Attested Delivery
Every artifact provably identical to what was validated. No exceptions.
The core invariant
An artifact reaches consumers only if it is byte-identical to what was validated, carries re-verifiable attestations (SLSA provenance, cosign signature, SBOM, vulnerability report), and its publication is gated fail-closed on successful verification of those attestations.
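As an added illustration of this invariant (example code, not this project's own), a minimal fail-closed promotion gate in Python: it recomputes the artifact digest, requires each of the four attestation kinds to be present and bound to that exact digest, and denies publication on any failure. The HMAC stand-in for a signature, the `make_attestation` helper and the dict layout of an attestation are assumptions so the example runs offline; a real gate would re-verify cosign/Sigstore bundles instead.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# The four attestation kinds the invariant names; all must be present and re-verify.
REQUIRED = ("slsa-provenance", "cosign-signature", "sbom", "vuln-report")

@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)

def digest_of(artifact: bytes) -> str:
    return "sha256:" + hashlib.sha256(artifact).hexdigest()

def make_attestation(att_type: str, subject: str, key: bytes) -> dict:
    # Constructed stand-in for a signed statement: an HMAC binds type+subject to the key.
    mac = hmac.new(key, f"{att_type}|{subject}".encode(), "sha256").hexdigest()
    return {"type": att_type, "subject": subject, "sig": mac}

def reverify(att: dict, subject: str, key: bytes) -> bool:
    """True only if the attestation is bound to this exact digest and its MAC checks.
    Malformed input is a failure, never an exception a caller might swallow."""
    try:
        if att["subject"] != subject:
            return False
        expected = hmac.new(key, f"{att['type']}|{subject}".encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, att["sig"])
    except (KeyError, TypeError, AttributeError):
        return False

def promotion_gate(artifact: bytes, validated_digest: str, attestations: list, key: bytes) -> Verdict:
    """Fail-closed gate: allowed=True only when every check passes; reasons list every failure."""
    reasons = []
    actual = digest_of(artifact)
    if actual != validated_digest:  # digest identity: byte-identical to what was validated, or nothing
        reasons.append(f"digest mismatch: validated {validated_digest}, got {actual}")
    by_type = {a.get("type"): a for a in attestations if isinstance(a, dict)}
    for kind in REQUIRED:  # every attestation must be present and re-verify against the validated digest
        att = by_type.get(kind)
        if att is None:
            reasons.append(f"missing attestation: {kind}")
        elif not reverify(att, validated_digest, key):
            reasons.append(f"attestation does not re-verify: {kind}")
    return Verdict(allowed=not reasons, reasons=reasons)
```

A rebuilt artifact (even one byte different) or an attestation issued for another digest is denied with an explicit reason, which is the behaviour a fail-closed gate should log and alert on.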
What you will find here
- Concepts — ten focused articles on the design decisions behind attested delivery: digest identity, GitHub Flow, attestation survival across registry hops, admission enforcement, SLSA levels, SBOMs, supply-chain hazards, DORA, AI provenance, and pipeline observability.
- Specifications — formal specs for the promotion pipeline, interface contracts, production readiness gates, and GitHub-native quality gates.
- Architecture Decisions — eight ADRs recording the rationale behind every significant technical choice, from digest promotion to security tooling pins.