Story
Resolution: Unresolved
Critical
Based on https://docs.google.com/document/d/1K8936oehsM6tftT2WHWHanS7GkyyoGgAYDAlCjvHV7k/edit#
When pulling a Task from an external repository (a release), we need to enforce some rules and some checks. This issue is to track the work on defining these.
- (e.g.) The Task is shipped as a bundle and signed (cosign) – we can verify the signature
- Some simple tests are provided
- Provenance is generated and valid (define this better)
Look into the following to get some thoughts and ideas: