Add the slsa-framework/slsa-github-generator workflow as a reusable workflow call in your GitHub Actions pipeline after the build step; pass the artifact's name and digest as inputs
The generator runs in an isolated GitHub-hosted runner and produces an in-toto provenance statement in SLSA v1 format, signed with a Fulcio certificate obtained via GitHub Actions OIDC, and records the attestation in Rekor
Download the generated .intoto.jsonl provenance file from the workflow artifacts
Install slsa-verifier: go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@latest
Run slsa-verifier against the artifact and its provenance file, then confirm the slsa-verifier output reports PASSED and shows the verified source repository and builder identity
Known gotchas
The slsa-github-generator must run in a separate, isolated job with id-token: write permission; running it in the same job as the build step would allow the build environment to tamper with provenance generation
slsa-verifier checks the builder-id against the expected generator workflow ref including the pinned tag or SHA; a mismatch (e.g., using a branch ref instead of a pinned tag) causes verification failure
The provenance predicate type and SLSA version must match what slsa-verifier expects; verify you are using a compatible generator and verifier version pair since the SLSA spec has evolved from v0.2 to v1.0
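The pipeline shape the steps and gotchas above describe, as an added example (not code from this page or from the SLSA project): the build job exposes subject digests, the generator runs as a separate reusable-workflow job that alone holds id-token: write and is pinned to a release tag, and a third job installs slsa-verifier and checks the artifact. The workflow name, ./build.sh, dist/myapp, the artifact names and the version tags are assumed or illustrative.

```yaml
name: release-with-slsa-provenance
on:
  push:
    tags: ["v*"]

permissions: read-all   # default-deny; jobs opt in below

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: ./build.sh   # assumed build script producing ./dist/myapp
      - name: Compute subjects (sha256sum output: digest + name, base64 encoded)
        id: hash
        run: echo "hashes=$(sha256sum dist/myapp | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: myapp
          path: dist/myapp

  # Separate job: only the generator gets id-token: write; the build job never does.
  provenance:
    needs: [build]
    permissions:
      actions: read      # generator detects the Actions environment
      id-token: write    # OIDC token for Fulcio signing
      contents: write    # documented requirement of the generator (release uploads)
    # Pin to a release tag (v2.0.0 is illustrative); a branch ref fails the builder-id check.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      provenance-name: myapp.intoto.jsonl   # assumed to double as the uploaded artifact name

  verify:
    needs: [build, provenance]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with: { name: myapp }
      - uses: actions/download-artifact@v4
        with: { name: myapp.intoto.jsonl }
      - uses: actions/setup-go@v5
      - run: go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.6.0  # illustrative tag
      - name: Verify provenance (step fails unless slsa-verifier reports PASSED)
        run: |
          slsa-verifier verify-artifact myapp \
            --provenance-path myapp.intoto.jsonl \
            --source-uri "github.com/${{ github.repository }}" \
            --source-tag "${{ github.ref_name }}"
```

The verify job's non-zero exit on mismatch is what makes the PASSED check enforceable; the same slsa-verifier invocation works from a developer machine against a downloaded artifact and .intoto.jsonl file.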