This repository contains example code for utilising GitHub Artifact Attestations.

`.github/workflows/release.yml` will:

- Build and push the image to GitHub Container Registry
- Generate and publish an SBOM as a GitHub release artifact
- Attest the image and publish the attestation to GitHub's Artifact Attestations API
- Attest the SBOM and publish the attestation to GitHub's Artifact Attestations API
Verify the published image with the GitHub CLI:

```console
$ gh attestation verify oci://ghcr.io/jacobwoffenden/github-attestation-demo:0.0.2 --repo jacobwoffenden/github-attestation-demo
Loaded digest sha256:9bdf1aa55c883efb642bc8448153844e46c5bd0c6d6f8ecfcb81acd33f24a1b7 for oci://ghcr.io/jacobwoffenden/github-attestation-demo:0.0.2
Loaded 2 attestations from GitHub API
✓ Verification succeeded!

sha256:9bdf1aa55c883efb642bc8448153844e46c5bd0c6d6f8ecfcb81acd33f24a1b7 was attested by:
REPO                                    PREDICATE_TYPE                  WORKFLOW
jacobwoffenden/github-attestation-demo  https://cyclonedx.org/bom       .github/workflows/release.yml@refs/tags/0.0.2
jacobwoffenden/github-attestation-demo  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/tags/0.0.2
```

A successful result means each attestation's Sigstore signature and certificate checked out for that digest and repository; the WORKFLOW column also shows which workflow and ref produced each attestation, so a consumer should confirm it is the expected release workflow at a tag they trust.