Add individual job artifacts to the SLSA provenance subject

Release notes

#546150 (closed) creates provenance statements, but the subject in that statement only contains the artifact archive itself. This issue is for adding the individual artifacts themselves to the subject. The subject is a set, so additional elements can simply be appended to the array. The in-toto Statement specification describes the subject as follows:

Set of software artifacts that the attestation applies to. Each element represents a single software artifact. Each element MUST have digest set.

Subjects are assumed to be immutable, i.e. the artifacts identified by the subject SHOULD NOT change.

The name field may be used as an identifier to distinguish this artifact from others within the subject. Similarly, other ResourceDescriptor fields may be used as required by the context. The semantics are up to the producer and consumer and they MAY use them when evaluating policy. If the name is not meaningful, leave the field unset or use "_". For example, a SLSA Provenance attestation might use the name to specify output filename, expecting the consumer to only consider entries with a particular name. Alternatively, a vulnerability scan attestation might leave name unset because the results apply regardless of what the artifact is named.

If set, name and uri SHOULD be unique within subject.
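As an added example (not GitLab's implementation), the following builds a subject that lists the archive and each artifact it contains, then checks the two rules quoted above: every element carries a digest set, and name/uri are unique when set (a name of "_" is treated as unset). The artifact names and contents are constructed sample data.

```python
"""Build and validate the `subject` of an in-toto Statement (the container
for SLSA provenance) so that it lists a job's individual artifacts and not
only the artifact archive. Added example; not GitLab's own code."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_subject(artifacts: dict[str, bytes]) -> list[dict]:
    """One ResourceDescriptor per artifact: name plus a digest set.
    The subject is a set, so the archive and the files inside it are
    simply further elements of the same array."""
    return [{"name": name, "digest": {"sha256": sha256_hex(data)}}
            for name, data in artifacts.items()]


def validate_subject(subject: list[dict]) -> list[str]:
    """Return the violations found (an empty list means valid):
    every element MUST have a non-empty digest set; name and uri,
    when set, SHOULD be unique within the subject ("_" counts as unset)."""
    problems = []
    seen = {"name": set(), "uri": set()}
    for i, entry in enumerate(subject):
        digest = entry.get("digest")
        if not isinstance(digest, dict) or not digest:
            problems.append(f"subject[{i}]: missing digest set")
        for key in ("name", "uri"):
            value = entry.get(key)
            if value and value != "_":
                if value in seen[key]:
                    problems.append(f"subject[{i}]: duplicate {key} {value!r}")
                seen[key].add(value)
    return problems


def statement(subject: list[dict], predicate_type: str, predicate: dict) -> dict:
    """Wrap the subject in an in-toto Statement v1 envelope payload."""
    return {"_type": "https://in-toto.io/Statement/v1", "subject": subject,
            "predicateType": predicate_type, "predicate": predicate}


# Constructed sample: the job's archive plus two files it contains.
SAMPLE_ARTIFACTS = {"artifacts.zip": b"hello", "dist/app.bin": b"",
                    "dist/app.sha256": b"checksums"}

if __name__ == "__main__":
    subj = build_subject(SAMPLE_ARTIFACTS)
    print(statement(subj, "https://slsa.dev/provenance/v1", {}))
    print("violations:", validate_subject(subj))
```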
