Document for which SLSA Levels this approach can (and can not) be used

[raboof]

The README mentions this action is applicable for SLSA level 1. This might be a good place to document what would be necessary for further SLSA levels.

Looking at the Requirements it looks like this approach could also be used for L2, and that the main things missing would be:

• signing the provenance document (assuming 'the service generating the provenance' is allowed to be the builder?)
• perhaps identifying the source repo and tag/commit more specifically

For L3, it might be the approach no longer suffices, because of the non-falsifiability requirement that specifies the user-defined build steps have no access to the provenance signing key. Of course in GitHub Actions you can make a secret available to only specific steps, but I'm not sure that is sufficient isolation?

[loosebazooka]

this project is mostly superseded by https://github.com/slsa-framework/slsa-github-generator-go and similar tooling