Align with SLSA3+ for verifiable provenance

[achrinza]

see: https://github.com/slsa-framework/slsa-github-generator/blob/3d27f18a67e12a251517ca9af35771a93da39526/internal/builders/generic/README.md
see: https://security.googleblog.com/2022/04/improving-software-supply-chain.html

[achrinza]

There are three ways to achieve SLSA levels of assurance:

Method	SLSA Security Level	SLSA Provenance Statement Version	Accepted by NPM Registry?	Status
Standalone npm provenance	Build L2	v1.0	Yes	Stable
SLSA Node.js Builder	Build L3	v0.2	Yes	Beta
GitHub Artifact Attestation	Build L2	???	???	???

SLSA Build L2 vs L3

SLSA Build L2 only guarantees the authenticity of subject of the provenance document - This means that we can only guarantee that the provenance was created within a Github-hosted runner, but we can't guarantee that the contents of the provenance is accurate. This meaans that L2 is useful for preventing post-build tamper, but not during-build tamper.

SLSA Build L3 extends L2 by enforcing during-build tamper through a security boundary. This makes the provenance unforgeable.

Standalone npm provenance

#TODO

SLSA Node.js Builder

This is an "official" builder which is builds on the BYOB framework.

Limitations

• [feature][nodejs] Cache node dependencies slsa-framework/slsa-github-generator#1679
• [feature][nodejs] SLSA v1.0 support slsa-framework/slsa-github-generator#2499
• Feature: only accept reusable workflow pinned by version slsa-framework/slsa-verifier#12
  see also: https://github.com/slsa-framework/slsa-github-generator/blob/9f6e07629b3958792b6a8fc59999d6dc65862f11/RENOVATE.md

GitHub Artifact Attestation

#TODO
see: slsa-framework/slsa-github-generator#3618 (comment)

General Limitations

• Pending release: GitHub Actions Immutable Actions
  see: https://github.com/orgs/community/discussions/123969
  see: https://github.com/orgs/community/discussions/138249