Merged
4d2ad53
Add GH attestation on release
ViacheslavKudinov Oct 29, 2025
aced599
Merge branch 'main' into maintenance/add-attestation
ViacheslavKudinov Nov 23, 2025
b5c9194
Merge branch 'main' into maintenance/add-attestation
Dec 8, 2025
8ce6580
Add information that attestations are available since v6.9.0
ViacheslavKudinov Dec 8, 2025
5f9d9a5
Merge branch 'main' into maintenance/add-attestation
ViacheslavKudinov Dec 9, 2025
00de37c
Add Cosign verification
ViacheslavKudinov Dec 10, 2025
d032e0a
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Dec 12, 2025
199e2e6
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Dec 12, 2025
3e4e256
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Dec 12, 2025
a03b298
Use ${version} in all the commands
ViacheslavKudinov Dec 12, 2025
c9bb5b6
Add Cosign attestation verification
ViacheslavKudinov Dec 12, 2025
dd90136
Use artifact variable
ViacheslavKudinov Dec 22, 2025
93c9762
Merge branch 'main' into maintenance/add-attestation
ViacheslavKudinov Dec 22, 2025
78de0b3
Merge branch 'main' into maintenance/add-attestation
ViacheslavKudinov Jan 7, 2026
b1d278c
Merge branch 'main' into maintenance/add-attestation
ViacheslavKudinov Jan 16, 2026
a1082cb
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Jan 16, 2026
58a7f7e
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Jan 16, 2026
1c5420e
Update headings and blockquote
ViacheslavKudinov Jan 16, 2026
c6d03e4
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Jan 16, 2026
b30fff1
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Jan 16, 2026
3cd061e
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Jan 16, 2026
3a3fd17
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Jan 16, 2026
c2010ac
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Jan 16, 2026
8184730
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Jan 16, 2026
188c567
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Jan 16, 2026
9fb5298
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Jan 16, 2026
329ea41
Update VERIFY_ATTESTATIONS.md
ViacheslavKudinov Jan 16, 2026
04783a6
Merge branch 'main' into maintenance/add-attestation
ViacheslavKudinov Jan 19, 2026
bbad219
Merge branch 'main' into maintenance/add-attestation
ViacheslavKudinov Feb 2, 2026
48 changes: 48 additions & 0 deletions VERIFY_ATTESTATIONS.md
@@ -0,0 +1,48 @@
## Using artifact attestations to achieve SLSA v1 Build Level 3

This project started to use GitHub Action to create attestations for the release artifacts. Building software with artifact attestation streamlines supply chain security and helps us achieve [SLSA](https://slsa.dev/) v1.0 Build Level 3 for this project.

### Verifying artifact attestations built with a reusable workflow

To verify artifact attestations generated during the build process, use the `gh attestation verify` command from the GitHub CLI.

The `gh attestation verify` command requires either `--owner` or `--repo` flags to be used with it.

> [!NOTE]
> Make sure to replace X.Y.Z with the actual release tag you want to verify.

> [!WARNING]
> Not all artifacts may have attestations generated for them. Please check the [attestations](https://github.com/integrations/terraform-provider-github/attestations) page for this repository to see which artifacts have attestations available.

> [!CAUTION]
> The attestations are available only for releases created since the version `v6.9.0` of this project.

Download the release artifacts first:

```bash
gh release download vX.Y.Z --repo integrations/terraform-provider-github -p "*.zip"
```

To verify the artifact attestations for this project, you can run the following command:

```bash
gh attestation verify --repo integrations/terraform-provider-github terraform-provider-github_X.Y.Z_darwin_amd64.zip
```

### Using optional flags

The `gh attestation verify` command supports additional flags for more specific verification:

Use the `--signer-repo` flag to specify the repository:

```bash
gh attestation verify --owner integrations --signer-repo integrations/terraform-provider-github \
terraform-provider-github_X.Y.Z_darwin_amd64.zip
```

If you would like to require an artifact attestation to be signed with a specific workflow, use the `--signer-workflow` flag to indicate the workflow file that should be used.

```bash
gh attestation verify --owner integrations --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yml \
terraform-provider-github_X.Y.Z_darwin_amd64.zip
```