> ## Documentation Index
> Fetch the complete documentation index at: https://docs.chainloop.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Keyless Attestations in GitHub

> How to configure Chainloop attestations from GitHub Actions without using Chainloop API tokens.

<Note>
  This feature is only available on Chainloop's platform [paid plans](https://chainloop.dev/pricing).
</Note>

You can perform attestations from GitHub Actions without using Chainloop API tokens. This removes token management from your workflows and helps you align with [SLSA 3](/guides/slsa) checks by default.

To achieve this you'll need to:

* Connect your GitHub repository to a project
* Configure workflow permissions for OIDC

## 1 - Connect your GitHub repository to a project

Before attesting, connect the Chainloop GitHub integration and link the repository to a project:

* [Connect GitHub & GitLab](/get-started/projects/connect-repository) — one-time organization setup.
* [Create a project](/get-started/projects/create-project) — link the repository to the project that will receive attestations.

<Note>
  Attestations from repositories that are not connected to a project will not be accepted.
</Note>

## 2 - Configure the workflow for keyless attestation

You can leverage GitHub OIDC tokens directly from your workflow. Keep the workflow configuration simple and include these permissions:

```yaml theme={"dark"}
permissions:
  # Lets the workflow request an OIDC token that Chainloop uses to identify your org:
  id-token: write
```

An example workflow:

```yaml theme={"dark"}
name: Chainloop Keyless Attestation

on:
  push:
    branches: [main]
  pull_request:

jobs:
  attest:
    runs-on: ubuntu-latest
    permissions:
      # Lets the workflow request an OIDC token that Chainloop uses to identify your org:
      id-token: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Chainloop CLI
        run: curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s

      - name: Init attestation (keyless)
        run: |
          chainloop att init \
            --project demo \
            --workflow test-github

      - name: Push attestation
        run: chainloop attestation push
```

<Note>
  Do not set `CHAINLOOP_TOKEN` in your workflow environment. In keyless mode, the CLI automatically requests a GitHub OIDC token and uses it to authenticate with Chainloop — no manual token configuration needed.
</Note>

<Note>
  If you have onboarded the same repository to more than one Chainloop organization, pass the `--org` flag to the init command:

  ```bash theme={"dark"}
  chainloop att init --workflow test-github --project demo --org my-org
  ```
</Note>
