
Document GitLab SLSA provenance, link from buildType

Why are we doing this work

The GitLab Runner can generate SLSA 1.0 provenance statements, and the format of those statements is currently documented as the Provenance Metadata Format. However, that documentation is incomplete, and it is not correctly referenced from the buildType field of the provenance.

See https://slsa.dev/spec/v1.0/provenance#builddefinition

buildType

Identifies the template for how to perform the build and interpret the parameters and dependencies.

The URI SHOULD resolve to a human-readable specification that includes: overall description of the build type; schema for externalParameters and internalParameters; unambiguous instructions for how to initiate the build given this BuildDefinition, and a complete example. Example: https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1

Further details

See https://docs.gitlab.com/ci/runners/configure_runners/#provenance-metadata-format

Field: predicate.buildDefinition.buildType
Value: https://gitlab.com/gitlab-org/gitlab-runner/-/blob/{GITLAB_RUNNER_VERSION}/PROVENANCE.md, where {GITLAB_RUNNER_VERSION} is the runner version, for example v15.0.0

PROVENANCE.md doesn't document any of the provenance fields. It also still claims that SLSA v0.2 is supported, which is no longer the case.
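As an added example (not GitLab's or the runner's own code), the Python below parses an in-toto statement, confirms the predicate is SLSA 1.0, and checks that buildType follows the documented {GITLAB_RUNNER_VERSION} template. Both sample statements, their digests and the runner versions in them are constructed.

```python
import json
import re

SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"
# The documented template, with {GITLAB_RUNNER_VERSION} turned into a capture group.
BUILD_TYPE_RE = re.compile(
    r"^https://gitlab\.com/gitlab-org/gitlab-runner/-/blob/(v\d+\.\d+\.\d+)/PROVENANCE\.md$"
)

# Constructed SLSA 1.0 statement in the documented shape; runner version and digest are made up.
SAMPLE_V1_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "ab" * 32}}],
    "predicateType": SLSA_V1_PREDICATE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://gitlab.com/gitlab-org/gitlab-runner/-/blob/v17.0.0/PROVENANCE.md",
            "externalParameters": {"workflow": "build"},
        },
    },
})

# Constructed statement in the older v0.2 layout, where buildType sits directly under predicate.
SAMPLE_V02_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "ab" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "predicate": {
        "buildType": "https://gitlab.com/gitlab-org/gitlab-runner/-/blob/v15.0.0/PROVENANCE.md",
        "builder": {"id": "https://gitlab.com/gitlab-org/gitlab-runner"},
    },
})


def check_provenance(raw: str) -> dict:
    """Parse a statement and report the runner version its buildType points at, plus problems."""
    stmt = json.loads(raw)
    problems = []
    predicate_type = stmt.get("predicateType")
    if predicate_type != SLSA_V1_PREDICATE:
        problems.append(f"predicateType is {predicate_type!r}, expected SLSA 1.0")
    build_def = stmt.get("predicate", {}).get("buildDefinition", {})
    build_type = build_def.get("buildType", "")
    match = BUILD_TYPE_RE.match(build_type)
    if match is None:
        problems.append(f"buildType {build_type!r} does not follow the documented template")
    if "externalParameters" not in build_def:
        problems.append("buildDefinition has no externalParameters")
    return {"runner_version": match.group(1) if match else None, "problems": problems}
```

A v0.2-layout statement is reported with both a predicateType problem and a missing buildDefinition, which is the case the runner no longer supports.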

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

  • Publish a page that identifies the template for how to perform the build and interpret the parameters and dependencies.
  • Set the buildType field of the provenance statement so that it links to that page.

Verification steps

Edited by Sam Roque-Worcel