skills/add-artifact-attestations-to-workflow/SKILL.md
Add SLSA build-provenance attestations to existing GitHub Actions workflows. Use when the user wants to add artifact attestations, build provenance, or SLSA attestations to Docker container image builds in GitHub Actions CI/CD pipelines.
Install: `npx skillsauth add jim60105/copilot-prompt add-artifact-attestations-to-workflow`
## Overview

Add SLSA build-provenance attestations to existing GitHub Actions workflows for Docker container images.

## Steps

### 1. Find existing workflows

Find existing workflow files in `.github/workflows/` that contain `docker/build-push-action` or similar steps. Note that composite actions may be used: read both the composite action and the calling workflow together.
### 2. Enable OIDC & Attestations permissions

In each workflow's top-level `permissions:` block, grant both the OIDC token and attestations write privileges:

```yaml
permissions:
  id-token: write
  attestations: write
  contents: read    # (existing)
  packages: write   # (existing)
```
### 3. Log in to container registries

Ensure an authentication step exists for each registry you will attest against. Add logins only for the registries the workflow actually pushes to, based on its existing content, rather than logging in to all three by default.

```yaml
- name: Login to GHCR
  uses: docker/login-action@v3
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}

- name: Login to Docker Hub
  uses: docker/login-action@v3
  with:
    registry: index.docker.io
    username: ${{ secrets.DOCKERHUB_USERNAME }}
    password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Login to Quay
  uses: docker/login-action@v3
  with:
    registry: quay.io
    username: ${{ secrets.QUAY_USERNAME }}
    password: ${{ secrets.QUAY_TOKEN }}
```
### 4. Build & push image, capturing the digest

Give the `docker/build-push-action@v*` step an `id` so later steps can reference its `digest` output. Choose the tags based on the registries the workflow actually uses.

```yaml
- name: Build and push image
  id: build_push
  uses: docker/build-push-action@v5
  with:
    context: .
    push: true
    tags: |
      ghcr.io/${{ github.repository }}:latest
      index.docker.io/${{ secrets.DOCKERHUB_USERNAME }}/your-repo:latest
      quay.io/${{ github.repository_owner }}/your-repo:latest
```
### 5. Add attestation steps

After the `build_push` step, insert one `actions/attest-build-provenance@v3` invocation per registry. The `subject-name` is the full image name without a tag; the `subject-digest` comes from the build step's output. Only add attestation steps for the registries the workflow actually pushes to.

```yaml
- name: Attest GHCR image
  uses: actions/attest-build-provenance@v3
  with:
    subject-name: ghcr.io/${{ github.repository }}
    subject-digest: ${{ steps.build_push.outputs.digest }}

- name: Attest Docker Hub image
  uses: actions/attest-build-provenance@v3
  with:
    subject-name: index.docker.io/${{ secrets.DOCKERHUB_USERNAME }}/your-repo
    subject-digest: ${{ steps.build_push.outputs.digest }}

- name: Attest Quay image
  uses: actions/attest-build-provenance@v3
  with:
    subject-name: quay.io/${{ github.repository_owner }}/your-repo
    subject-digest: ${{ steps.build_push.outputs.digest }}
```
### 6. Commit changes

Write the git commit message in English.

```sh
git add .github/workflows/docker_publish.yml  # or whatever files you modified
git commit --signoff -m "ci: add build-provenance attestations for container images"
```
### 7. Ask the user to push

Tell the user to manually push the changes and verify that the attestations are created successfully. DO NOT perform a `git push`.
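Before handing the workflow back, it is worth checking that steps 2, 4 and 5 fit together: the permissions are present, every `subject-name` is tag-free and matches an image the build step pushes, and every `subject-digest` points at the build step's `id`. The linter below is an added example, not part of this skill; it takes the workflow as an already-parsed dict (the shape `yaml.safe_load` returns) so it runs without PyYAML, and the sample job is constructed to mirror the YAML above.

```python
import re

REQUIRED_PERMS = {"id-token": "write", "attestations": "write"}
BUILD_ACTION, ATTEST_ACTION = "docker/build-push-action@", "actions/attest-build-provenance@"
DIGEST_REF = re.compile(r"\$\{\{\s*steps\.([\w-]+)\.outputs\.digest\s*\}\}")

def strip_tag(ref):
    # 'ghcr.io/owner/img:latest' -> 'ghcr.io/owner/img'; a ref without a tag passes through
    return ref.rsplit(":", 1)[0] if ":" in ref.rsplit("/", 1)[-1] else ref

def lint_job(job, top_perms):
    """Return findings for one job; an empty list means the attestation wiring looks right."""
    findings = []
    perms = {**(top_perms or {}), **(job.get("permissions") or {})}  # job block overrides top-level
    for key, want in REQUIRED_PERMS.items():
        if perms.get(key) != want:
            findings.append(f"permissions.{key} must be '{want}', got {perms.get(key)!r}")
    steps = job.get("steps") or []
    build_ids, pushed = set(), set()
    for s in steps:
        if s.get("uses", "").startswith(BUILD_ACTION):
            build_ids.add(s.get("id", ""))
            # tags is a block scalar: split on newlines, since ${{ }} expressions contain spaces
            tags = str((s.get("with") or {}).get("tags", "")).splitlines()
            pushed.update(strip_tag(t.strip()) for t in tags if t.strip())
    attests = [s for s in steps if s.get("uses", "").startswith(ATTEST_ACTION)]
    if not attests:
        findings.append("no actions/attest-build-provenance step found")
    for s in attests:
        cfg = s.get("with") or {}
        name = str(cfg.get("subject-name", ""))
        if strip_tag(name) != name:
            findings.append(f"subject-name {name!r} must not carry a tag")
        elif name not in pushed:
            findings.append(f"subject-name {name!r} was not pushed by any build step")
        m = DIGEST_REF.fullmatch(str(cfg.get("subject-digest", "")).strip())
        if not m or m.group(1) not in build_ids:
            findings.append(f"{s.get('name')!r}: subject-digest must be steps.<build id>.outputs.digest")
    return findings

# Constructed sample mirroring the steps above; not any real repository's workflow.
SAMPLE_PERMS = {"id-token": "write", "attestations": "write", "contents": "read", "packages": "write"}
SAMPLE_JOB = {"steps": [
    {"id": "build_push", "uses": "docker/build-push-action@v5", "with": {"context": ".", "push": True,
     "tags": "ghcr.io/${{ github.repository }}:latest\nquay.io/${{ github.repository_owner }}/your-repo:latest\n"}},
    {"name": "Attest GHCR image", "uses": "actions/attest-build-provenance@v3", "with": {
     "subject-name": "ghcr.io/${{ github.repository }}", "subject-digest": "${{ steps.build_push.outputs.digest }}"}},
    {"name": "Attest Quay image", "uses": "actions/attest-build-provenance@v3", "with": {
     "subject-name": "quay.io/${{ github.repository_owner }}/your-repo", "subject-digest": "${{ steps.build_push.outputs.digest }}"}},
]}
```

Run `lint_job(job, workflow["permissions"])` over each job in the parsed workflow and treat a non-empty result as something to fix before committing.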