Provenance

Every attestation carries where it came from.

Builds run on GitHub-hosted runners and authenticate with a GitHub Actions OIDC token, which proves the repository, commit, and run that produced the output. Vega records that provenance with each attestation and in the transparency log.