From "Trust Me" to "Verify Me"

Room 13 · Wed 28 Oct · 13:15–14:15 · Architecture & Security · Intermediate
Modern software supply chain attacks don’t start in your code; they start in your build pipeline. Even with linters, tests, and security scans in place, you can still ship or deploy compromised software if you can’t prove what was built, how it was built, and that it hasn’t been tampered with. In this session, we’ll explore how provenance and attestation turn “trust me” into verifiable evidence. Using the SLSA framework as a foundation, you’ll see how producers can generate cryptographically signed build provenance using GitHub Actions and how consumers can verify artifacts before they are allowed into production. Beyond tooling, we’ll look at how verification fits into real CI/CD workflows, how to enforce trust as a deployment gate, and how to make software supply chain security an actionable, enforceable practice. Live demos will show practical steps you can apply immediately in your own pipelines.
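As an added example (not material from the talk), the consumer-side deployment gate the abstract describes, written as a SLSA v1 provenance policy check: the bytes being deployed must match an attested subject, the builder must be the pinned slsa-github-generator workflow, and the source must be the expected repository tag. The sample statement, repository name and field paths are constructed assumptions, and signature verification of the DSSE envelope (for instance by slsa-verifier) is assumed to have happened before this check runs.

```python
import base64
import hashlib
import json

# Constructed sample, not a real build: a SLSA v1 statement shaped like slsa-github-generator output (field paths are this example's assumption).
ARTIFACT = b"constructed release binary bytes"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-linux-amd64",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"resolvedDependencies": [{
            "uri": "git+https://github.com/example-org/example-app@refs/tags/v1.2.0",
            "digest": {"gitCommit": "0" * 40}}]},
        "runDetails": {"builder": {"id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0"}},
    },
}
POLICY = {  # what this deployment gate is willing to accept
    "builder_id_prefix": "https://github.com/slsa-framework/slsa-github-generator/",
    "source_uri_prefix": "git+https://github.com/example-org/example-app@refs/tags/",
}

def wrap(statement: dict) -> dict:
    """DSSE envelope around a statement; signature checking is assumed to happen upstream."""
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": "application/vnd.in-toto+json", "payload": payload, "signatures": []}

def verify_provenance(artifact: bytes, envelope: dict, policy: dict) -> list:
    """Return policy violations; an empty list means the artifact may be deployed."""
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        return ["unexpected DSSE payloadType"]
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    violations = []
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        violations.append("not a SLSA v1 provenance predicate")
    # 1. The exact bytes being deployed must be an attested subject (catches tampering).
    digest = hashlib.sha256(artifact).hexdigest()
    if digest not in {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}:
        violations.append("artifact sha256 not among attested subjects")
    pred = stmt.get("predicate", {})
    # 2. Only the pinned builder may vouch for the build, not any workflow that claims to.
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith(policy["builder_id_prefix"]):
        violations.append("untrusted builder id: " + (builder or "<missing>"))
    # 3. The build must come from the expected repository and a release tag.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    source = deps[0].get("uri", "") if deps else ""
    if not source.startswith(policy["source_uri_prefix"]):
        violations.append("unexpected source: " + (source or "<missing>"))
    return violations
```

Wired into a pipeline, a non-empty result fails the deploy step, which is what turns the provenance from documentation into an enforced gate.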

About the speaker

Tom van den Berg

Tom van den Berg is a lead developer at Info Support. As a developer he is part of a team that realizes new and innovative solutions. Tom likes to think outside of the box, and he gets a lot of energy from sharing knowledge and encouraging other people to think outside of the box.