Supply chain Layers for Software Artifacts (SLSA) is a framework of tools to generate and verify provenance for software artifacts. In the Python ecosystem there are two main types of software artifacts: wheels and source distributions.
NOTE: This article primarily covers Python projects which are hosted on GitHub. The SLSA framework works out of the box with GitHub Actions and GitHub OpenID Connect with minimal configuration. You can use the SLSA framework without GitHub, but doing so will potentially require more configuration.
Below is what the end-to-end workflow looks like for both maintainers and users, going from building the distributions, creating a provenance attestation, publishing to PyPI, and installing a wheel after verifying its provenance. Let's walk through each step together!
If you're curious about terminology or processes for Python packaging the Python Packaging User Guide is the definitive place to learn more.
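The workflow above binds a provenance attestation to the wheel and sdist by their SHA-256 digests, and verification on the install side only means something if the downloaded file's digest is checked against that subject list. The following is an added example written for this article, not code from the SLSA project or its generators: it builds the `sha256sum`-style subject list that the generic SLSA generator for GitHub Actions accepts (base64-encoded), wraps it in a minimal, unsigned in-toto statement, and checks an artifact against the statement's subjects. The filenames, artifact bytes and builder ID are constructed placeholders; signature verification of the attestation itself (which `slsa-verifier` performs against Sigstore) is deliberately out of scope here.

```python
"""Added example: digest-subject checks around SLSA provenance for Python artifacts.

Illustrative code written for this article, not the SLSA project's own tooling.
It shows two things the workflow outline relies on:
  1. producing the list of (sha256, filename) subjects for a wheel and sdist,
     which is what a provenance attestation is bound to; and
  2. checking, at install time, that a downloaded artifact's digest appears in
     a provenance statement's `subject` list.
Signature verification of the attestation is NOT done here; in practice that
step is performed by a tool such as slsa-verifier against Sigstore.
"""
import base64
import hashlib

# Type URIs for the in-toto Statement envelope and the SLSA v0.2 predicate.
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 of the artifact bytes."""
    return hashlib.sha256(data).hexdigest()


def build_subjects(artifacts: dict) -> list:
    """Map {filename: bytes} to in-toto subject entries, sorted by filename."""
    return [
        {"name": name, "digest": {"sha256": sha256_hex(data)}}
        for name, data in sorted(artifacts.items())
    ]


def subjects_as_sha256sum_b64(subjects: list) -> str:
    """Render subjects as `sha256sum`-style lines and base64-encode the whole text.

    This is the shape ('<hex digest>  <filename>' per line, base64 as a whole)
    that the generic SLSA provenance generator for GitHub Actions consumes.
    """
    lines = "".join(f"{s['digest']['sha256']}  {s['name']}\n" for s in subjects)
    return base64.b64encode(lines.encode()).decode()


def make_statement(subjects: list, builder_id: str) -> dict:
    """Minimal unsigned in-toto statement carrying a SLSA v0.2 predicate.

    A real attestation is produced and signed by the build platform; only the
    subject section is needed for the digest check below.
    """
    return {
        "_type": STATEMENT_TYPE,
        "subject": subjects,
        "predicateType": SLSA_PREDICATE_TYPE,
        "predicate": {"builder": {"id": builder_id}},
    }


def artifact_in_provenance(statement: dict, filename: str, data: bytes) -> bool:
    """True only if a subject with this filename carries this artifact's digest.

    Matching on the name alone is not enough: a tampered wheel keeps its
    filename, so the digest comparison is what ties the file to the build.
    """
    if statement.get("_type") != STATEMENT_TYPE:
        return False
    want = sha256_hex(data)
    for subject in statement.get("subject", []):
        if subject.get("name") == filename and subject.get("digest", {}).get("sha256") == want:
            return True
    return False


# Constructed sample artifacts standing in for a real wheel and sdist.
SAMPLE_ARTIFACTS = {
    "example_pkg-1.0.0-py3-none-any.whl": b"constructed wheel bytes",
    "example_pkg-1.0.0.tar.gz": b"constructed sdist bytes",
}
# Placeholder builder identity; a real one names the build platform's workflow.
SAMPLE_BUILDER_ID = "https://example.invalid/placeholder-builder"

if __name__ == "__main__":
    subjects = build_subjects(SAMPLE_ARTIFACTS)
    print("base64 subjects:", subjects_as_sha256sum_b64(subjects))
    statement = make_statement(subjects, SAMPLE_BUILDER_ID)
    wheel = "example_pkg-1.0.0-py3-none-any.whl"
    print("genuine wheel matches:", artifact_in_provenance(statement, wheel, SAMPLE_ARTIFACTS[wheel]))
    print("tampered wheel matches:", artifact_in_provenance(statement, wheel, b"tampered"))
```

The check is deliberately strict about both name and digest: a statement that lists the right filename with a different digest, or the right digest under a different filename, is rejected, which is the behaviour you want before installing anything from the downloaded distribution.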