How to Verify Build Provenance With the gh CLI
gh attestation verify confirms an artifact was built by the workflow you expect before it is deployed.
Use gh attestation verify (or cosign verify-attestation) against the artifact or image, pinning --repo to the source repository. Verification fails if the provenance is missing or was produced by a different workflow.
Steps
- Install the
ghCLI (present on GitHub-hosted runners). - Run
gh attestation verifyon the artifact path oroci://image. - Pin
--repo OWNER/REPOand fail the job on non-zero exit.
Terminal
Terminal
gh attestation verify dist/app.tar.gz --repo OWNER/REPO
# For an image by digest:
gh attestation verify oci://ghcr.io/OWNER/REPO@sha256:DIGEST \
--repo OWNER/REPOGotchas
- Verify against the digest, not a tag, so a moved tag cannot slip past the check.
- Run verification in a separate gate job before deploy so an unverified artifact never reaches production.
Related guides
How to Add Build Provenance With attest-build-provenanceEmit signed SLSA build provenance for an artifact in GitHub Actions with actions/attest-build-provenance, rec…
How to Enforce a Verify-Before-Deploy Policy GateAdd a policy gate job that verifies signatures and provenance before any deploy job runs in GitHub Actions, s…