Add the actions/attest-build-provenance action step to your GitHub Actions workflow after the artifact is built
Pass the artifact to the action as a path (subject-path) or as a digest plus name (subject-digest and subject-name) so the attestation is bound to that exact artifact; the subject must be the same bytes you later ship and verify
Confirm the job has the permissions the action needs: id-token: write for the OIDC token used in Sigstore signing, and attestations: write so the generated attestation can be stored in the repository's attestation API (any explicit permissions block resets unlisted permissions to none, so add contents: read as well if the job checks out code)
After the workflow completes, use the gh attestation verify command against the artifact to confirm the attestation is present and valid
Pin the verification to the expected source: pass --repo (or --owner) for the repository that built the artifact and --signer-workflow (or --cert-identity) for the workflow that signed it, so an attestation issued by a different repository or workflow is rejected even though it is a valid Sigstore signature
Integrate verification into downstream deployment pipelines as a required gate before release
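The complete procedure above as one workflow, written here as an added example (it is not the page's code or the actions/attest-build-provenance project's own example). It assumes a repository whose build output is dist/app.tar.gz, a workflow file named release.yml, and a deploy script at scripts/deploy.sh; the tar flags make the archive reproducible on GNU tar so a rebuild from the same commit yields the same digest.

```yaml
# Added example, not from the page: attest a build, then gate deployment on
# verification. Assumed: artifact dist/app.tar.gz, this file lives at
# .github/workflows/release.yml, and scripts/deploy.sh exists.
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: read          # workflow-level default; jobs add only what they need

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # OIDC token for Sigstore signing (gotcha 1 if missing)
      attestations: write   # store the attestation in GitHub's attestation API
    steps:
      - uses: actions/checkout@v4

      - name: Build artifact (reproducibly, GNU tar)
        run: |
          mkdir -p dist
          # Fixed mtime, sorted entries, numeric owner and gzip -n (no name/timestamp
          # in the gzip header) so the digest depends only on the source tree.
          tar --sort=name --mtime='1970-01-01 00:00:00 UTC' \
              --owner=0 --group=0 --numeric-owner \
              -cf - src | gzip -n > dist/app.tar.gz

      - name: Attest build provenance
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/app.tar.gz   # attestation is bound to this file's digest

      - uses: actions/upload-artifact@v4
        with:
          name: app
          path: dist/app.tar.gz

  deploy:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      attestations: read    # enough to fetch the attestation; no write needed here
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: app         # yields app.tar.gz in the workspace

      - name: Verify provenance before deploying
        env:
          GH_TOKEN: ${{ github.token }}   # gh queries the attestation API (gotcha 3)
        run: |
          # Fail closed: a non-zero exit here stops the job before Deploy runs.
          # --repo and --signer-workflow reject attestations from any other
          # repository or workflow, even if they are validly signed.
          gh attestation verify app.tar.gz \
            --repo "${GITHUB_REPOSITORY}" \
            --signer-workflow "${GITHUB_REPOSITORY}/.github/workflows/release.yml"

      - name: Deploy
        run: ./scripts/deploy.sh app.tar.gz   # assumed deploy script
```

The deploy job never needs id-token or attestations: write; keeping its permissions to read only means a compromised deploy step cannot mint attestations of its own. If the verifier runs outside GitHub Actions, replace github.token with a token that has read access to the repository, or run gh attestation verify with --bundle against a bundle saved earlier by gh attestation download.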
Known gotchas
The id-token: write permission must be granted explicitly at the workflow or job level; if it is missing, the OIDC token request fails and the attestation step errors out. The same applies to attestations: write, without which signing succeeds but storing the attestation in GitHub's attestation API fails. Note that declaring any permissions block sets every unlisted permission to none, so list every permission the job uses.
An attestation is bound to one artifact digest. Rebuilding from the same commit only reproduces that digest if the build is reproducible (pinned toolchain, fixed timestamps, stable file ordering, no embedded build IDs); otherwise the rebuilt artifact has a new digest, the earlier attestation does not cover it, and each build must attest its own output. Verifying a rebuilt artifact against an older attestation fails by design.
gh attestation verify fetches the attestation from the GitHub API, so the CLI must be authenticated. In GitHub Actions set GH_TOKEN to github.token; in other automated environments supply a token with read access to the repository. For offline or air-gapped verification, save the attestation with gh attestation download and verify with --bundle instead of calling the API.