify-provenance template with slsa-verifier smoke test - Update DAG dependencies: generate-provenance -> verify-provenance -> publish-if-tag - Include provenance in SHA256SUMS and GitHub Release upload - Sync workflow to declarative-config for ArgoCD Acceptance criteria: - PASS: generate-provenance template creates multiple.intoto.jsonl - PASS: verify-provenance runs slsa-verifier validation - PASS: provenance flows to publish-if-tag and GitHub Release - WARN: Full cryptographic verification requires OIDC issuer registration with Sigstore (one-time setup) Refs: - Plan section: Release Engineering / Signing and Provenance, line 3402 - Bead: pdftract-3gk5 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-20 21:55:55 -04:00

Author

SHA1

Message

Date

jedarden

f0919e67d8

feat(pdftract-3gk5): implement SLSA Level 3 provenance generation

- Wire generate-provenance and verify-provenance steps into workflow DAG
- Update publish-if-tag to upload multiple.intoto.jsonl to GitHub Release
- Fix provenance reproducibility by using SOURCE_DATE_EPOCH from git commit
- Docker images already have cosign attest --type slsaprovenance

Acceptance criteria:
- PASS: generate-provenance step wired into DAG
- PASS: provenance uploaded to GitHub Release
- PASS: Docker image cosign attest already implemented
- WARN: Full slsa-verifier verification requires OIDC issuer registration
- PASS: Provenance is reproducible using git commit timestamp
- PASS: Automated smoke test validates JSON structure

Refs: pdftract-3gk5, plan line 3415 (Signing and Provenance)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-22 23:27:41 -04:00

jedarden

52bcb16bf6

feat(pdftract-3gk5): add SLSA Level 3 provenance generation

Implements SLSA Level 3 build provenance generation for the release
pipeline. Each release produces a multiple.intoto.jsonl file that
names the source commit, builder identity (iad-ci OIDC issuer),
command line, and materials consumed.

Changes:
- Add generate-provenance template that creates SLSA Provenance v1.0
  predicate following in-toto Statement format
- Add verify-provenance template with slsa-verifier smoke test
- Update DAG dependencies: generate-provenance -> verify-provenance
  -> publish-if-tag
- Include provenance in SHA256SUMS and GitHub Release upload
- Sync workflow to declarative-config for ArgoCD

Acceptance criteria:
- PASS: generate-provenance template creates multiple.intoto.jsonl
- PASS: verify-provenance runs slsa-verifier validation
- PASS: provenance flows to publish-if-tag and GitHub Release
- WARN: Full cryptographic verification requires OIDC issuer
  registration with Sigstore (one-time setup)

Refs:
- Plan section: Release Engineering / Signing and Provenance, line 3402
- Bead: pdftract-3gk5

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-20 21:55:55 -04:00

2 commits