Clarification on "build recipe" vs resolved build dependencies

[lcarva]

Certain build systems generate the SLSA Provenance by including a reference to the "build recipe". For example, GitHub's recommendation includes a reference to the workflow:

$ < att.json jq '.dsseEnvelope.payload | @base64d | fromjson | .predicate.buildDefinition.externalParameters'
{
  "workflow": {
    "ref": "refs/heads/main",
    "repository": "https://github.com/lcarva/festoji",
    "path": ".github/workflows/package.yaml"
  }
}

The actual git commit reference can be found under resolvedDependencies:

$ < foo.json jq '.dsseEnvelope.payload | @base64d | fromjson | .predicate.buildDefinition.resolvedDependencies'
[
  {
    "uri": "git+https://github.com/lcarva/festoji@refs/heads/main",
    "digest": {
      "gitCommit": "321b18f68d87cfca8b6723f805057e48317b929e"
    }
  }
]

As a verifier, I'm interested in knowing the exact steps used in that workflow. I can look at its definition for that information. There are some challenges with this approach:

1. Some steps have conditionals around them. I need to resolve variables and process expressions in order to understand which steps actually executed.
2. Some steps use a non-deterministic git reference, e.g. branch or tag. I would need to use heuristics, taking into account time and git history of each action, to guess which commit ID was used when the workflow executed.

What is the guidance for the level of granularity that should be included in the SLSA Provenance? Should it contain the exact steps that were actually executed? Should it contain the resolved reference of each action?

NOTE: I'm using GitHub as a case-study due to its popularity.