Supply-Chain Hardening: SLSA-Aligned Build Pipeline for an Apache Project

Free · Verified credential · 4 weeks · Advanced

Overview

What this challenge is about.

Audit the project's current release pipeline (GitHub Actions, release script). Map the current state against the SLSA v1.0 requirements (source, build, provenance, dependencies).

Implement: hermetic builds (vendored deps, pinned toolchain), provenance attestations via slsa-github-generator, Sigstore-signed artifacts, two-person review on release PRs, and an SBOM published with each release.

Deliver: a 12-page hardening plan with a target SLSA level, GitHub Actions workflow changes (PR-ready), a 6-page maintainer operator runbook covering provenance verification and key rotation, and an Apache-style announcement draft for the project's mailing list.

Credential: Blockchain-anchored
Shareable: LinkedIn-ready
Language: English
Pace: Self-paced

The Brief

What you'll do, and what you'll demonstrate.

Harden an Apache project's release pipeline to SLSA level 3 alignment with Sigstore-signed artifacts and provenance attestations.

Earning criteria — what you'll demonstrate

  • Map a release pipeline against SLSA v1.0 requirements
  • Implement Sigstore signing and provenance attestations end-to-end
  • Design a two-person release process that maintainers will honor
  • Communicate a supply-chain change to an Apache community on its terms

Program Fit

Where this fits in your program.

Sharpens the same skills your degree expects you to demonstrate.

Skills

Skills you'll demonstrate.

Each one shows up on your verified credential.

Careers

Roles this prepares you for.

Real titles. Real skill bridges. Pick the one closest to your trajectory.

Career mappings coming soon.

One more thing

You can put a credential on your CV by Friday.
