Google team had tackled this problem for GCP and the internal technical infrastructure: [1].
It was a surprisingly hard problem, because the enforcement of build security is so wide-reaching that plugging the little holes becomes a major company-wide effort.
I’m currently contributing to an open source project that aims to tackle the chain of custody and ensure that steps happened by trusted functionaries. It’s a very interesting problem to be working on, but the more you dig in, the more you realize how daunting and terrifying the problem set is.
[1] https://cloud.google.com/security/binary-authorization-for-b...