SLSA 2 Compliance #3442

@upodroid

Description

https://slsa.dev/spec/v0.1/requirements

In addition to #3440, we need to meet the following for SLSA 2:

Source:

  • Version controlled: Every change to the source is tracked in a version control system that meets the following requirements:
    • [Change history] There exists a record of the history of changes that went into the revision. Each change must contain: the identities of the uploader and reviewers (if any), timestamps of the reviews (if any) and submission, the change description/justification, the content of the change, and the parent revisions.
    • [Immutable reference] There exists a way to indefinitely reference this particular, immutable revision. In git, this is the {repo URL + branch/tag/ref + commit ID}.

Build:

  • Build Service: All build steps ran using some build service, not on a developer’s workstation.

Provenance:

  • Authenticated: The provenance’s authenticity and integrity can be verified by the consumer. This SHOULD be through a digital signature from a private key accessible only to the service generating the provenance.
  • Service Generated: The data in the provenance MUST be obtained from the build service (either because the generator is the build service or because the provenance generator reads the data directly from the build service).
  • Identifies source code: The provenance identifies the repository origin(s) for the source code used in the build.

/kind security
/priority important-soon
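An added example, not part of this issue or the project's code, showing how a consumer could check the "Service Generated", "Identifies source code" and immutable-reference requirements listed above against an in-toto statement carrying a SLSA v0.1 provenance predicate. The builder allowlist, repository, and digests are constructed values; verifying the signature on the DSSE envelope ("Authenticated") is assumed to happen before this check runs.

```python
import re
# Real identifiers from the in-toto Statement and SLSA provenance v0.1 specs.
STATEMENT_V01 = "https://in-toto.io/Statement/v0.1"
SLSA_V01 = "https://slsa.dev/provenance/v0.1"
# Constructed allowlist of build services whose provenance we accept.
TRUSTED_BUILDERS = {"https://github.com/Attestations/GitHubHostedActions@v1"}
# SLSA v0.1 material URI for git sources: git+<repo URL>@<branch/tag/ref>
GIT_URI = re.compile(r"^git\+(?P<repo>https://[^@\s]+)@(?P<ref>\S+)$")
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def check_provenance(statement: dict, expected_repo: str) -> dict:
    """Check the SLSA 2 provenance requirements visible in the statement body.
    Returns {"ok": True, "repo", "ref", "commit"} (the immutable reference) or
    {"ok": False, "reason": ...}. Assumes the DSSE envelope signature
    ("Authenticated") was verified before this is called."""
    if statement.get("_type") != STATEMENT_V01 or statement.get("predicateType") != SLSA_V01:
        return {"ok": False, "reason": "not a SLSA v0.1 provenance statement"}
    pred = statement.get("predicate", {})
    # Service Generated: the builder must be a known build service, not a workstation.
    builder = pred.get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        return {"ok": False, "reason": f"untrusted builder id: {builder!r}"}
    # Identifies source code: some material must name the expected repository.
    for material in pred.get("materials", []):
        m = GIT_URI.match(material.get("uri", ""))
        if not m or m.group("repo") != expected_repo:
            continue
        commit = material.get("digest", {}).get("sha1", "")
        if not SHA1_HEX.match(commit):
            return {"ok": False, "reason": "source material lacks a full sha1 commit digest"}
        # Immutable reference: repo URL + ref + commit ID, as the SLSA text requires.
        return {"ok": True, "repo": m.group("repo"), "ref": m.group("ref"), "commit": commit}
    return {"ok": False, "reason": f"provenance does not identify {expected_repo}"}


# Constructed sample statements; every value below is made up for illustration.
GOOD = {
    "_type": STATEMENT_V01, "predicateType": SLSA_V01,
    "subject": [{"name": "example-binary", "digest": {"sha256": "ab" * 32}}],
    "predicate": {
        "builder": {"id": "https://github.com/Attestations/GitHubHostedActions@v1"},
        "materials": [{"uri": "git+https://github.com/example/repo@refs/heads/main",
                       "digest": {"sha1": "cd" * 20}}],
    },
}
# Same build but claimed by a developer workstation: fails "Service Generated".
WORKSTATION = {**GOOD, "predicate": {**GOOD["predicate"], "builder": {"id": "file:///home/dev"}}}

if __name__ == "__main__":
    print(check_provenance(GOOD, "https://github.com/example/repo"))
```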

Labels

  • kind/security: Issues or PRs related to security or CVEs.
  • lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
  • priority/important-soon: Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
