Record attestations

[andrew]

note: This is a bit of a placeholder issue right now as I need to do more research in this space.

Multiple package managers now support trusted publishing and are generating attestations and making them available via APIs, we can record them against packages/versions.

There's also attestations in GitHub and GitLab at a repository level that we can store too, which will be a feature in https://github.com/ecosyste-ms/repos/

Will expand on this issue soon.

[sivanahamer]

Hi! Adding info on some ecosystems that have added attestations (that I know of for the moment):

• GitHub: https://docs.github.com/en/actions/concepts/security/artifact-attestations
• npm: https://docs.npmjs.com/generating-provenance-statements
• PyPi: https://docs.pypi.org/attestations/producing-attestations/
• Docker: https://docs.docker.com/build/metadata/attestations/

I also know that deps.dev tracks attestations for some package managers. Additionally, for what needs to be stored, ideally, we would be able to collect/recreate Sigstore Bundles (https://docs.sigstore.dev/about/bundle/) that contain both provenance (who signed what and when) + attestation predicate (details of what is being signed).