{"id":"https://openalex.org/W7161950521","doi":"https://doi.org/10.48550/arxiv.2605.21089","title":"An Evidence-driven Protocol for Trustworthy CI Pipelines","display_name":"An Evidence-driven Protocol for Trustworthy CI Pipelines","publication_year":2026,"publication_date":"2026-05-20","ids":{"openalex":"https://openalex.org/W7161950521","doi":"https://doi.org/10.48550/arxiv.2605.21089"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.21089","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.21089","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.21089","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5099703853","display_name":"Fernando Castillo","orcid":"https://orcid.org/0009-0003-6835-8711"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Castillo, Fernando","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5136642125","display_name":"Eduardo Brito","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Brito, Eduardo","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5063450277","display_name":"Pille Pullonen","orcid":"https://orcid.org/0000-0002-3255-7001"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Pullonen-Raudvere, Pille","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5052239645","display_name":"Sebastian Werner","orcid":"https://orcid.org/0000-0001-8051-7226"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Werner, Sebastian","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5112609752","display_name":"Stefan Tai","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Tai, Stefan","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":5,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.847000002861023,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.847000002861023,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11986","display_name":"Scientific Computing and Data Management","score":0.03400000184774399,"subfield":{"id":"https://openalex.org/subfields/1802","display_name":"Information Systems and Management"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.012900000438094139,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/protocol","display_name":"Protocol (science)","score":0.6075999736785889},{"id":"https://openalex.org/keywords/scalability","display_name":"Scalability","score":0.5687999725341797},{"id":"https://openalex.org/keywords/verifiable-secret-sharing","display_name":"Verifiable secret sharing","score":0.5648000240325928},{"id":"https://openalex.org/keywords/bottleneck","display_name":"Bottleneck","score":0.5206000208854675},{"id":"https://openalex.org/keywords/cryptographic-protocol","display_name":"Cryptographic protocol","score":0.45100000500679016},{"id":"https://openalex.org/keywords/artifact","display_name":"Artifact (error)","score":0.4507000148296356},{"id":"https://openalex.org/keywords/digital-signature","display_name":"Digital signature","score":0.4490000009536743},{"id":"https://openalex.org/keywords/trusted-computing","display_name":"Trusted Computing","score":0.4318000078201294},{"id":"https://openalex.org/keywords/pipeline","display_name":"Pipeline (software)","score":0.4275999963283539},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.42100000381469727}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7968000173568726},{"id":"https://openalex.org/C2780385302","wikidata":"https://www.wikidata.org/wiki/Q367158","display_name":"Protocol (science)","level":3,"score":0.6075999736785889},{"id":"https://openalex.org/C48044578","wikidata":"https://www.wikidata.org/wiki/Q727490","display_name":"Scalability","level":2,"score":0.5687999725341797},{"id":"https://openalex.org/C85847156","wikidata":"https://www.wikidata.org/wiki/Q59015987","display_name":"Verifiable secret sharing","level":3,"score":0.5648000240325928},{"id":"https://openalex.org/C2780513914","wikidata":"https://www.wikidata.org/wiki/Q18210350","display_name":"Bottleneck","level":2,"score":0.5206000208854675},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4925000071525574},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.47040000557899475},{"id":"https://openalex.org/C33884865","wikidata":"https://www.wikidata.org/wiki/Q1254335","display_name":"Cryptographic protocol","level":3,"score":0.45100000500679016},{"id":"https://openalex.org/C2779010991","wikidata":"https://www.wikidata.org/wiki/Q2720909","display_name":"Artifact (error)","level":2,"score":0.4507000148296356},{"id":"https://openalex.org/C118463975","wikidata":"https://www.wikidata.org/wiki/Q220849","display_name":"Digital signature","level":3,"score":0.4490000009536743},{"id":"https://openalex.org/C2776831232","wikidata":"https://www.wikidata.org/wiki/Q966812","display_name":"Trusted Computing","level":2,"score":0.4318000078201294},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.4275999963283539},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.42100000381469727},{"id":"https://openalex.org/C175309249","wikidata":"https://www.wikidata.org/wiki/Q725864","display_name":"Pipeline transport","level":2,"score":0.41600000858306885},{"id":"https://openalex.org/C63000827","wikidata":"https://www.wikidata.org/wiki/Q3080428","display_name":"Software portability","level":2,"score":0.3919999897480011},{"id":"https://openalex.org/C2780615836","wikidata":"https://www.wikidata.org/wiki/Q2471869","display_name":"USable","level":2,"score":0.37709999084472656},{"id":"https://openalex.org/C2779960059","wikidata":"https://www.wikidata.org/wiki/Q7113681","display_name":"Overhead (engineering)","level":2,"score":0.359499990940094},{"id":"https://openalex.org/C2780224610","wikidata":"https://www.wikidata.org/wiki/Q1530061","display_name":"Credibility","level":2,"score":0.3513999879360199},{"id":"https://openalex.org/C77019957","wikidata":"https://www.wikidata.org/wiki/Q2689057","display_name":"Dependability","level":2,"score":0.34689998626708984},{"id":"https://openalex.org/C203062551","wikidata":"https://www.wikidata.org/wiki/Q201339","display_name":"Public-key cryptography","level":3,"score":0.3328000009059906},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.33070001006126404},{"id":"https://openalex.org/C111498074","wikidata":"https://www.wikidata.org/wiki/Q173326","display_name":"Formal verification","level":2,"score":0.328900009393692},{"id":"https://openalex.org/C153701036","wikidata":"https://www.wikidata.org/wiki/Q659974","display_name":"Trustworthiness","level":2,"score":0.32710000872612},{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.3246999979019165},{"id":"https://openalex.org/C33054407","wikidata":"https://www.wikidata.org/wiki/Q6504747","display_name":"Software verification","level":5,"score":0.31679999828338623},{"id":"https://openalex.org/C202973057","wikidata":"https://www.wikidata.org/wiki/Q7380130","display_name":"Runtime verification","level":3,"score":0.314300000667572},{"id":"https://openalex.org/C2779585090","wikidata":"https://www.wikidata.org/wiki/Q3457762","display_name":"Resilience (materials science)","level":2,"score":0.2980000078678131},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.289000004529953},{"id":"https://openalex.org/C2777810591","wikidata":"https://www.wikidata.org/wiki/Q16861606","display_name":"Credential","level":2,"score":0.2822999954223633},{"id":"https://openalex.org/C162372511","wikidata":"https://www.wikidata.org/wiki/Q218341","display_name":"Checksum","level":2,"score":0.2800000011920929},{"id":"https://openalex.org/C31258907","wikidata":"https://www.wikidata.org/wiki/Q1301371","display_name":"Computer network","level":1,"score":0.27900001406669617},{"id":"https://openalex.org/C49895821","wikidata":"https://www.wikidata.org/wiki/Q5227368","display_name":"Data verification","level":2,"score":0.27459999918937683},{"id":"https://openalex.org/C2779950589","wikidata":"https://www.wikidata.org/wiki/Q7544035","display_name":"Smart contract","level":3,"score":0.2736999988555908},{"id":"https://openalex.org/C178005623","wikidata":"https://www.wikidata.org/wiki/Q308859","display_name":"Anonymity","level":2,"score":0.27149999141693115},{"id":"https://openalex.org/C133112747","wikidata":"https://www.wikidata.org/wiki/Q7251931","display_name":"Protocol analysis","level":2,"score":0.2653000056743622},{"id":"https://openalex.org/C147346212","wikidata":"https://www.wikidata.org/wiki/Q5492632","display_name":"Trusted computing base","level":4,"score":0.2630999982357025},{"id":"https://openalex.org/C72648740","wikidata":"https://www.wikidata.org/wiki/Q658476","display_name":"Public key infrastructure","level":4,"score":0.2614000141620636},{"id":"https://openalex.org/C127705205","wikidata":"https://www.wikidata.org/wiki/Q5748245","display_name":"Heuristics","level":2,"score":0.25540000200271606},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.2547000050544739}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.21089","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.21089","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.21089","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.21089","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/9","display_name":"Industry, innovation and infrastructure","score":0.5518787503242493}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Enterprise":[0],"software":[1,22],"supply":[2],"chains":[3],"are":[4],"increasingly":[5],"vulnerable":[6],"to":[7,38,134],"infrastructure":[8],"attacks,":[9],"resulting":[10],"in":[11,85,152],"financial":[12],"and":[13,19,33,45,80,120,137,149],"reputational":[14],"damage.":[15],"Ensuring":[16],"the":[17,31,109,157],"integrity":[18],"provenance":[20,40],"of":[21,30,77],"artifacts":[23,84],"remains":[24],"a":[25,42,99,115],"significant":[26],"challenge,":[27],"where":[28],"re-execution":[29,94],"build":[32],"tests":[34],"by":[35,95,162],"every":[36],"consumer":[37],"guarantee":[39],"produces":[41],"verification":[43,128],"bottleneck":[44],"credibility":[46],"reduction.":[47],"This":[48],"paper":[49],"presents":[50],"an":[51],"evidence-driven":[52,144],"protocol":[53,100],"for":[54,82],"trustworthy":[55],"Continuous":[56],"Integration":[57],"(CI)":[58],"pipelines":[59,146],"that":[60,101,126,143],"combines":[61],"Deterministic":[62],"Build":[63],"Systems":[64],"(DBS)":[65],"with":[66,105,114],"Trusted":[67],"Execution":[68],"Environments":[69],"(TEEs).":[70],"The":[71],"approach":[72],"provides":[73],"cryptographically":[74],"verifiable":[75,150],"guarantees":[76],"integrity,":[78],"authenticity,":[79],"attestation":[81],"CI":[83,145],"distributed":[86],"environments,":[87],"reducing":[88],"implicit":[89],"trust":[90,151],"without":[91],"requiring":[92],"costly":[93],"consumers.":[96],"We":[97],"introduce":[98],"binds":[102],"deterministic":[103],"builds":[104],"TEE-based":[106],"attestations,":[107],"formalizing":[108],"evidence":[110],"life":[111],"cycle,":[112],"together":[113],"practical":[116],"implementation":[117],"using":[118],"Nix":[119],"Intel":[121],"TDX.":[122],"Experimental":[123],"results":[124],"show":[125],"artifact":[127],"is":[129],"reduced":[130],"from":[131],"redundant":[132],"computation":[133],"lightweight":[135],"signature":[136],"policy":[138],"checks.":[139],"These":[140],"findings":[141],"demonstrate":[142],"establish":[147],"scalable":[148],"digital":[153],"infrastructure,":[154],"effectively":[155],"amortizing":[156],"initial":[158],"computational":[159],"overhead":[160],"introduced":[161],"TEEs.":[163]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-05-22T00:00:00"}