This feature is only available on Chainloop’s platform paid plans.
You can perform attestations from GitHub Actions without using Chainloop API tokens. This removes token management from your workflows and helps you align with SLSA 3 checks by default. To achieve this you’ll need to:
  • Enroll your GitHub repositories in Chainloop
  • Configure workflow permissions for OIDC

1 - Enroll your GitHub repositories

To verify repository ownership, first onboard your GitHub repository in the Chainloop platform from the repositories section. Click “Add Repositories”, select “GitHub” and follow the installation steps.
Chainloop stores only repository metadata (ID and name), not your repository code.

2 - Configure the workflow for keyless attestation

You can leverage GitHub OIDC tokens directly from your workflow. Keep the workflow configuration simple and include these permissions:
permissions:
  # Lets the workflow request an OIDC token that Chainloop uses to identify your org:
  id-token: write
An example workflow:
name: Chainloop Keyless Attestation

on:
  push:
    branches: [main]
  pull_request:

jobs:
  attest:
    runs-on: ubuntu-latest
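    permissions:
      # Lets the workflow request an OIDC token that Chainloop uses to identify your org:
      id-token: write
      # Needed by actions/checkout in private repositories; scopes not listed here are set to none:
      contents: read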

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Chainloop CLI
        run: curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- -ee

      - name: Init attestation (keyless)
        run: |
          chainloop att init \
            --project demo \
            --workflow test-github

      - name: Push attestation
        run: chainloop attestation push
Do not include CHAINLOOP_TOKEN in your workflow env for keyless mode.
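The two requirements above (the `id-token: write` permission and no `CHAINLOOP_TOKEN`) can be checked before an attestation is attempted. The following is an added example, not part of the Chainloop CLI or documentation; the function names and messages are hypothetical, and the file-level check is deliberately coarse (it looks at the whole file, not at each job).

```shell
#!/bin/sh
# Added example: preflight checks for keyless attestation (hypothetical helpers).

# Static check of a workflow file. Prints findings and returns the number of
# problems found (0 = ready for keyless mode).
lint_workflow() {
  local file="$1" problems=0 body
  # Drop comment-only lines so a commented-out setting is not counted.
  body="$(grep -vE '^[[:space:]]*#' "$file" || true)"
  if ! printf '%s\n' "$body" |
      grep -qE '^[[:space:]]*id-token:[[:space:]]*write([[:space:]]|#|$)'; then
    echo "$file: missing 'id-token: write' permission"
    problems=$((problems + 1))
  fi
  if printf '%s\n' "$body" | grep -q 'CHAINLOOP_TOKEN'; then
    echo "$file: references CHAINLOOP_TOKEN; remove it for keyless mode"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Runtime check, meant to run as a workflow step before `chainloop att init`.
# GitHub exposes the ACTIONS_ID_TOKEN_REQUEST_* variables only to jobs that
# hold id-token: write, so their absence means no OIDC token can be requested
# (commonly seen on pull requests coming from forks).
runtime_preflight() {
  local problems=0
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "OIDC token endpoint unavailable: job lacks id-token: write"
    problems=$((problems + 1))
  fi
  if [ -n "${CHAINLOOP_TOKEN:-}" ]; then
    echo "CHAINLOOP_TOKEN is set; unset it for keyless mode"
    problems=$((problems + 1))
  fi
  return "$problems"
}
```

Source the file and call `lint_workflow .github/workflows/<file>.yml` in review or CI, or call `runtime_preflight` in a step placed before the init step.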