Description
We have received funding from the OpenSSF TI fund to update the SLSA Build Track tooling. Over the next few quarters, @puerco will be working on updating the slsa-github-generator and slsa-verifier tooling. The goals of this initiative are to identify areas for improvement, make the tooling more maintainable, leverage existing tooling for core features (for example, using GitHub's artifact attestations for slsa-github-generator), and make the tooling more extensible (for example, support the source track and future tracks in slsa-verifier).
For slsa-github-generator, the current proposal is to provide SLSA Build L3-compliant reusable workflows, leveraging GitHub's Artifact Attestations feature. As the first phase of this work, we will identify if there are any other features that cannot be implemented using Artifact Attestations and determine what should be deprecated or continue to be supported.
Let us know if you have any questions!