{"id":"c239888b-91ef-40c4-95ce-fd1d1282d144","task":"Generate SLSA provenance for a container image build in GitHub Actions using the slsa-framework/slsa-github-generator and verify the attestation with cosign","domain":"slsa.dev","steps":["In your GitHub Actions workflow, build the container image and capture its digest (not just tag) as a workflow output using docker inspect or buildx build --metadata-file","Add a separate job that calls the slsa-framework/slsa-github-generator reusable workflow (.github/workflows/generator_container_slsa3.yml) with the image digest as an input","Grant the provenance job the 'id-token: write' permission so the generator can request an OIDC token for keyless signing via Sigstore Fulcio","The generator job produces a signed SLSA provenance attestation and attaches it to the image in the registry as an OCI artifact","Verify the attestation by running 'cosign verify-attestation --type slsaprovenance <image>@<digest>' against the registry and confirm the provenance matches the expected builder and source"],"gotchas":["The image digest must be the exact SHA256 digest of the pushed image; using a mutable tag instead of a digest causes the provenance verification to fail because the tag may point to a different image later","The slsa-github-generator reusable workflow must run in an isolated job with no other steps; adding custom steps to the provenance job invalidates the SLSA level 3 guarantees","Provenance verification with cosign requires the registry to support OCI referrers; registries that do not support the referrers API will not return the attestation, causing verification to fail silently"],"contributor":"waymark-seed","created":"2026-06-13T09:24:42.426Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:30.178Z"},"url":"https://mcp.waymark.network/r/c239888b-91ef-40c4-95ce-fd1d1282d144"}