SLSA L3 without buying a SaaS
Draft writing — full body publishes via the editorial workflow.
You can reach SLSA Level 3 without adopting a new SaaS, without rewriting your CI, and without a separate “supply-chain team”. The path uses sigstore (cosign + rekor + fulcio), GitLab CI’s keyless OIDC issuer, and a build-provenance attestation generated inside the same job that produces the artefact. We publish the YAML.
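A single GitLab CI job wiring together the pieces named above, as an added example (it is not the author's published YAML): the job requests an OIDC token for Sigstore, builds and pushes an image, then signs it and attaches a provenance attestation before the job ends. The job name, image tag, `buildType` URI, `builder.id` form and the SLSA v0.2 predicate layout are assumptions made for illustration.

```yaml
# Added example, not the author's published YAML. Assumes a gitlab.com project
# with the container registry, a Docker-in-Docker runner, a branch pipeline,
# and the public Sigstore instance (cosign's default Fulcio and Rekor).
build_sign_attest:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  variables:
    IMAGE_TAG: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
    COSIGN_YES: "true"          # non-interactive: skip cosign's confirmation prompt
  id_tokens:
    SIGSTORE_ID_TOKEN:          # cosign reads this variable as its OIDC identity token
      aud: sigstore
  before_script:
    - apk add --no-cache cosign jq
    - docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
  script:
    - docker build --pull -t "$IMAGE_TAG" .
    - docker push "$IMAGE_TAG"
    # Sign and attest the immutable digest, never the mutable tag.
    - IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE_TAG")"
    # Provenance predicate built from predefined CI variables.
    # The buildType URI is a placeholder; the builder.id form is illustrative.
    - |
      jq -n --arg repo "$CI_PROJECT_URL" --arg sha "$CI_COMMIT_SHA" \
            --arg builder "$CI_SERVER_URL/-/runners/$CI_RUNNER_ID" \
            --arg entry "$CI_CONFIG_PATH" '{
        builder: {id: $builder},
        buildType: "https://example.com/gitlab-ci-job/v1",
        invocation: {configSource: {uri: $repo, digest: {sha1: $sha}, entryPoint: $entry}},
        materials: [{uri: $repo, digest: {sha1: $sha}}]
      }' > provenance.json
    # Keyless: Fulcio issues a short-lived certificate bound to the job's OIDC
    # identity, and the signature and attestation are recorded in Rekor.
    - cosign sign "$IMAGE_DIGEST"
    - cosign attest --type slsaprovenance --predicate provenance.json "$IMAGE_DIGEST"
    # Fail the job unless the attestation verifies against this pipeline's identity.
    - |
      cosign verify-attestation --type slsaprovenance \
        --certificate-oidc-issuer "$CI_SERVER_URL" \
        --certificate-identity "$CI_PROJECT_URL//$CI_CONFIG_PATH@refs/heads/$CI_COMMIT_BRANCH" \
        "$IMAGE_DIGEST" > /dev/null
```

Consumers should run the same `cosign verify-attestation` check with the issuer and identity pinned to the expected project, CI file and ref, so that an attestation produced by any other pipeline is rejected.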