Now, you say, you have to trust GitHub? Sure, you do, to achieve this. But consider the threat model: what is more likely to be compromised, a single maintainer or account in your project, or the whole GitHub build infrastructure?
Personally, I was also not quite convinced, given you lose "control" over your build and GitHub could theoretically now inject #malware.
However, as the project itself states, this is not a big deal if you combine it with the older security feature, #reproduciblebuilds.
https://slsa.dev/spec/v1.0/faq#q-what-about-reproducible-builds
To explain: we have #SLSA signatures that verify the build was done automatically by #GitHub as instructed, *and* we have traditional #gpg signatures, with private keys known only to the maintainer(s), that verify a maintainer actually triggered the build and locally reproduced it…
Given both validate, you automatically achieve reproducible builds _and_ #SLSA validity.
One caveat: this was only this easy because our build process is essentially one command (git archive).
https://github.com/PrivateBin/PrivateBin/blob/master/doc/Release.md
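What a consumer-side check of the two-signature scheme above looks like (SLSA provenance for the GitHub build plus a maintainer GPG signature over the same bytes), as an added example that is not PrivateBin's own code: the builder id, the maintainer fingerprint and the constructed sample inputs are assumptions, and the in-toto/SLSA v1 field layout follows the slsa-github-generator format. It assumes the provenance's DSSE envelope has already been cryptographically verified (e.g. with slsa-verifier) and shows only the policy checks that bind both attestations to one sha256.

```python
import hashlib
import subprocess

# Assumptions: pin these to the real builder tag, source repo and maintainer
# key fingerprints; the values below are placeholders / constructed.
EXPECTED_BUILDER = ("https://github.com/slsa-framework/slsa-github-generator/"
                    ".github/workflows/generator_generic_slsa3.yml@refs/tags/vX.Y.Z")
EXPECTED_REPO = "https://github.com/PrivateBin/PrivateBin"
MAINTAINER_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}  # constructed

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def provenance_ok(statement: dict, artifact: bytes) -> bool:
    """Policy checks on an in-toto Statement v1 with SLSA provenance v1. Assumes
    the DSSE envelope was already verified (e.g. slsa-verifier): this checks
    what the attested build was, not the attestation signature itself."""
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        return False
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False
    digest = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        return False  # the provenance describes some other file
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    repo = (pred.get("buildDefinition", {}).get("externalParameters", {})
            .get("workflow", {}).get("repository"))
    return builder == EXPECTED_BUILDER and repo == EXPECTED_REPO

def signer_fingerprints(gpg_status: str) -> set:
    """Fingerprints from VALIDSIG lines of `gpg --status-fd 1 --verify`.
    GOODSIG only carries a short key id; VALIDSIG carries the fingerprint."""
    fprs = set()
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            fprs.add(parts[2].upper())
    return fprs

def gpg_status_for(sig_path: str, artifact_path: str) -> str:
    cmd = ["gpg", "--status-fd", "1", "--verify", sig_path, artifact_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def release_trusted(statement: dict, artifact: bytes, gpg_status: str) -> bool:
    """Both chains must hold: GitHub built it from the pinned repo AND a
    maintainer key signed the identical bytes (i.e. reproduced it locally)."""
    return (provenance_ok(statement, artifact)
            and bool(signer_fingerprints(gpg_status) & MAINTAINER_FPRS))
```

In practice `gpg_status_for(sig, archive)` supplies the status text and a mismatch in either chain, or an artifact whose bytes differ from the attested digest, rejects the release.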