Hi all,
Here is another blog that references in-toto, and also SLSA.
Supply Chain Security Begins with Secure Software Development – NCC Group Research
Kay