Cryptographically verify tools run as part of the CI/CD pipeline #94
varunsh-coder started this conversation in Ideas
Replies: 1 comment
- varunsh-coder (original post):
  In the future harden-runner will verify the checksum of tools run as part of the CI/CD pipeline. You can see the current limited experience for this feature on Supply Chain Goat.
  Please share ideas on developer experience for this feature, e.g., would you like the build to break if one of the components cannot be verified?
- Reply (1 comment):
  I think it should be as secure as possible, while making sure it does not break many third-party actions. So failing the build could be a good default in this case, if it doesn't turn out to break many builds. You can collect data on this with audit mode. It should always be possible to opt out or whitelist certain things. Maybe I need to build curl (or some other utility) myself to make it work for me – then it should be possible to opt out or whitelist my builds somehow.
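The developer experience discussed in this thread (pin a checksum per tool, an audit mode that only reports, an enforce mode that fails the build, and an opt-out for self-built utilities) as an added example. This is not harden-runner's code; the policy layout, the mode and opt-out names, and the sample tool files are all assumptions constructed for the demo.

```python
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

@dataclass
class Policy:
    expected: dict                             # tool path -> expected hex SHA-256 (assumed format)
    mode: str = "enforce"                      # "audit" reports only; "enforce" fails the build
    opt_out: set = field(default_factory=set)  # tool paths exempted, e.g. utilities you built yourself

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tools(policy, tool_paths):
    """Check each tool against the policy; return (build_ok, {tool: status})."""
    status, build_ok = {}, True
    for tool in tool_paths:
        if tool in policy.opt_out:
            status[tool] = "skipped (opted out)"
        elif tool not in policy.expected:
            status[tool] = "unverified (no expected checksum)"
        elif sha256_file(tool) == policy.expected[tool]:
            status[tool] = "verified"
        else:
            status[tool] = "mismatch (checksum differs)"
        # Only enforce mode turns a failed or missing check into a failed build;
        # audit mode keeps the same findings but lets the build continue.
        if policy.mode == "enforce" and status[tool] not in ("verified", "skipped (opted out)"):
            build_ok = False
    return build_ok, status

def demo(mode):
    """Constructed sample: a correctly pinned tool, a tampered one, an unpinned one, a self-built one."""
    d = Path(tempfile.mkdtemp())
    curl, jq, unknown, mine = d / "curl", d / "jq", d / "unknown", d / "mytool"
    curl.write_bytes(b"#!/bin/sh\necho curl\n")
    jq.write_bytes(b"#!/bin/sh\necho jq (modified)\n")   # content differs from the pinned hash
    unknown.write_bytes(b"#!/bin/sh\necho ?\n")          # no pin recorded for this tool
    mine.write_bytes(b"#!/bin/sh\necho mine\n")          # user-built, explicitly opted out
    policy = Policy(expected={str(curl): sha256_file(curl),
                              str(jq): hashlib.sha256(b"#!/bin/sh\necho jq\n").hexdigest()},
                    mode=mode, opt_out={str(mine)})
    ok, status = verify_tools(policy, [str(curl), str(jq), str(unknown), str(mine)])
    return ok, {Path(k).name: v for k, v in status.items()}

if __name__ == "__main__":
    for mode in ("audit", "enforce"):
        print(mode, *demo(mode))
```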