Skip to content
Latchkey

GitHub Actions Attestation Fails - attestations / id-token write

Generating build provenance with actions/attest-build-provenance fails because the job lacks attestations: write (to record the attestation) or id-token: write (to sign it via OIDC).

What this error means

The attestation step fails with a permissions error, unable to create the attestation or to mint the signing token.

Actions log
Error: Failed to persist attestation: Resource not accessible by integration
# missing attestations: write (and/or id-token: write)

Common causes

Missing attestations: write

Recording a provenance attestation against the repository requires attestations: write, which the read-only default token lacks.

Missing id-token: write for signing

Provenance signing uses OIDC, so the job also needs id-token: write to obtain the signing identity.

How to fix it

Grant attestations and id-token write

Add both permissions (plus contents: read) to the job that attests a build artifact.

.github/workflows/release.yml
permissions:
  attestations: write
  id-token: write
  contents: read
steps:
  - uses: actions/attest-build-provenance@v1
    with:
      subject-path: dist/app.tar.gz

Confirm the subject and scope

  1. Point subject-path (or subject-name/digest) at the artifact you built.
  2. Keep the attest step in the same job that produced the artifact.
  3. Use least-privilege: grant these scopes only on the attesting job.

How to prevent it

  • Declare attestations: write and id-token: write on attestation jobs.
  • Attest the exact artifact you publish.
  • Scope the write permissions to the attesting job only.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →