Per docs/v1-rc1-operational-gaps.md §1 SLSA L3, remediation step 3.
Work: in .github/workflows/release.yml:423, the ko-publish job sets KO_DOCKER_REPO: ghcr.io/tracecoreai/tracecore at the env-line level. SLSA L3 requires parameterless builds: hardcode the value at the step level rather than the job env to satisfy "no operator-supplied build parameters that change the produced artifact".
Acceptance: grep KO_DOCKER_REPO .github/workflows/release.yml returns only step-scoped occurrences; provenance predicate buildDefinition.resolvedDependencies is unchanged.
Effort: S (1-line move).
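A plain `grep` shows that `KO_DOCKER_REPO` is present but not whether a match sits under a job's `env:` or a step's `env:`. The following added example (not part of the project's code) makes the acceptance check scope-aware by parsing the workflow YAML. The helper names `env_scopes` and `step_scoped_only?`, the two sample workflows, and the `./cmd/example` path are constructed for illustration.

```ruby
require "yaml"

# Return every scope in a GitHub Actions workflow where `key` is set via `env:`.
# Scopes are reported as "workflow", "job:<id>" or "step:<job id>[<index>]".
def env_scopes(workflow_yaml, key)
  wf = YAML.safe_load(workflow_yaml) || {}
  has_key = ->(node) { node.is_a?(Hash) && node["env"].is_a?(Hash) && node["env"].key?(key) }
  scopes = []
  scopes << "workflow" if has_key.call(wf)
  (wf["jobs"] || {}).each do |job_id, job|
    next unless job.is_a?(Hash)
    scopes << "job:#{job_id}" if has_key.call(job)
    (job["steps"] || []).each_with_index do |step, i|
      scopes << "step:#{job_id}[#{i}]" if has_key.call(step)
    end
  end
  scopes
end

# Acceptance: the key is defined at least once, and only at step level.
def step_scoped_only?(workflow_yaml, key)
  scopes = env_scopes(workflow_yaml, key)
  !scopes.empty? && scopes.all? { |s| s.start_with?("step:") }
end

# Constructed sample: value set in the job-level env (the state being remediated).
BEFORE = <<~YAML
  jobs:
    ko-publish:
      runs-on: ubuntu-latest
      env:
        KO_DOCKER_REPO: ghcr.io/tracecoreai/tracecore
      steps:
        - name: Publish image
          run: ko build ./cmd/example
YAML

# Constructed sample: the same value hardcoded on the step that uses it.
AFTER = <<~YAML
  jobs:
    ko-publish:
      runs-on: ubuntu-latest
      steps:
        - name: Publish image
          env:
            KO_DOCKER_REPO: ghcr.io/tracecoreai/tracecore
          run: ko build ./cmd/example
YAML

if __FILE__ == $0
  { "before" => BEFORE, "after" => AFTER }.each do |label, wf|
    puts "#{label}: #{env_scopes(wf, 'KO_DOCKER_REPO').inspect}"
  end
end
```

To run it against the real file, pass `File.read(".github/workflows/release.yml")` as the first argument.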