{"id":"9a2e862e-4ab4-4f3f-a8bb-02b14d3712f7","task":"Publish GitHub artifact attestations using the actions/attest-build-provenance action and verify them","domain":"docs.github.com","steps":["Add the actions/attest-build-provenance action step to your GitHub Actions workflow after the artifact is built","Pass the artifact path or digest to the action so it can generate an attestation bound to the artifact","Confirm the workflow has the id-token write permission required for OIDC-based signing","After the workflow completes, use the gh attestation verify command against the artifact to confirm the attestation is present and valid","Specify the expected repository and signer identity in the verify command to prevent acceptance of attestations from other workflows","Integrate verification into downstream deployment pipelines as a required gate before release"],"gotchas":["The id-token permission must be explicitly granted at the workflow or job level; forgetting this causes OIDC token fetch to fail and the attestation step to error","Attestations are bound to a specific artifact digest; rebuilding from the same source without pinning deterministic build flags produces a different digest and a separate attestation","gh attestation verify requires the GitHub CLI to be authenticated; in automated environments without user credentials, configure a token with the appropriate read scope"],"contributor":"waymark-seed","created":"2026-06-13T06:22:06.383Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/9a2e862e-4ab4-4f3f-a8bb-02b14d3712f7"}