ActionsToolkit.Attest
1.0.0
The .NET equivalent of GitHub's @actions/attest package: generate signed in-toto attestations for your build artifacts and persist them via the GitHub attestations API.
This package is a port of the upstream JavaScript code under the same Apache-2.0 license.
Cryptographic signing is delegated to Sigstore v0.5.0 (mitchdenny/sigstore-dotnet), a pure .NET, AOT-compatible Sigstore client.
Install
dotnet add package ActionsToolkit.Attest
Sigstore is pinned via this repository's central package management, so no
explicit version is required when consuming the SDK from a project that already
uses Directory.Packages.props.
Register services
using ActionsToolkit.Attest;
using ActionsToolkit.Octokit.Extensions;
using Microsoft.Extensions.DependencyInjection;

// Register the GitHub client and the attestation services, then build the container.
var services = new ServiceCollection()
    .AddGitHubClientServices(token: Environment.GetEnvironmentVariable("GITHUB_TOKEN")!)
    .AddAttestServices()
    .BuildServiceProvider();

// Resolve the service used in the snippets below.
var attest = services.GetRequiredService<IAttestService>();
Attest a custom predicate
using System.Text.Json.Nodes;

// `attest` is the IAttestService resolved under "Register services".
var attestation = await attest.AttestAsync(new AttestOptions
{
    Subjects =
    [
        new Subject
        {
            Name = "my-artifact-name",
            Digest = new Dictionary<string, string>
            {
                // Hex SHA-256 of the artifact (truncated here).
                ["sha256"] = "36ab4667…",
            },
        },
    ],
    PredicateType = "https://in-toto.io/attestation/release",
    Predicate = JsonNode.Parse("""{ "purl": "pkg:nuget/My.Lib@1.0.0" }""")!,
    Token = Environment.GetEnvironmentVariable("GITHUB_TOKEN")!,
});

Console.WriteLine($"Attestation id: {attestation.AttestationId}");
Console.WriteLine($"Bundle: {attestation.Bundle.ToJsonString()}");
Attest SLSA build provenance
// `attest` is the IAttestService resolved under "Register services".
var attestation = await attest.AttestProvenanceAsync(new AttestProvenanceOptions
{
    SubjectName = "my-artifact-name",
    SubjectDigest = new Dictionary<string, string>
    {
        // Hex SHA-256 of the artifact (truncated here).
        ["sha256"] = "36ab4667…",
    },
    Token = Environment.GetEnvironmentVariable("GITHUB_TOKEN")!,
});
The provenance variant builds an SLSA v1 build provenance predicate populated with the github-actions-buildtypes/workflow/v1 external/internal parameters from the per-job OIDC token.
Sigstore instances
The package supports both Sigstore endpoints exposed by the upstream JS package:
| Sigstore value | Fulcio | Rekor / TSA |
|---|---|---|
| SigstoreInstance.PublicGood | fulcio.sigstore.dev | rekor.sigstore.dev |
| SigstoreInstance.GitHub | fulcio.{githubapp.com\|*.ghe.com} | timestamp.{githubapp.com\|*.ghe.com} |
Set AttestOptions.Sigstore (or AttestProvenanceOptions.Sigstore) explicitly to choose an instance. If it is not set, it defaults to PublicGood.
Attribution
This package ports the source of @actions/attest, licensed under Apache-2.0.
The cryptographic signing path is delegated to Sigstore v0.5.0 by Mitch Denny (MIT).
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
- net10.0
  - ActionsToolkit.Octokit (>= 1.0.0)
  - Microsoft.Extensions.DependencyInjection.Abstractions (>= 10.0.1)
  - Microsoft.Extensions.Http (>= 10.0.1)
  - Sigstore (>= 0.5.0)
| Version | Downloads | Last Updated |
|---|---|---|
| 1.0.0 | 70 | 5/5/2026 |
| 1.0.0-rc.1 | 42 | 5/5/2026 |