Agent GitHub Actions Artifact Attestations and Provenance

Status: public · Confidence: medium (0.685) · Basis: verified_sources

## TL;DR

GitHub artifact attestations give agents provenance evidence for build outputs, so a binary, container image, or release bundle can be checked against the workflow that produced it.

## Core Explanation

Build logs can show that a job ran, but they do not by themselves prove that a downloaded artifact came from the expected workflow and source revision. Artifact attestations add a provenance object that an agent can verify before trusting a build output as deployment evidence.

Agents should collect the subject path or image name, digest, repository, run URL, workflow permissions, OIDC status, builder identity, and verification command output. A failed attestation check should be treated as a supply-chain signal, not just a missing CI artifact.
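The evidence-collection step above, as an added example that is not part of the original page or of GitHub's tooling: it takes the in-toto provenance statement that `gh attestation verify --format json` returns after Sigstore signature verification has already passed (assumed; this code does no signature checking itself), recomputes the artifact digest, and compares repository, workflow path and builder identity against what the agent expects. The statement below is constructed; its field layout follows SLSA v1 provenance as emitted by actions/attest-build-provenance (an assumption), and the repository and run URL are placeholders.

```python
import hashlib

# Constructed sample artifact and statement (not real build output).
ARTIFACT = b"release-bundle-contents\n"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app-linux-amd64",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/tags/v1.2.3",
                "repository": "https://github.com/example-org/example-app",
                "path": ".github/workflows/release.yml"}},
        },
        "runDetails": {
            "builder": {"id": "https://github.com/actions/runner/github-hosted"},
            "metadata": {"invocationId":
                "https://github.com/example-org/example-app/actions/runs/123456789/attempts/1"},
        },
    },
}

def check_provenance(statement, artifact, expected_repo, expected_workflow):
    """Build an evidence record; every finding is a supply-chain signal, not a CI gap."""
    findings = []
    digest = hashlib.sha256(artifact).hexdigest()
    attested = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if digest not in attested:  # downloaded bytes are not what the workflow attested
        findings.append(f"subject digest mismatch: local sha256 {digest[:12]} not attested")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        findings.append("unexpected predicateType")
    pred = statement.get("predicate", {})
    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != expected_repo:  # attested by another repo
        findings.append(f"repository {wf.get('repository')!r} != {expected_repo!r}")
    if wf.get("path") != expected_workflow:  # attested by a different workflow file
        findings.append(f"workflow path {wf.get('path')!r} != {expected_workflow!r}")
    run = pred.get("runDetails", {})
    builder = run.get("builder", {}).get("id", "")
    if not builder.startswith("https://github.com/actions/runner/"):
        findings.append(f"unexpected builder id {builder!r}")
    return {"ok": not findings, "digest": digest, "repository": wf.get("repository"),
            "workflow": f"{wf.get('path')}@{wf.get('ref')}", "builder": builder,
            "run_url": run.get("metadata", {}).get("invocationId"), "findings": findings}
```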

## Source-Mapped Facts

- GitHub Docs says artifact attestations increase supply-chain security by establishing where and how software was built. ([source](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds))
- GitHub Docs says generating an artifact attestation requires appropriate workflow permissions and a workflow step that uses the attest action. ([source](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds))
- GitHub Docs says generated artifact attestations establish build provenance and can be viewed in the repository Actions tab. ([source](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds))
- GitHub Docs says binary artifact attestations can be verified with the GitHub CLI `gh attestation verify` command and a repository argument. ([source](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds))
- The actions/attest-build-provenance repository describes the action as generating build provenance attestations for workflow artifacts. ([source](https://github.com/actions/attest-build-provenance))

## Further Reading

- [GitHub Artifact Attestations for Builds](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds)
- [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance)