[Discussion] UX to enable SLSA provenance generation
Topic to Evaluate
Define a UX for enabling SLSA provenance generation.
Note: Right now Phase 2: Generate provenance statement in contr... (&17702) doesn't assume any particular UX; its implementation relies on feature flags to selectively enable SLSA provenance generation.
Depending on the UX we choose, users might need to configure when SLSA provenance is generated. Possible targets are:
- provenance attestation and/or statement only
- job, pipeline, or entire project
- artifact type
- artifact
It could also apply to all artifacts uploaded by all pipelines of a given project.
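To make the granularity question concrete, here is an added example (not code from this issue or from GitLab) of one way the targets above could be modelled: a list of enablement rules, each at one level (project, pipeline, job, artifact type, artifact), where the most specific matching rule wins and the default stays off. The level names, rule shape, wildcard matching and all project, job and artifact values are constructed assumptions for illustration; the rule set is assumed to be the one already selected for the artifact's project.

```python
"""Hypothetical enablement model for SLSA provenance generation (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Granularities from the discussion, ordered least to most specific (assumed order).
LEVELS = ("project", "pipeline", "job", "artifact_type", "artifact")

# Predicate type string for CycloneDX as registered with in-toto attestations.
CYCLONEDX_BOM = "https://cyclonedx.org/bom"


@dataclass(frozen=True)
class Artifact:
    project: str        # e.g. "group/app" (constructed)
    pipeline: str       # pipeline ref/name the job ran on (constructed)
    job: str            # CI job name (constructed)
    artifact_type: str  # e.g. "archive", "junit" (constructed)
    name: str           # file name as uploaded (constructed)


@dataclass(frozen=True)
class Rule:
    level: str          # one of LEVELS
    match: str          # glob matched against the artifact's value at that level
    enabled: bool       # turn provenance generation on or off at this level
    predicates: tuple = ()  # extra predicate types to emit when enabled (hypothetical)


def value_at(artifact: Artifact, level: str) -> str:
    """Pick the artifact attribute a rule at `level` is matched against."""
    return {
        "project": artifact.project,
        "pipeline": artifact.pipeline,
        "job": artifact.job,
        "artifact_type": artifact.artifact_type,
        "artifact": artifact.name,
    }[level]


def resolve(artifact: Artifact, rules) -> tuple:
    """Return (enabled, extra_predicates) for one uploaded artifact.

    Rules are applied from least to most specific, so a more specific rule
    overrides a broader one; among rules at the same level the later one wins.
    With no matching rule at all, generation stays off (current behaviour).
    """
    enabled = False
    predicates = ()
    for level in LEVELS:
        for rule in rules:
            if rule.level == level and fnmatchcase(value_at(artifact, level), rule.match):
                enabled = rule.enabled
                predicates = rule.predicates if rule.enabled else ()
    return enabled, predicates


# Constructed rule set: project-wide on, test jobs and JUnit reports off,
# but one SBOM artifact opted back in with an extra CycloneDX predicate.
RULES = (
    Rule("project", "group/app", True),
    Rule("job", "test:*", False),
    Rule("artifact_type", "junit", False),
    Rule("artifact", "sbom.cdx.json", True, (CYCLONEDX_BOM,)),
)


if __name__ == "__main__":
    for art in (
        Artifact("group/app", "main", "build", "archive", "app.tar.gz"),
        Artifact("group/app", "main", "test:unit", "junit", "report.xml"),
        Artifact("group/app", "main", "test:unit", "archive", "sbom.cdx.json"),
        Artifact("other/repo", "main", "build", "archive", "app.tar.gz"),
    ):
        print(art.project, art.job, art.name, "->", resolve(art, RULES))
```

The precedence choice (specific overrides broad, default off) is the part a UX has to make visible: a user reading only the project-level switch would otherwise not see why a single artifact was skipped.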
We might also consider whether the UX makes it possible to later enable generation of predicates other than the SLSA provenance predicate, like the CycloneDX predicate. This predicate would be uploaded by the CI/CD job. (This doesn't violate SLSA L3 requirements since it's not the provenance.)
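Two of the options above, "attestation" versus "statement only", and a second predicate type for the same artifact, are easier to compare with the actual document shapes in hand. The following is an added example, not code from this issue or from GitLab: it builds an in-toto Statement carrying a SLSA v1 provenance predicate, wraps it in a DSSE envelope using the DSSE pre-authentication encoding, and builds a sibling statement with a CycloneDX predicate for the same subject. The build type, builder id, invocation id and artifact bytes are constructed; HMAC-SHA256 stands in for the builder's asymmetric signing key, which is an assumption made only to keep the example runnable without extra libraries.

```python
"""Statement vs. attestation for one artifact (added example, HMAC stand-in for signing)."""
import base64
import hashlib
import hmac
import json

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
CYCLONEDX_BOM = "https://cyclonedx.org/bom"
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def subject(name: str, content: bytes) -> dict:
    """In-toto subject: artifact name plus its digest."""
    return {"name": name, "digest": {"sha256": hashlib.sha256(content).hexdigest()}}


def statement(subjects, predicate_type: str, predicate: dict) -> dict:
    """A bare in-toto Statement: the 'statement only' option, unsigned."""
    return {"_type": INTOTO_STATEMENT_V1, "subject": list(subjects),
            "predicateType": predicate_type, "predicate": predicate}


def provenance_predicate(build_type, external_params, builder_id, invocation_id) -> dict:
    """Minimal SLSA v1 provenance predicate body."""
    return {"buildDefinition": {"buildType": build_type,
                                "externalParameters": external_params,
                                "internalParameters": {},
                                "resolvedDependencies": []},
            "runDetails": {"builder": {"id": builder_id},
                           "metadata": {"invocationId": invocation_id}}}


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: what actually gets signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def canonical(stmt: dict) -> bytes:
    return json.dumps(stmt, sort_keys=True, separators=(",", ":")).encode()


def sign(stmt: dict, key: bytes, keyid: str = "constructed-hmac-key") -> dict:
    """Wrap a statement in a DSSE envelope: the 'attestation' option (HMAC stand-in)."""
    payload = canonical(stmt)
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def verify(envelope: dict, key: bytes) -> bool:
    """Recompute the PAE over the envelope's own payloadType and payload."""
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    return any(hmac.compare_digest(base64.b64decode(s["sig"]), expected)
               for s in envelope["signatures"])


# Constructed inputs.
ARTIFACT_NAME = "app.tar.gz"
ARTIFACT_BYTES = b"constructed artifact bytes"
KEY = b"constructed-secret"


def build_examples():
    """Return (provenance statement, signed envelope, CycloneDX statement)."""
    subj = [subject(ARTIFACT_NAME, ARTIFACT_BYTES)]
    prov = statement(subj, SLSA_PROVENANCE_V1, provenance_predicate(
        "https://example.invalid/buildtypes/ci/v1", {"ref": "refs/heads/main"},
        "https://example.invalid/builder", "pipeline-1234"))
    # Second predicate for the same subject; uploaded by the job, not by the builder.
    bom = statement(subj, CYCLONEDX_BOM, {"bomFormat": "CycloneDX", "specVersion": "1.5",
                                          "version": 1, "components": []})
    return prov, sign(prov, KEY), bom


if __name__ == "__main__":
    prov, env, bom = build_examples()
    print(json.dumps(prov, indent=2))
    print(json.dumps(env, indent=2))
    print("envelope verifies:", verify(env, KEY))
```

The statement and the attestation share the subject, so a UX that offers "statement only" still fixes the artifact digest; what it drops is the builder signature over the PAE, which is what a verifier later uses to tie the claim to the builder. The CycloneDX statement reuses the subject but is produced by the job, which is why the note above treats it separately from the provenance.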
Tasks prior to evaluation
- Clearly document the topic to be evaluated in this issue description
- Determine specific scope including time-bounds for investigation
Tasks to Evaluate
- List possible UX
- Compare these options
- Select one
- Create implementation issues
Edited by Fabien Catteau