Skip to content
Latchkey

How to Verify Build Provenance With the gh CLI

gh attestation verify confirms an artifact was built by the workflow you expect before it is deployed.

Use gh attestation verify (or cosign verify-attestation) against the artifact or image, pinning --repo to the source repository. Verification fails if the provenance is missing or was produced by a different workflow.

Steps

  • Install the gh CLI (present on GitHub-hosted runners).
  • Run gh attestation verify on the artifact path or oci:// image.
  • Pin --repo OWNER/REPO and fail the job on non-zero exit.

Terminal

Terminal
gh attestation verify dist/app.tar.gz --repo OWNER/REPO

# For an image by digest:
gh attestation verify oci://ghcr.io/OWNER/REPO@sha256:DIGEST \
  --repo OWNER/REPO

Gotchas

  • Verify against the digest, not a tag, so a moved tag cannot slip past the check.
  • Run verification in a separate gate job before deploy so an unverified artifact never reaches production.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →