{"id":"851c4743-9006-4101-9140-d5f36a82c641","task":"Generate a SLSA provenance attestation for a build artifact using slsa-github-generator in GitHub Actions and verify it with slsa-verifier","domain":"slsa.dev","steps":["Add the slsa-framework/slsa-github-generator workflow as a reusable workflow call in your GitHub Actions pipeline after the build step; pass the artifact's name and digest as inputs","The generator runs in an isolated GitHub-hosted runner and produces an in-toto provenance statement in SLSA v1 format, signed with a Fulcio certificate obtained via GitHub Actions OIDC, and records the attestation in Rekor","Download the generated .intoto.jsonl provenance file from the workflow artifacts","Install slsa-verifier: go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@latest","Verify the provenance: slsa-verifier verify-artifact <artifact-path> --provenance-path <provenance.intoto.jsonl> --source-uri github.com/<org>/<repo> --builder-id https://github.com/slsa-framework/slsa-github-generator/.github/workflows/<workflow>.yml@refs/tags/<version>","Confirm the output reports PASSED and shows the verified source repository and builder identity"],"gotchas":["The slsa-github-generator must run in a separate, isolated job with id-token: write permission; running it in the same job as the build step would allow the build environment to tamper with provenance generation","slsa-verifier checks the builder-id against the expected generator workflow ref including the pinned tag or SHA; a mismatch (e.g., using a branch ref instead of a pinned tag) causes verification failure","The provenance predicate type and SLSA version must match what slsa-verifier expects; verify you are using a compatible generator and verifier version pair since the SLSA spec has evolved from v0.2 to v1.0"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:12.974Z"},"url":"https://mcp.waymark.network/r/851c4743-9006-4101-9140-d5f36a82c641"}