OSSF Silver Criterion
documentation_security (SHOULD) — The project SHOULD document how consumers can verify the integrity and provenance of released artifacts.
Description
Create a docs/security/ directory with consumer-facing documentation covering attestation verification, SBOM inspection, tag signature verification, and a security overview index. This is the capstone documentation deliverable for the v2.8.0 supply chain security milestone — it makes attestation and signing capabilities discoverable and usable by downstream consumers.
Acceptance Criteria
Cross-Repo Alignment
- hve-core: Has
docs/security/ with attestation verification guide — use as reference template
- physical-ai-toolchain: Consumer verification documented inline in release notes — this issue formalizes that pattern
Dependencies
OSSF Silver Criterion
documentation_security(SHOULD) — The project SHOULD document how consumers can verify the integrity and provenance of released artifacts.Description
Create a
docs/security/directory with consumer-facing documentation covering attestation verification, SBOM inspection, tag signature verification, and a security overview index. This is the capstone documentation deliverable for the v2.8.0 supply chain security milestone — it makes attestation and signing capabilities discoverable and usable by downstream consumers.Acceptance Criteria
docs/security/README.mdcreated with security overview and verification indexdocs/security/attestation-verification.md— how to verify build provenance withgh attestation verifydocs/security/sbom-verification.md— how to inspect SPDX-JSON SBOMs generated byanchore/sbom-actiondocs/security/tag-signature-verification.md— how to verify gitsign-signed release tagsdocs/security/container-verification.md— how to verify container image attestationsSECURITY.mdenhanced with "What Gets Signed" attestation summary (reference: hve-core pattern)Cross-Repo Alignment
docs/security/with attestation verification guide — use as reference templateDependencies