Bumps [markdownlint-cli](https://github.com/igorshubovych/markdownlint-cli) from 0.27.1 to 0.28.1.
- [Release notes](https://github.com/igorshubovych/markdownlint-cli/releases)
- [Commits](https://github.com/igorshubovych/markdownlint-cli/compare/v0.27.1...v0.28.1

)

---
updated-dependencies:
- dependency-name: markdownlint-cli
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>

Document some SLSA use cases

Use .markdownlintignore.

This allows us to automatically ignore all gitignore'd files, rather
than having to maintain the patterns in package.json.

new folder for community members to submit case studies

Remove version comments from pinned actions.

Dependabot automated version bumps only update the hash, not the
comment, so the comment is likely to get stale. Example: #102.

Bump actions/setup-node from 2.2.0 to 2.3.0

choke-point doesn't sound nice.  control-point gets the same idea across.

adding a new folder for community members to submit their own case studies trying to reach SLSA levels

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 2.2.0 to 2.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/38d90ce44d5275ad62cc48384b3d8a58c500bb5f...aa759c6c94d3800c55b8601f21ba4b2371704cb7

)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>

Weren't enough spaces after the list numbers.

Hopefully this will also make it happy with the sublist.

Still very much draft.  Lots of work left to do.

Explicitly allow multiple provenance hashes

Lay disallowance emphasis on RFC2119 MUST NOT

Joshuagl/more markdown

Reformat the attacks table, fix link to reqs.

Fix typo within case study (SLSA 3 -> 4)

Fixes #89. Thanks to @rtmorgan for reporting.

In the "How SLSA could have helped" column of the row describing threat D
"Compromise build platform" instead of linking to the generic requirements
document, link directly to the build requirements section.

Add word "later" to brief description of event-stream attack to better
indicate that the attacker was deliberate and patient.

Have dependabot keep npm modules up-to-date also

As we now keep npm packaging metadata in the repository, have dependabot
monitor it and notify of updates.
Signed-off-by: Joshua Lock <jlock@vmware.com>

This makes the table easier to maintain. Although the long lines are
annoying, we get the benefit of not having to deal with HTML.

Reformat the attacks table to make it easier to maintain:
- Remove unnecessary closing `tr` and `td` tags.
- Merge short columns onto one line.
- Separate each row with a blank line.
- Break lines at natural boundaries.

Fix a stale link to build-requirements.md, which (a) was an absolute
link instead of relative, (b) pointed to a file that has since been
deleted, and (c) didn't work on slsa.dev since the jekyll-relative-links
plugin only works on Markdown links, not HTML links.

Set up `npm run lint` to call markdownlint.

This makes it easier for other developers to run markdownlint, and
checking in package-lock.json ensures that we're all using the same
version.

Futhermore, this commit calls `npm run lint` directly instead of using
the GitHub Action because the action doesn't seem to be working.