Your organization develops software involved in many open-source projects and is concerned about software supply chain threats. You need to generate build provenance to demonstrate that the software has not been tampered with.

What should you do?