SLSA Level 2: what build provenance is and why it isn't SBOM
SLSA Level 2 in practice: how build provenance differs from an SBOM, why L2 is a realistic target, how the GitLab Runner itself generates a non-forgeable attestation, and how to verify it with glab/cosign and at admission.
