In your GitHub Actions workflow, build the artifact in an initial job and compute its SHA256 hash, then output the artifact name and hash as job outputs for consumption by the provenance job
Add a provenance generation job that calls the reusable workflow: uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v<VERSION> passing subjects: <NAME>:<SHA256> as an input
Pin the reusable workflow to a specific release tag (e.g., v2.0.0) rather than a mutable branch ref; the slsa-github-generator documentation recommends pinning to immutable SHAs or signed release tags for supply chain integrity
The provenance job uploads the provenance file as a workflow artifact; also configure the upload-assets step to attach both the artifact and the provenance to a GitHub release, using the gh CLI or the softprops/action-gh-release action
Verify the generated provenance using slsa-verifier: slsa-verifier verify-artifact <ARTIFACT_FILE> --provenance-path <PROVENANCE_FILE> --source-uri github.com/<OWNER>/<REPO>
Known gotchas
The slsa-github-generator reusable workflow must run in a separate isolated job from the build job; if build and provenance generation are in the same job, the isolation requirement for SLSA Level 3 is not met and the level cannot be claimed
The subjects input to the generic workflow must be formatted as a newline-separated list of name:sha256hex pairs; incorrect formatting causes the provenance job to fail with an unhelpful parse error
Pinning to a tag rather than a commit SHA is acceptable when the tag is associated with a signed release; the slsa-github-generator project signs its release artifacts, allowing tag integrity to be independently verified
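The steps above and the three gotchas, as one added example workflow (not code from this page or from the slsa-github-generator project). Assumptions: the repository builds with `make dist` into `dist/myapp.tar.gz`, the artifact and provenance names (`myapp`, `myapp.intoto.jsonl`) are chosen here, and the slsa-verifier installer action is pinned to a tag of that project. One caveat the example follows: the generic generator's documented input is `base64-subjects`, the base64-encoded output of `sha256sum` (one `<sha256hex>  <name>` line per file), so the build job produces that string rather than a raw name:hash list.

```yaml
name: release-with-slsa3-provenance

on:
  push:
    tags: ["v*"]          # a tag push such as v1.2.3 triggers a release build

permissions: read-all     # default deny; each job requests only what it needs

jobs:
  # Job 1: build the artifact and emit the subjects string as a job output.
  build:
    runs-on: ubuntu-latest
    outputs:
      subjects: ${{ steps.subjects.outputs.subjects }}
    steps:
      - uses: actions/checkout@v4
      - name: Build artifact
        run: make dist                     # assumption: produces dist/myapp.tar.gz
      - name: Compute sha256 subjects
        id: subjects
        # The generator expects the base64-encoded output of sha256sum
        # ("<hex sha256>  <file name>", one line per subject); a malformed
        # string only surfaces as a parse error in the provenance job.
        run: |
          set -euo pipefail
          cd dist
          echo "subjects=$(sha256sum myapp.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
      - name: Upload artifact for later jobs
        uses: actions/upload-artifact@v4
        with:
          name: myapp
          path: dist/myapp.tar.gz
          if-no-files-found: error

  # Job 2: provenance is generated in its own job by the reusable workflow,
  # never inside the build job; that isolation is what SLSA Level 3 requires.
  provenance:
    needs: [build]
    permissions:
      actions: read     # read the workflow path
      id-token: write   # sign the provenance with Sigstore
      contents: write   # attach the provenance to the release
    # Pin to a release tag (v2.0.0, as on this page) or a full commit SHA,
    # never to a mutable branch ref.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.build.outputs.subjects }}"
      provenance-name: myapp.intoto.jsonl
      upload-assets: true   # provenance is attached to the release for this tag

  # Job 3: attach the artifact itself to the same release with the gh CLI.
  release:
    needs: [build, provenance]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: myapp
      - name: Upload artifact to release
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
        # Assumes the release for this tag already exists (created by the
        # provenance job's upload-assets step); --clobber makes reruns idempotent.
        run: gh release upload "$GITHUB_REF_NAME" myapp.tar.gz --clobber

  # Job 4: verify the provenance against the artifact before trusting either.
  verify:
    needs: [build, provenance]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: myapp
      # Assumes the generator uploaded the provenance as a workflow artifact
      # named after provenance-name.
      - uses: actions/download-artifact@v4
        with:
          name: myapp.intoto.jsonl
      - uses: slsa-framework/slsa-verifier/actions/installer@v2.4.1
      - name: Verify provenance
        env:
          SOURCE_URI: github.com/${{ github.repository }}
        run: |
          set -euo pipefail
          slsa-verifier verify-artifact myapp.tar.gz \
            --provenance-path myapp.intoto.jsonl \
            --source-uri "$SOURCE_URI" \
            --source-tag "$GITHUB_REF_NAME"
```

The build, provenance, release and verify stages are separate jobs so the provenance job only ever sees the hashes handed to it as outputs; the verify job fails the run if the artifact or provenance were swapped after the build, which is the check a consumer would run locally with the slsa-verifier command shown earlier.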