This feature is only available on Chainloop’s platform paid plans.
You can perform attestations from GitHub Actions without using Chainloop API tokens. This removes token management from your workflows and helps you align with SLSA 3 checks by default. To achieve this you’ll need to:
  • Enroll your GitHub repositories in Chainloop
  • Configure workflow permissions for OIDC

1 - Enroll your GitHub repositories

To verify repository ownership, onboard your GitHub repository in the Chainloop platform first from the repositories section. Click “Add Repositories”, select “GitHub” and follow the installation steps.
Chainloop stores only repository metadata (ID and name), not your repository code.

2 - Configure the workflow for keyless attestation

You can leverage GitHub OIDC tokens directly from your workflow. Keep the workflow configuration simple and include these permissions:
permissions:
  # Lets the workflow request an OIDC token that Chainloop uses to identify your org:
  id-token: write
An example workflow:
name: Chainloop Keyless Attestation

on:
  push:
    branches: [main]
  pull_request:

jobs:
  attest:
    runs-on: ubuntu-latest
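    permissions:
      # Lets the workflow request an OIDC token that Chainloop uses to identify your org:
      id-token: write
      # Once a permissions block is set, unlisted scopes default to none;
      # actions/checkout needs this to clone a private repository:
      contents: read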

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Chainloop CLI
        run: curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s -- -ee

      - name: Init attestation (keyless)
        run: |
          chainloop att init \
            --project demo \
            --workflow test-github

      - name: Push attestation
        run: chainloop attestation push
Do not set CHAINLOOP_TOKEN in your workflow environment. In keyless mode, the CLI automatically requests a GitHub OIDC token and uses it to authenticate with Chainloop — no manual token configuration needed.
If you have onboarded the same repository to more than one Chainloop organization, pass the --org flag to the init command:
chainloop att init --workflow test-github --project demo --org my-org
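
A pre-flight step for the keyless job, covering the `id-token: write` permission and the CHAINLOOP_TOKEN rule described above. This is an added example, not Chainloop's own code: the function names are hypothetical, curl and jq are assumed to be on the runner, and the idea that the token's `repository` and `repository_id` claims are what gets compared with the enrolled repository is an assumption drawn from the page's statement that Chainloop stores the repository ID and name.

```shell
#!/usr/bin/env bash
# Added example (not Chainloop's code). Function names are hypothetical.

# Return 0 when the job environment is ready for keyless mode, 1 otherwise.
keyless_preflight() {
  rc=0
  # GitHub injects these two variables only when the job has `id-token: write`.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "preflight: no OIDC endpoint; add 'id-token: write' to the job" >&2
    rc=1
  fi
  # The page says not to set CHAINLOOP_TOKEN in keyless mode.
  if [ -n "${CHAINLOOP_TOKEN:-}" ]; then
    echo "preflight: CHAINLOOP_TOKEN is set; remove it from the workflow" >&2
    rc=1
  fi
  return "$rc"
}

# Print the payload (claims) of a JWT as JSON. Decoding only, no signature
# check: this is for inspection, the relying party does the verification.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url omits padding; restore it before decoding.
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# On a runner: request an OIDC token from GitHub's token endpoint and show
# the repository identity it carries. Only claims are printed, never the token.
show_repo_claims() {
  jwt=$(curl -sf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
        "$ACTIONS_ID_TOKEN_REQUEST_URL" | jq -r '.value // empty')
  if [ -z "$jwt" ]; then
    echo "preflight: could not obtain an OIDC token" >&2
    return 1
  fi
  jwt_payload "$jwt" | jq '{repository, repository_id, ref}'
}

# Workflow usage, in a step before `chainloop att init`:
#   keyless_preflight && show_repo_claims
```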