[Discussion] UX to enable SLSA provenance generation
### Topic to Evaluate

Define a UX for enabling SLSA provenance generation.

Note: Right now https://gitlab.com/groups/gitlab-org/-/epics/17702+ doesn't assume anything, and implementation relies on feature flags to selectively enable SLSA provenance generation.

__Depending on the UX we choose__, users might need to configure when SLSA provenance is generated. Possible targets are:

- provenance attestation and/or statement only
- job, pipeline, or entire project
- artifact type
- artifact

It could apply to all artifacts uploaded by all pipelines of a given project.

We might also consider if the UX makes it possible to later enable generation for SLSA predicates other than the SLSA provenance, like the [CycloneDX predicate](https://github.com/in-toto/attestation/blob/v1.1.1/spec/predicates/cyclonedx.md). This predicate would be uploaded by the CI/CD job. (This doesn't violate SLSA L3 requirements since it's not the provenance.)

### Tasks prior to evaluation

- [x] Clearly document the topic to be evaluated in this issue description
- [x] Determine specific scope including time-bounds for investigation

### Tasks to Evaluate

- [x] List possible UX
- [ ] Compare these options
- [ ] Select one
- [ ] Create implementation issues