Release
Artifact Attestations public beta
Create a tamper-proof papertrail for anything you build on Actions
Artifact Attestations lets you sign builds in GitHub Actions, capturing provenance information about the artifact and making it verifiable from anywhere. There are no keys or PKI to manage, and verification happens with the GitHub CLI tool. The solution is based on Sigstore, an open source project that simplifies signing for software artifacts.
To add provenance to a GitHub Actions workflow, you just need to invoke the new attest-build-provenance Action with the path to an artifact. Here’s a simple example:
permissions:
id-token: write
contents: read
attestations: write
#
# (build your artifact)
#
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-path: 'PATH/TO/ARTIFACT'
permissions:
id-token: write
contents: read
attestations: write
#
# (build your artifact)
#
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-path: 'PATH/TO/ARTIFACT'
Then verify it with the CLI tool:
gh attestation verify PATH/TO/ARTIFACT -o myorganization
gh attestation verify PATH/TO/ARTIFACT -o myorganization
To learn more check out the blog and join the discussion in the GitHub Community.