github · GitHub Actions Docs
Actions Using artifact attestations to establish provenance for builds - GitHub Docs
Teaches how to implement artifact attestations within GitHub Actions to create cryptographically signed provenance for build artifacts.
Derived skill
Files assembled from official documentation
When To Use
Use when you need to generate and attach verifiable provenance metadata to build artifacts to ensure supply chain security.
Reference Files
| File | Contains | Use For |
|---|---|---|
| SKILL.md | Entry point: scope, routing table, and workflow. | Start here. |
| docs/actions-how-tos-secure-your-work-using-artifact-attestations-to-establis-workflow-guide.md | A guide explaining how to use GitHub Actions artifact attestations to establish build provenance. | Questions about a guide explaining how to use GitHub Actions artifact attestations to establish build provenance. |
| examples/actions-how-tos-secure-your-work-using-artifact-attestations-to-establis.text | A YAML configuration snippet defining the required permissions for GitHub Actions to write id-tokens and attestations for build provenance. | Exact payloads, commands, or snippets shown in A YAML configuration snippet defining the required permissions for GitHub Actions to write id-tokens and attestations... |
| examples/actions-how-tos-secure-your-work-using-artifact-attestations-to-establis-2.text | A GitHub Actions workflow configuration demonstrating how to generate artifact attestations using the actions/attest action. | Exact payloads, commands, or snippets shown in A GitHub Actions workflow configuration demonstrating how to generate artifact attestations using the actions/attest... |
| examples/actions-how-tos-secure-your-work-using-artifact-attestations-to-establis-3.text | A YAML configuration snippet defining the required GITHUB_TOKEN permissions for generating artifact attestations within a GitHub Actions workflow. | Exact payloads, commands, or snippets shown in A YAML configuration snippet defining the required GITHUB_TOKEN permissions for generating artifact attestations withi... |
| examples/actions-how-tos-secure-your-work-using-artifact-attestations-to-establis-4.text | A GitHub Actions workflow configuration demonstrating how to generate artifact attestations using the actions/attest action. | Exact payloads, commands, or snippets shown in A GitHub Actions workflow configuration demonstrating how to generate artifact attestations using the actions/attest... |
| examples/actions-how-tos-secure-your-work-using-artifact-attestations-to-establis-5.text | A GitHub Actions workflow step demonstrating how to use the actions/attest action to generate an SBOM attestation for a build artifact. | Exact payloads, commands, or snippets shown in A GitHub Actions workflow step demonstrating how to use the actions/attest action to generate an SBOM attestation for... |
| examples/actions-how-tos-secure-your-work-using-artifact-attestations-to-establis-6.text | A GitHub Actions workflow snippet demonstrating how to use the actions/attest action to generate and push an SBOM attestation to a registry. | Exact payloads, commands, or snippets shown in A GitHub Actions workflow snippet demonstrating how to use the actions/attest action to generate and push an SBOM att... |
| examples/actions-how-tos-secure-your-work-using-artifact-attestations-to-establis-7.text | A CLI command demonstrating how to use the GitHub CLI to verify artifact attestations for a build artifact within a specific repository. | Exact payloads, commands, or snippets shown in A CLI command demonstrating how to use the GitHub CLI to verify artifact attestations for a build artifact within a s... |
| examples/actions-how-tos-secure-your-work-using-artifact-attestations-to-establis-8.text | A command line example demonstrating how to verify an OCI artifact attestation using the GitHub CLI. | Exact payloads, commands, or snippets shown in A command line example demonstrating how to verify an OCI artifact attestation using the GitHub CLI. |
| examples/actions-how-tos-secure-your-work-using-artifact-attestations-to-establis-9.text | A CLI command example using the GitHub CLI to verify the provenance of a build artifact using an SPDX predicate. | Exact payloads, commands, or snippets shown in A CLI command example using the GitHub CLI to verify the provenance of a build artifact using an SPDX predicate. |
| examples/actions-how-tos-secure-your-work-using-artifact-attestations-to-establis-10.text | A CLI command example using the GitHub CLI to verify artifact attestations with a specific predicate type and JSON output format. | Exact payloads, commands, or snippets shown in A CLI command example using the GitHub CLI to verify artifact attestations with a specific predicate type and JSON ou... |
What This Skill Covers
- GitHub Actions / How-tos / Secure your work / Use artifact attestations / Use artifact attestations
- Main sections: Who can use this feature?, In this article, Prerequisites, Generating artifact attestations for your builds, Generating build provenance for binaries.
Workflow
- Open the most relevant file under docs/ for the exact documented workflow and wording.
- Open schemas/ files for exact structured contracts.
- Open examples/ files for concrete requests, commands, snippets, and manifests.
- Do not add behavior or configuration that is not present in the attached source files.
Canonical source: https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations
