Consider using the in-toto-golang library for the provenance spec
We (@developer-guy) just noticed that in the current implementation of attestation generation, gitlab-runner uses a non-standard custom spec, as we can see here: https://gitlab.com/gitlab-org/gitlab-runner/-/blob/main/commands/helpers/artifact_metadata.go#L18-24
We should use the predefined v0.2 spec instead: https://github.com/in-toto/in-toto-golang/blob/master/in_toto/slsa_provenance/v0.2/provenance.go
You can find a similar effort in cosign: https://github.com/sigstore/cosign/blob/main/pkg/cosign/attestation/attestation.go
Is there any particular reason why we prefer a custom implementation instead of using the in-toto spec?
Edited by Furkan Türkal
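Added example, not code from this issue, gitlab-runner or in-toto-golang: a consumer-side check, written in Go against the standard library only, that an attestation actually carries the standard in-toto Statement type and the SLSA v0.2 predicate type the issue asks for. The struct layout mirrors the JSON shape of in-toto-golang's v0.2 types; the sample statement, its artifact name and its builder id are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Type identifiers fixed by the in-toto Statement and SLSA Provenance v0.2 specs.
const (
	StatementType     = "https://in-toto.io/Statement/v0.1"
	ProvenanceV02Type = "https://slsa.dev/provenance/v0.2"
)
// Structs mirroring the JSON layout of in-toto-golang's v0.2 types (only the
// fields checked below); standard library only, not the library's own code.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}
type Predicate struct {
	Builder   struct{ ID string `json:"id"` } `json:"builder"`
	BuildType string                          `json:"buildType"`
}
type Statement struct {
	Type          string    `json:"_type"`
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
	Predicate     Predicate `json:"predicate"`
}
// SampleAttestation is a constructed, spec-shaped statement with placeholder ids.
var SampleAttestation = []byte(`{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"name":"artifacts.zip","digest":{"sha256":"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"}}],"predicate":{"builder":{"id":"https://gitlab.example/runner/PLACEHOLDER"},"buildType":"https://example.invalid/gitlab-runner/build"}}`)
var sha256Hex = regexp.MustCompile(`^[0-9a-f]{64}$`)

// Validate is the consumer-side check: reject attestations that do not carry the
// standard types, a builder id, and a well-formed sha256 digest for every subject.
func Validate(raw []byte) error {
	var s Statement
	if err := json.Unmarshal(raw, &s); err != nil {
		return err
	}
	if s.Type != StatementType || s.PredicateType != ProvenanceV02Type || s.Predicate.Builder.ID == "" || len(s.Subject) == 0 {
		return fmt.Errorf("not a complete v0.2 provenance statement: %q / %q", s.Type, s.PredicateType)
	}
	for _, sub := range s.Subject {
		if !sha256Hex.MatchString(sub.Digest["sha256"]) {
			return fmt.Errorf("subject %q lacks a valid sha256 digest", sub.Name)
		}
	}
	return nil
}
```

A custom layout such as the one linked in the issue fails the first check because its `_type` and `predicateType` are not the standard identifiers, which is what a downstream verifier keys on.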