How to Generate SLSA Build Provenance in GitHub Actions
attest-build-provenance generates a signed SLSA provenance statement that ties an artifact digest to the workflow, commit, and runner that produced it.
Build the artifact, then run actions/attest-build-provenance with the subject path. It signs keyless via Sigstore, so grant id-token: write and attestations: write.
Steps
- Build the release artifact in the job.
- Grant
id-token: writeandattestations: write. - Run
actions/attest-build-provenancewithsubject-path.
Workflow
.github/workflows/ci.yml
permissions:
id-token: write
attestations: write
contents: read
jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: ./build.sh # produces dist/app.tar.gz
- uses: actions/attest-build-provenance@v2
with:
subject-path: ./dist/app.tar.gzGotchas
- Provenance binds the artifact digest; any post-attest change invalidates it.
- For container images use
subject-nameplussubject-digestinstead of a path.
Related guides
How to Verify a Provenance Attestation Before Deploy in GitHub ActionsVerify a SLSA provenance attestation in GitHub Actions with gh attestation verify before deploying, confirmin…
How to Generate and Attest an SBOM in GitHub ActionsProduce an SPDX SBOM with anchore/sbom-action in GitHub Actions and bind it to your build with actions/attest…