
Add SLSA Level 3 and 4 verified history check  #484

@Yao-Wen-Chang

Description


Design Plan:

  • Only the merge and the linear commits of the user-defined branch will be considered in the check.
  • If the user does not supply a branch name, the check will be performed on all branches in the repository.
  • [Issue] Currently, the check is unable to check 2FA, since the GitHub API does not allow fetching a user's 2FA status.
  • SLSA specification

Every change in the revision’s history has at least one strongly authenticated actor identity (author, uploader, reviewer, etc.) and timestamp. It MUST be clear which identities were verified, and those identities MUST use two-step verification or similar. (Exceptions noted below.)

[First-parent history] In the case of a non-linear version control system, where a revision can have more than one parent, only the “first parent history” is in scope. In other words, when a feature branch is merged back into the main branch, only the merge itself is in scope.
[Historical cutoff] There is some TBD exception to allow existing projects to meet SLSA 3/4 even if historical revisions were present in the history. Current thinking is that this could be either last N months or a platform attestation guaranteeing that future changes in the next N months will meet the requirements.
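As an added example (not this issue's or Macaron's own code): a first-parent walk over a constructed commit graph that applies the verified-history rule above, so a merge commit is in scope but the merged feature commits are not. The `verified_identities` field and the optional `cutoff` parameter (a stand-in for the spec's still-TBD "last N months" exception) are assumptions; 2FA status is not modelled, for the reason the issue gives.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

@dataclass
class Commit:
    sha: str
    parents: List[str]             # parents[0] is the first parent
    timestamp: Optional[datetime]  # committer timestamp, None if missing
    # Identities the platform vouches for on this revision (e.g. a verified
    # signature). Assumption: filled in by the caller; 2FA status is not
    # modelled because the GitHub API does not expose it.
    verified_identities: List[str] = field(default_factory=list)

def first_parent_history(commits: Dict[str, Commit], head: str) -> List[Commit]:
    """Follow parents[0] from head: merges are in scope, merged branches are not."""
    history, sha = [], head
    while sha is not None:
        commit = commits[sha]
        history.append(commit)
        sha = commit.parents[0] if commit.parents else None
    return history

def check_verified_history(commits, head, cutoff=None) -> Tuple[bool, List[str]]:
    """Every in-scope revision needs a timestamp and >= 1 verified identity.
    cutoff (assumption, after the spec's 'last N months' idea): revisions dated
    before it are skipped; a revision with no timestamp is never skipped."""
    failing = []
    for commit in first_parent_history(commits, head):
        if commit.timestamp is None:
            failing.append(commit.sha)
        elif cutoff is not None and commit.timestamp < cutoff:
            continue
        elif not commit.verified_identities:
            failing.append(commit.sha)
    return not failing, failing

def _ts(day: int) -> datetime:
    return datetime(2023, 1, day, tzinfo=timezone.utc)

# Constructed sample: main is c0 <- c1 <- m, where m merges feature commit f1
# (unverified) into c1. f1 is reachable only via m's second parent, so it is
# out of scope under the first-parent rule.
SAMPLE = {
    "c0": Commit("c0", [], _ts(1), ["alice"]),
    "c1": Commit("c1", ["c0"], _ts(2), ["alice"]),
    "f1": Commit("f1", ["c1"], _ts(3), []),
    "m": Commit("m", ["c1", "f1"], _ts(4), ["bob"]),
}
```

Running the check from `m` passes even though `f1` is unverified, while running it from `f1` itself fails; a real implementation would populate the graph from `git log --first-parent` and the platform's signature/identity data.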

Labels: checks (The issues related to Macaron checks)