build(build): replace SLSA attestation with actions/attest#332

Open
WilliamBerryiii wants to merge 5 commits into main from build/issue-100-replace-slsa-with-actions-attest

Conversation

@WilliamBerryiii
Member

Replaced the slsa-framework/slsa-github-generator reusable workflow with GitHub Actions native attestation tools in the documentation deployment pipeline. The new attestation job uses actions/attest-build-provenance for build provenance and anchore/sbom-action paired with actions/attest for SBOM generation and attestation. This removes the tag-based pinning exception that SLSA required and brings all attestation actions under SHA-pinned compliance.

Description

Workflow Attestation Replacement

The pages-deploy.yml workflow's slsa-attestation job was replaced with a new attest-documentation job. The new job downloads the build artifact, attests build provenance via actions/attest-build-provenance@v2.3.0, then performs a sparse checkout of .syft.yaml to generate an SPDX 2.3 SBOM through anchore/sbom-action@v0.20.0, and attests the SBOM with actions/attest@v2.3.0. The complex base64-encoded hash generation step previously required by the SLSA generator was removed entirely. The deploy job dependency was updated from [build, slsa-attestation] to [build, attest-documentation], and the attestation job remains gated to production deployments only.

Permission and Security Policy Updates

Added attestations: write permission in both main.yml (caller workflow) and pages-deploy.yml (called workflow) to support the new attestation actions. Removed the SLSA exception section from ACTIONS-SECURITY.md since tag-based pinning is no longer needed, and simplified the compliance verification grep by removing the slsa-framework exclusion.

New Configuration and SHA Pinning

Added .syft.yaml configuring Syft for SPDX 2.3 JSON output with four catalogers (javascript, python, go, rust-cargo), sha256 digests, and a 1 MB file-size skip threshold. Registered SHA pins in Update-ActionSHAPinning.ps1 for all three new actions: actions/attest@v2 (v2.3.0), actions/attest-build-provenance@v2 (v2.3.0), and anchore/sbom-action@v0 (v0.20.0).

Related Issue

Related to #100

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Blueprint modification or addition
  • Component modification or addition
  • Documentation update
  • CI/CD pipeline change
  • Other (please describe):

Implementation Details

Replaced the SLSA reusable workflow approach with three discrete GitHub Actions that run as steps within a single job:

  1. Build provenance attestation: actions/attest-build-provenance@v2.3.0 attests the downloaded documentation artifact directly, removing the need for base64-encoded hash computation.
  2. SBOM generation: anchore/sbom-action@v0.20.0 produces an SPDX 2.3 JSON SBOM guided by .syft.yaml, which specifies catalogers for the project's four language ecosystems.
  3. SBOM attestation: actions/attest@v2.3.0 attests the generated SBOM as a secondary attestation artifact.

The sparse checkout of .syft.yaml in the attestation job minimizes the checkout footprint. All new actions are SHA-pinned in Update-ActionSHAPinning.ps1 and the actions/checkout step reuses the same SHA pin (v6.0.2) already present in the build job.

Testing Performed

  • Terraform plan/apply
  • Blueprint deployment test
  • Unit tests
  • Integration tests
  • Bug fix includes regression test (see Test Policy)
  • Manual validation
  • Other:

Validation Steps

  1. Verify no orphaned SLSA references remain: grep -r "slsa" .github/
  2. Confirm all new action SHAs in workflow files match entries in scripts/security/Update-ActionSHAPinning.ps1
  3. Confirm attestations: write permission is present in both main.yml and pages-deploy.yml
  4. Verify .syft.yaml catalogers cover the project's language ecosystems (JavaScript, Python, Go, Rust)

Checklist

  • I have updated the documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have run terraform fmt on all Terraform code
  • I have run terraform validate on all Terraform code
  • I have run az bicep format on all Bicep code
  • I have run az bicep build to validate all Bicep code
  • I have checked for any sensitive data/tokens that should not be committed
  • I have run MegaLinter on my code (mega-linter-runner)

Additional Notes

  • Terraform and Bicep checklist items are not applicable — this PR modifies only CI/CD workflows, security documentation, and configuration files.
  • The SLSA exception removal from ACTIONS-SECURITY.md simplifies future compliance verification since all actions are now SHA-pinned uniformly.

Screenshots (if applicable)

N/A

- replace slsa-framework/slsa-github-generator with actions/attest-build-provenance and anchore/sbom-action in pages-deploy.yml
- add attestations:write permission to pages-deploy.yml and main.yml
- add .syft.yaml for SPDX 2.3 SBOM generation via Syft
- update ACTIONS-SECURITY.md to remove SLSA exception
- register new action SHAs in Update-ActionSHAPinning.ps1

🔐 - Generated by Copilot
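The compliance check the description refers to (every `uses:` reference pinned to a full commit SHA, with no slsa-framework exclusion left in the grep), as an added shell example that is not the project's Update-ActionSHAPinning.ps1 or its own verification grep. The workflow excerpt is constructed inline and the SHA values in it are placeholders, not the project's real pins.

```shell
#!/usr/bin/env bash
# Constructed sample workflow excerpt: one action pinned to a full commit SHA
# with a version comment, one still on a mutable tag, one SLSA reusable
# workflow on a tag (the exception this PR removes), and one local action.
# The SHA is a placeholder, not a real pin.
SAMPLE_WORKFLOW='
jobs:
  attest-documentation:
    steps:
      - uses: actions/attest-build-provenance@0123456789abcdef0123456789abcdef01234567 # v2.3.0
      - uses: anchore/sbom-action@v0.20.0
      - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
      - uses: ./.github/actions/local-action
'

# Print every `uses:` reference that is not pinned to a 40-hex commit SHA.
# Local (./) and docker:// references are skipped. There is deliberately no
# slsa-framework exclusion, so a tag-pinned SLSA workflow is reported too.
unpinned_uses() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*-*[[:space:]]*uses:[[:space:]]*//p' \
    | sed 's/[[:space:]]*#.*$//' \
    | grep -v -e '^\./' -e '^docker://' \
    | grep -v -E '@[0-9a-f]{40}$' || true
}

# Exit status usable as a CI gate: 0 only when every reference is SHA-pinned.
check_pinning() {
  [ -z "$(unpinned_uses "$1")" ]
}

unpinned_uses "$SAMPLE_WORKFLOW"
if check_pinning "$SAMPLE_WORKFLOW"; then
  echo "all actions SHA-pinned"
else
  echo "unpinned actions found"
fi
```

Run it against real files with `unpinned_uses "$(cat .github/workflows/pages-deploy.yml)"`; a non-empty result lists exactly the references that still need a SHA pin.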
@WilliamBerryiii WilliamBerryiii requested a review from a team as a code owner March 30, 2026 22:18
Collaborator

@katriendg katriendg left a comment

Minor comment, also did I see correctly that the application matrix build workflow is mentioned in the original issue and not updated (still uses SLSA), but addressed in a subsequent issue?
