Repository rename tasks

.github/workflows/go-test.yml

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: Copyright 2025 The SLSA Authors
+# SPDX-License-Identifier: Apache-2.0
+---
 name: Go Tests (sourcetool)
 
 on:

.github/workflows/local_attest.yml

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: Copyright 2025 The SLSA Authors
+# SPDX-License-Identifier: Apache-2.0
+---
 name: SLSA Source
 on:
   push:

.github/workflows/release.yaml

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: Copyright 2025 The SLSA Authors
+# SPDX-License-Identifier: Apache-2.0
+---
 name: release
 
 on:

.golangci.yaml

@@ -27,7 +27,7 @@ formatters:
       sections:
         - standard
         - default
-        - prefix(github.com/slsa-framework/slsa-source-poc)
+        - prefix(github.com/slsa-framework/source-tool)
 linters:
   enable:
     - asasalint

buf.gen.yaml

@@ -10,4 +10,4 @@ plugins:
     out: ./pkg
     opt: 
       - paths=import
-      - module=github.com/slsa-framework/slsa-source-poc/pkg
+      - module=github.com/slsa-framework/source-tool/pkg

docs/DESIGN.md

@@ -181,7 +181,7 @@ field in the policy then needs to be enabled too.
 TODO: In the future this tool could be updated to allow some subset of tags
 to be updated (e.g. `latest`, `nightly`), but that feature is not yet
 supported. Tracked
-[here](https://github.com/slsa-framework/slsa-source-poc/issues/129).
+[here](https://github.com/slsa-framework/source-tool/issues/129).
 
 The tag hygiene control is evaluated for _both_ branch updates and tag updates.
 
@@ -243,7 +243,7 @@ Source provenance covers changes to a branch.  It indicates:
       }
     }
   ],
-  "predicateType": "https://github.com/slsa-framework/slsa-source-poc/source-provenance/v1-draft",
+  "predicateType": "https://github.com/slsa-framework/source-tool/source-provenance/v1-draft",
   "predicate": {
     "activity_type": "pr_merge",
     "actor": "TomHennen",
@@ -268,7 +268,7 @@ Source provenance covers changes to a branch.  It indicates:
     ],
     "created_on": "2025-05-31T21:52:36.665624162Z",
     "prev_commit": "a224aa2d55884ef0cef78ccb498c3561ca240808",
-    "repo_uri": "https://github.com/slsa-framework/slsa-source-poc"
+    "repo_uri": "https://github.com/slsa-framework/source-tool"
   }
 }
 ```
@@ -306,7 +306,7 @@ Tag provenance records a tag creation event.  It indicates:
       }
     ],
     "created_on": "2025-06-01T21:46:21.698144672Z",
-    "repo_uri": "https://github.com/slsa-framework/slsa-source-poc",
+    "repo_uri": "https://github.com/slsa-framework/source-tool",
     "tag": "refs/tags/sourcetool/v0.5.1",
     "vsa_summaries": [
       {
@@ -326,8 +326,8 @@ Tag provenance records a tag creation event.  It indicates:
 
 ## Policy
 
-This PoC uses user supplied 'policy' files (stored in
-[a public git repo](https://github.com/slsa-framework/slsa-source-poc/tree/main/policy/github.com)
+This PoC uses user-supplied 'policy' files (stored in
+[a public git repo](https://github.com/slsa-framework/source-policies/tree/main/policy/github.com)
 outside of user control) to indicate what controls _ought_ to be enforced and when that
 enforcement should start.
 
@@ -340,7 +340,7 @@ This amounts to public declaration of SLSA adoption and allows backsliding to be
 
 ```json
 {
-  "canonical_repo": "https://github.com/slsa-framework/slsa-source-poc",
+  "canonical_repo": "https://github.com/slsa-framework/source-tool",
   "protected_branches": [
     {
       "Name": "main",
@@ -370,7 +370,7 @@ declaration by the org that all tags are protected.
 
 The tool does not yet support protecting only some tags. Adding support is
 tracked in
-[this issue](https://github.com/slsa-framework/slsa-source-poc/issues/129).
+[this issue](https://github.com/slsa-framework/source-tool/issues/129).
 
 ### Org Specified Properties
 
@@ -403,9 +403,9 @@ Example VSA
   "predicateType": "https://slsa.dev/verification_summary/v1",
   "predicate": {
     "policy": {
-      "uri": "https://github.com/slsa-framework/slsa-source-poc/blob/main/policy/github.com/slsa-framework/slsa-source-poc/source-policy.json"
+      "uri": "https://github.com/slsa-framework/source-policies/blob/main/policy/github.com/slsa-framework/source-tool/source-policy.json"
     },
-    "resourceUri": "git+https://github.com/slsa-framework/slsa-source-poc",
+    "resourceUri": "git+https://github.com/slsa-framework/source-tool",
     "timeVerified": "2025-06-01T21:51:51.451207508Z",
     "verificationResult": "PASSED",
     "verifiedLevels": [
@@ -414,7 +414,7 @@ Example VSA
       "ORG_SOURCE_TESTED"
     ],
     "verifier": {
-      "id": "https://github.com/slsa-framework/slsa-source-poc"
+      "id": "https://github.com/slsa-framework/source-tool"
     }
   }
 }

docs/REQUIREMENTS_MAPPING.md

@@ -10,33 +10,33 @@ as of June 21, 2025.
 ## Organization Requirements
 
 These requirements are primarily for the organization that is producing the
-source code. The `slsa-source-poc` tool helps organizations meet these
+source code. `source-tool` helps organizations meet these
 requirements when using GitHub as their Source Control System (SCS).
 
 ### [Choose an appropriate source control system](https://slsa.dev/spec/v1.2-rc1/source-requirements#choose-scs)
 
 **Required for: SLSA Source Level 1+**
 
 This requirement is for the organization to select an SCS that can meet their
-desired SLSA Source Level. The `slsa-source-poc` tool is designed specifically
+desired SLSA Source Level. `source-tool` is designed specifically
 for organizations using **GitHub**.
 
 ### [Protect consumable branches and tags](https://slsa.dev/spec/v1.2-rc1/source-requirements#protect-consumable-branches-and-tags)
 
 **Required for: SLSA Source Level 2+**
 
-The `slsa-source-poc` tool is designed around this principle.
+The SLSA source tool is designed around this principle.
 
 - **Policy:** Users define a
-  [policy file](https://github.com/slsa-framework/slsa-source-poc/blob/main/DESIGN.md#policy)
+  [policy file](DESIGN.md#policy)
   to specify which branches are protected and what their target SLSA level is.
   The policy also allows for specifying which tags should be protected.
 - **Identity Management:** The tool relies on GitHub's built-in
   [identity management](https://docs.github.com/en/get-started/learning-about-github/types-of-github-accounts#user-accounts)
   to configure which actors can perform sensitive actions.
 - **Technical Controls:** The tool enforces technical controls via GitHub's
   [rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository).
-  [DESIGN.md](https://github.com/slsa-framework/slsa-source-poc/blob/main/DESIGN.md)
+  [DESIGN.md](DESIGN.md)
   outlines several controls such as `CONTINUITY_ENFORCED`, `REVIEW_ENFORCED`,
   `TAG_HYGIENE`, and custom `GH_REQUIRED_CHECK_*` controls that map to
   organization-defined checks. These are included in the generated VSAs as
@@ -46,7 +46,7 @@ The `slsa-source-poc` tool is designed around this principle.
 
 **Required for: SLSA Source Level 2+**
 
-The `slsa-source-poc` tool does not provide a technical enforcement mechanism
+The SLSA source tool does not provide a technical enforcement mechanism
 for a safe expunging process. However, it recommends a process based on GitHub's
 features:
 
@@ -62,16 +62,15 @@ used only for safe expunging. This relies on organizational process.
 
 ## Source Control System Requirements
 
-These requirements are for the Source Control System itself. The
-`slsa-source-poc` tool leverages GitHub's capabilities to meet these
-requirements.
+These requirements are for the Source Control System itself. `source-tool`
+leverages GitHub's capabilities to meet these requirements.
 
 ### [Repositories are uniquely identifiable](https://slsa.dev/spec/v1.2-rc1/source-requirements#repository-ids)
 
 **Required for: SLSA Source Level 1+**
 
 The tool works with **GitHub repositories**, which are uniquely identified by
-their URL (e.g., `https://github.com/slsa-framework/slsa-source-poc`).
+their URL (e.g., `https://github.com/slsa-framework/source-tool`).
 
 ### [Revisions are immutable and uniquely identifiable](https://slsa.dev/spec/v1.2-rc1/source-requirements#revision-ids)
 
@@ -84,8 +83,8 @@ identified by their commit hash.
 
 **Required for: SLSA Source Level 1+**
 
-The `slsa-source-poc` tool generates
-[Verification Summary Attestations (VSAs)](https://github.com/slsa-framework/slsa-source-poc/blob/main/DESIGN.md#verification-summary-attestations-vsa)
+The SLSA Source tool generates
+[Verification Summary Attestations (VSAs)](DESIGN.md#verification-summary-attestations-vsa)
 for each commit on a protected branch. These VSAs indicate the SLSA Source Level
 of the revision. The tool uses its generated
 [source provenance](#source-provenance) to issue these VSAs for Level 3 and
@@ -97,7 +96,7 @@ can access the revision.
 **Required for: SLSA Source Level 2+**
 
 The tool requires users to specify protected branches in the
-[policy file](https://github.com/slsa-framework/slsa-source-poc/blob/main/DESIGN.md#policy).
+[policy file](DESIGN.md#policy).
 The tool's logic for determining SLSA levels is then applied to these branches.
 
 ### [History](https://slsa.dev/spec/v1.2-rc1/source-requirements#history)
@@ -113,7 +112,7 @@ tampering with the history of protected branches.
 
 **Required for: SLSA Source Level 2+**
 
-The `slsa-source-poc` tool enforces the change management process through a
+`source-tool` tool enforces the change management process through a
 combination of its policy file and GitHub's rulesets.
 
 - The tool checks for the enforcement of specific rules on protected branches.
@@ -128,12 +127,12 @@ combination of its policy file and GitHub's rulesets.
 
 **Required for: SLSA Source Level 2+**
 
-Continuity is a core concept in the `slsa-source-poc` design.
+Continuity is a core concept in the `source-tool` design.
 
 - The `CONTINUITY_ENFORCED` control ensures that history protection rules are
   continuously enforced.
 - The
-  [provenance-based approach](https://github.com/slsa-framework/slsa-source-poc/blob/main/DESIGN.md#provenance-based)
+  [provenance-based approach](DESIGN.md#provenance-based)
   is designed to track continuity of controls from one commit to the next. If a
   prior commit's provenance shows the same level of control, the start time of
   that control is carried forward. This ensures that there are no gaps in
@@ -149,7 +148,7 @@ require this for a given SLSA level.
 
 **Gap:** The tool does not yet support protecting only a subset of tags; the
 `tag_hygiene` setting applies to all tags. This is tracked in
-[issue #129](https://github.com/slsa-framework/slsa-source-poc/issues/129).
+[issue #129](https://github.com/slsa-framework/source-tool/issues/129).
 
 ### [Identity Management](https://slsa.dev/spec/v1.2-rc1/source-requirements#identity-management)
 
@@ -163,9 +162,9 @@ their GitHub user accounts.
 
 **Required for: SLSA Source Level 3+**
 
-For Level 3, the `slsa-source-poc` tool creates **source provenance
-attestations** for each push to a protected branch. The
-[design document](https://github.com/slsa-framework/slsa-source-poc/blob/main/DESIGN.md#source-provenance)
+For Level 3, `source-tool` creates **source provenance attestations** for each
+push to a protected branch. The
+[design document](DESIGN.md#source-provenance)
 specifies the format of these attestations, which include the actor, the current
 and previous commits, the controls in place, and timestamps.
 
@@ -179,8 +178,8 @@ anyone who can access the revision.
 
 **Required for: SLSA Source Level 4**
 
-For Level 4, the `slsa-source-poc` tool has a `REVIEW_ENFORCED` control. This
-control checks that the repository is configured to:
+For Level 4, `source-tool` has a `REVIEW_ENFORCED` control. This control checks
+that the repository is configured to:
 
 - Require Pull Requests.
 - Require at least one approval.

go.mod

@@ -1,4 +1,4 @@
-module github.com/slsa-framework/slsa-source-poc
+module github.com/slsa-framework/source-tool
 
 go 1.24.5
 

internal/cmd/audit.go

@@ -10,9 +10,9 @@ import (
 
 	"github.com/spf13/cobra"
 
-	"github.com/slsa-framework/slsa-source-poc/pkg/attest"
-	"github.com/slsa-framework/slsa-source-poc/pkg/audit"
-	"github.com/slsa-framework/slsa-source-poc/pkg/ghcontrol"
+	"github.com/slsa-framework/source-tool/pkg/attest"
+	"github.com/slsa-framework/source-tool/pkg/audit"
+	"github.com/slsa-framework/source-tool/pkg/ghcontrol"
 )
 
 type AuditMode int

internal/cmd/auth.go

@@ -11,7 +11,7 @@ import (
 	"github.com/fatih/color"
 	"github.com/spf13/cobra"
 
-	"github.com/slsa-framework/slsa-source-poc/pkg/auth"
+	"github.com/slsa-framework/source-tool/pkg/auth"
 )
 
 var colorHiRed = color.New(color.FgHiRed).SprintFunc()

internal/cmd/checklevel.go

@@ -11,9 +11,9 @@ import (
 
 	"github.com/spf13/cobra"
 
-	"github.com/slsa-framework/slsa-source-poc/pkg/attest"
-	"github.com/slsa-framework/slsa-source-poc/pkg/ghcontrol"
-	"github.com/slsa-framework/slsa-source-poc/pkg/policy"
+	"github.com/slsa-framework/source-tool/pkg/attest"
+	"github.com/slsa-framework/source-tool/pkg/ghcontrol"
+	"github.com/slsa-framework/source-tool/pkg/policy"
 )
 
 type checkLevelOpts struct {

internal/cmd/checklevelprov.go

@@ -13,10 +13,10 @@ import (
 	"github.com/spf13/cobra"
 	"google.golang.org/protobuf/encoding/protojson"
 
-	"github.com/slsa-framework/slsa-source-poc/pkg/attest"
-	"github.com/slsa-framework/slsa-source-poc/pkg/auth"
-	"github.com/slsa-framework/slsa-source-poc/pkg/ghcontrol"
-	"github.com/slsa-framework/slsa-source-poc/pkg/policy"
+	"github.com/slsa-framework/source-tool/pkg/attest"
+	"github.com/slsa-framework/source-tool/pkg/auth"
+	"github.com/slsa-framework/source-tool/pkg/ghcontrol"
+	"github.com/slsa-framework/source-tool/pkg/policy"
 )
 
 type checkLevelProvOpts struct {

internal/cmd/checktag.go

@@ -13,9 +13,9 @@ import (
 	"github.com/spf13/cobra"
 	"google.golang.org/protobuf/encoding/protojson"
 
-	"github.com/slsa-framework/slsa-source-poc/pkg/attest"
-	"github.com/slsa-framework/slsa-source-poc/pkg/ghcontrol"
-	"github.com/slsa-framework/slsa-source-poc/pkg/policy"
+	"github.com/slsa-framework/source-tool/pkg/attest"
+	"github.com/slsa-framework/source-tool/pkg/ghcontrol"
+	"github.com/slsa-framework/source-tool/pkg/policy"
 )
 
 type checkTagOptions struct {

internal/cmd/createpolicy.go

@@ -9,7 +9,7 @@ import (
 
 	"github.com/spf13/cobra"
 
-	"github.com/slsa-framework/slsa-source-poc/pkg/policy"
+	"github.com/slsa-framework/source-tool/pkg/policy"
 )
 
 type createPolicyOptions struct {
@@ -23,18 +23,18 @@ func (cpo *createPolicyOptions) Validate() error {
 
 func (cpo *createPolicyOptions) AddFlags(cmd *cobra.Command) {
 	cpo.branchOptions.AddFlags(cmd)
-	cmd.PersistentFlags().StringVar(&cpo.policyRepoPath, "policy_repo_path", "./", "Path to the directory with a clean clone of github.com/slsa-framework/slsa-source-poc.")
+	cmd.PersistentFlags().StringVar(&cpo.policyRepoPath, "policy_repo_path", "./", "Path to the directory with a clean clone of github.com/slsa-framework/source-policies.")
 }
 
 func addCreatePolicy(parentCmd *cobra.Command) {
 	opts := createPolicyOptions{}
 
 	createpolicyCmd := &cobra.Command{
 		Use:   "createpolicy",
-		Short: "Creates a policy in a local copy of slsa-source-poc",
-		Long: `Creates a SLSA source policy in a local copy of slsa-source-poc.
+		Short: "Creates a policy in a local copy of source-policies",
+		Long: `Creates a SLSA source policy in a local copy of source-policies.
 
-		The created policy should then be sent as a PR to slsa-framework/slsa-source-poc.`,
+		The created policy should then be sent as a PR to slsa-framework/source-policies.`,
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if err := opts.Validate(); err != nil {
 				return err

internal/cmd/options.go

@@ -12,9 +12,9 @@ import (
 	"github.com/carabiner-dev/vcslocator"
 	"github.com/spf13/cobra"
 
-	"github.com/slsa-framework/slsa-source-poc/pkg/auth"
-	"github.com/slsa-framework/slsa-source-poc/pkg/ghcontrol"
-	"github.com/slsa-framework/slsa-source-poc/pkg/sourcetool/models"
+	"github.com/slsa-framework/source-tool/pkg/auth"
+	"github.com/slsa-framework/source-tool/pkg/ghcontrol"
+	"github.com/slsa-framework/source-tool/pkg/sourcetool/models"
 )
 
 type repoOptions struct {

internal/cmd/policy.go

@@ -14,9 +14,9 @@ import (
 	"google.golang.org/protobuf/proto"
 	"sigs.k8s.io/release-utils/util"
 
-	"github.com/slsa-framework/slsa-source-poc/pkg/policy"
-	"github.com/slsa-framework/slsa-source-poc/pkg/sourcetool"
-	"github.com/slsa-framework/slsa-source-poc/pkg/sourcetool/models"
+	"github.com/slsa-framework/source-tool/pkg/policy"
+	"github.com/slsa-framework/source-tool/pkg/sourcetool"
+	"github.com/slsa-framework/source-tool/pkg/sourcetool/models"
 )
 
 type policyViewOpts struct {