Supply chain security

[tupui]

What problem does your feature solve?

Linked to some discussions about supply chain https://github.com/orgs/stellar/discussions/1923. Compliance with SLSA Level 4 on source, build, provenance and distribution should be a target for all major repos distributing software. Unless I missed something, I think there are some things to do here.

What would you like to see?

Some easy lifts outlined below.

Source & build:

• GitHub workflow auditing https://github.com/zizmorcore/zizmor
• Enforce 2 approvals on releases using a dedicated env which must not have any caching, must pin using hashes, etc.

Provenance:

• https://github.com/actions/attest-build-provenance
• https://github.com/slsa-framework/slsa-github-generator

Distribution:

• https://crates.io/docs/trusted-publishing
• https://github.com/rust-lang/crates-io-auth-action

SBOM:

• https://github.com/aquasecurity/trivy generate both cycloneDX and spdx formats
• https://github.com/anchore/grype for automated analysis which can use the SBOMs

What alternatives are there?

Not an option IMO.