Skip to main content
This feature is only available on Chainloop’s platform paid plans.
You can perform attestations from GitHub Actions without using Chainloop API tokens. This removes token management from your workflows and helps you align with SLSA 3 checks by default. To achieve this you’ll need to:
  • Connect your GitHub repository to a project
  • Configure workflow permissions for OIDC

1 - Connect your GitHub repository to a project

Before attesting, connect the Chainloop GitHub integration and link the repository to a project:
Attestations from repositories that are not connected to a project will not be accepted.

2 - Configure the workflow for keyless attestation

You can leverage GitHub OIDC tokens directly from your workflow. Keep the workflow configuration simple and include these permissions:
permissions:
  # Lets the workflow request an OIDC token that Chainloop uses to identify your org:
  id-token: write
An example workflow:
name: Chainloop Keyless Attestation

on:
  push:
    branches: [main]
  pull_request:

jobs:
  attest:
    runs-on: ubuntu-latest
    permissions:
      # Lets the workflow request an OIDC token that Chainloop uses to identify your org:
      id-token: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Chainloop CLI
        run: curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s

      - name: Init attestation (keyless)
        run: |
          chainloop att init \
            --project demo \
            --workflow test-github

      - name: Push attestation
        run: chainloop attestation push
Do not set CHAINLOOP_TOKEN in your workflow environment. In keyless mode, the CLI automatically requests a GitHub OIDC token and uses it to authenticate with Chainloop — no manual token configuration needed.
If you have onboarded the same repository to more than one Chainloop organization, pass the --org flag to the init command:
chainloop att init --workflow test-github --project demo --org my-org