feat: Producing SLSA provenance for reproducible builds using Hermit

[asraa]

Feature Description

Hey! This is more of a request for a colaboration. Our team works on creating tools for SLSA provenance (SLSA is a project aimed at improving software supply chain integrity by producing verifiable provenance about the origin of the software and integrating it inside the software delivery pipeline).

We've been developing a container based provenance GitHub workflow that is able to produce verifiable and non-forgeable provenance for a build that uses a container base image and a specified script/command to run. This work is being done to support Project Oak's transparent release -- which aims to enhance remote attestations in TEEs with transparent, verifiable binary provenance.

The workflow creates provenance that is isolated from both the user and the build process, in order to produce provenance that could not have been manipulated (assuming trust in the workflow). The provenance record contains information needed for a verifier to reproduce the build -- and we have developed tools to support reproducibility.

Using Hermit inside a base image to create the build would hopefully provide a fully deterministic build.

Feature purpose and use cases
We'd like to demo or showcase the usage of Hermit inside a base image to produce a fully deterministic build output with verifiable build provenance.

We're wondering if (1) you have considered build provenance, and (2) if you would be interested in demonstrating usage of these tools together for demos and example.

cc @rbehjati @laurentsimon