LinuxCommandLibrary

gh-attestation

verify artifact attestations and build provenance

TLDR

Verify an artifact's attestation
$ gh attestation verify [artifact] -R [owner/repo]
Verify with a specific predicate type
$ gh attestation verify [artifact] -R [owner/repo] --predicate-type [https://example.com/predicate/v1]
Verify with a specific bundle file (offline)
$ gh attestation verify [artifact] --bundle [attestation.json]
Verify and deny self-hosted runners
$ gh attestation verify [artifact] -R [owner/repo] --deny-self-hosted-runners
Download attestations
$ gh attestation download [artifact] -R [owner/repo]
Download attestations as JSON
$ gh attestation download [artifact] -R [owner/repo] --format json

SYNOPSIS

gh attestation command [options]

DESCRIPTION

gh attestation verifies artifact attestations using GitHub's artifact attestation feature. It cryptographically validates that artifacts were built in trusted GitHub Actions workflows with SLSA build provenance. Attestations can be verified online against the GitHub API or offline using downloaded bundle files.
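To show what an offline bundle actually carries, here is an added example (not part of gh or of this page) that decodes the DSSE envelope of a downloaded bundle and checks that the embedded in-toto statement names the local artifact's SHA-256 and the expected predicate type. It assumes the Sigstore bundle layout (dsseEnvelope with a base64 payload) and uses a constructed bundle; it does not check the signature or certificate, which remains the job of gh attestation verify.

```python
import base64
import hashlib
import json

# Constructed sample in the shape written by `gh attestation download --format json`
# (assumed layout: Sigstore bundle whose DSSE payload is a base64 in-toto Statement).
# The signature value is a placeholder; nothing here validates it.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": hashlib.sha256(b"demo-artifact").hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
}
SAMPLE_BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.3",
    "dsseEnvelope": {
        "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
        "payloadType": "application/vnd.in-toto+json",
        "signatures": [{"sig": "PLACEHOLDER"}],
    },
})


def decode_statement(bundle_json: str) -> dict:
    """Return the in-toto Statement carried in the bundle's DSSE envelope."""
    envelope = json.loads(bundle_json)["dsseEnvelope"]
    if envelope["payloadType"] != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {envelope['payloadType']}")
    return json.loads(base64.b64decode(envelope["payload"]))


def subject_matches(statement: dict, artifact: bytes, expected_predicate: str) -> bool:
    """True if the statement covers this exact artifact with the expected predicate.

    This inspects only the claims inside the bundle; the signature and the
    signing certificate still have to be checked by `gh attestation verify`.
    """
    if statement.get("predicateType") != expected_predicate:
        return False
    digest = hashlib.sha256(artifact).hexdigest()
    return any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", []))


if __name__ == "__main__":
    stmt = decode_statement(SAMPLE_BUNDLE)
    print(stmt["predicateType"],
          subject_matches(stmt, b"demo-artifact", "https://slsa.dev/provenance/v1"))
```

A mismatch here means the bundle simply does not describe the file you have; a match is a precondition, not a substitute, for the cryptographic check.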

PARAMETERS

-R, --repo owner/repo
Repository to scope the attestation lookup to.
--bundle file
Path to a local attestation bundle file (for offline verification).
--owner owner
GitHub organization or user to scope the attestation lookup to.
--format format
Output format (json).
--predicate-type type
Verify a specific attestation predicate type (default: https://slsa.dev/provenance/v1).
--signer-repo owner/repo
Repository of the reusable workflow that signed the attestation.
--signer-workflow workflow
Workflow that signed the attestation.
--deny-self-hosted-runners
Fail verification for attestations generated on self-hosted runners.

SUBCOMMANDS

verify
Cryptographically verify an artifact's attestation.
download
Download attestation bundles for offline verification.

SEE ALSO

gh(1), gh-release(1)
