Enterprise software supply chains are increasingly vulnerable to infrastructure attacks, resulting in financial and reputational damage. Ensuring the integrity and provenance of software artifacts remains a significant challenge, where re-execution of the build and tests by every consumer to guarantee provenance produces a verification bottleneck and credibility reduction. This paper presents an evidence-driven protocol for trustworthy Continuous Integration (CI) pipelines that combines Deterministic Build Systems (DBS) with Trusted Execution Environments (TEEs). The approach provides cryptographically verifiable guarantees of integrity, authenticity, and attestation for CI artifacts in distributed environments, reducing implicit trust without requiring costly re-execution by consumers. We introduce a protocol that binds deterministic builds with TEE-based attestations, formalizing the evidence life cycle, together with a practical implementation using Nix and Intel TDX. Experimental results show that artifact verification is reduced from redundant computation to lightweight signature and policy checks. These findings demonstrate that evidence-driven CI pipelines establish scalable and verifiable trust in digital infrastructure, effectively amortizing the initial computational overhead introduced by TEEs.

翻译：企业软件供应链日益受到基础设施攻击的威胁，造成财务和声誉损失。确保软件工件的完整性和可溯源仍是一项重大挑战，而每个消费者通过重新执行构建和测试来保证可溯源的方式，将导致验证瓶颈和可信度降低。本文提出一种面向可信持续集成流水线的证据驱动协议，该协议将确定性构建系统与可信执行环境相结合。该方法为分布式环境中的CI工件提供了密码学可验证的完整性、真实性和证明保证，在无需消费者付出昂贵重新执行成本的前提下减少了隐含信任。我们引入了一个协议，将确定性构建与基于TEE的证明绑定在一起，形式化定义了证据生命周期，并结合基于Nix和Intel TDX的实际实现。实验结果表明，工件验证从冗余计算简化为轻量级签名和策略检查。这些发现证明，证据驱动的CI流水线可在数字基础设施中建立可扩展且可验证的信任，有效摊销了TEE引入的初始计算开销。