Skip to content
Latchkey

How to Generate SLSA Build Provenance in GitHub Actions

attest-build-provenance generates a signed SLSA provenance statement that ties an artifact digest to the workflow, commit, and runner that produced it.

Build the artifact, then run actions/attest-build-provenance with the subject path. It signs keyless via Sigstore, so grant id-token: write and attestations: write.

Steps

  • Build the release artifact in the job.
  • Grant id-token: write and attestations: write.
  • Run actions/attest-build-provenance with subject-path.

Workflow

.github/workflows/ci.yml
permissions:
  id-token: write
  attestations: write
  contents: read
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh   # produces dist/app.tar.gz
      - uses: actions/attest-build-provenance@v2
        with:
          subject-path: ./dist/app.tar.gz

Gotchas

  • Provenance binds the artifact digest; any post-attest change invalidates it.
  • For container images use subject-name plus subject-digest instead of a path.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →