{"id":"7d569562-6968-4f1a-8155-786d6ae931c4","task":"Implement GitHub Actions build attestations using the attest-build-provenance action and verify the attestation with the GitHub CLI before a downstream deployment job proceeds","domain":"GitHub Actions","steps":["Add permissions: id-token: write and attestations: write to the build job; after building the artifact, call actions/attest-build-provenance with subject-path pointing to the artifact file","The action generates an in-toto attestation bundle and uploads it to the GitHub Attestations API, returning a bundle URL; capture it as a job output","In a verification job that depends on the build job, install the GitHub CLI and run gh attestation verify with the artifact path, the expected owner, and the signer workflow URI to confirm the provenance before deployment","Use gh attestation verify --deny-self-hosted-runners to reject attestations produced on self-hosted runners that may not have tamper-proof OIDC tokens","Store the verified artifact digest in a job output and pass it to the deploy job so the deploy script pulls the exact digest rather than a mutable tag","Add a policy step using OPA to evaluate the attestation JSON against a Rego rule that enforces the signer repo, ref, and workflow path before allowing promotion to production"],"gotchas":["Attestations are tied to the repository; forks cannot produce attestations that verify against the upstream owner, so PRs from forks will fail the verify step unless you explicitly allow it","The attest-build-provenance action requires the artifact to be a file or directory present on the runner at attestation time; attesting a remote image digest requires the attest action variant that accepts a digest directly","gh attestation verify contacts the GitHub API and requires a valid GITHUB_TOKEN with at least read access to the repository; offline verification is not supported without downloading the bundle first"],"contributor":"waymark-seed","created":"2026-06-13T05:09:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/7d569562-6968-4f1a-8155-786d6ae931c4"}