Consolidate attestation action references to actions/attest (#60214)

bdehamer · Copilot · Copilot · web-flow · commit afc053424be6 · 2026-03-18T16:16:37.000Z
Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
Co-authored-by: Copilot Autofix powered by AI &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/content/actions/concepts/security/kubernetes-admissions-controller.md b/content/actions/concepts/security/kubernetes-admissions-controller.md
@@ -23,7 +23,7 @@ To [install the controller](/actions/how-tos/security-for-github-actions/using-a
 
 When the Policy Controller is installed, it will intercept all image pull requests and verify the attestation for the image. The attestation must be stored in the image registry as an [OCI attached artifact](https://oras.land/docs/concepts/reftypes/) containing a [Sigstore Bundle](https://docs.sigstore.dev/about/bundle/) which contains the attestation and cryptographic material (e.g. certificates and signatures) used to verify the attestation. A verification process is then performed that ensures the image was built with the specified build provenance and matches any policies enabled by the cluster administrator.
 
-In order for an image to be verifiable, it must have a valid provenance attestation in the registry, which can be done by enabling the `push-to-registry: true` attribute in the `actions/attest-build-provenance` action. See [Generating build provenance for container images](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#generating-build-provenance-for-container-images) for more details on how to generate attestations for container images.
+In order for an image to be verifiable, it must have a valid provenance attestation in the registry, which can be done by enabling the `push-to-registry: true` attribute in the `actions/attest` action. See [Generating build provenance for container images](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#generating-build-provenance-for-container-images) for more details on how to generate attestations for container images.
 
 ### About trust roots and policies
 
diff --git a/content/actions/how-tos/secure-your-work/use-artifact-attestations/enforce-artifact-attestations.md b/content/actions/how-tos/secure-your-work/use-artifact-attestations/enforce-artifact-attestations.md
@@ -14,7 +14,7 @@ category:
 contentType: how-tos
 ---
 
->[!NOTE] Before proceeding, ensure you have enabled build provenance for container images, including setting the `push-to-registry` attribute in the [`attest-build-provenance` action](https://github.com/actions/attest-build-provenance) as documented in [Generating build provenance for container images](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#generating-build-provenance-for-container-images). This is required for the Policy Controller to verify the attestation.
+> [!NOTE] Before proceeding, ensure you have enabled build provenance for container images, including setting the `push-to-registry` attribute in the [`attest` action](https://github.com/actions/attest) as documented in [Generating build provenance for container images](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#generating-build-provenance-for-container-images). This is required for the Policy Controller to verify the attestation.
 
 ## Getting started with Kubernetes admission controller
 
diff --git a/content/actions/how-tos/secure-your-work/use-artifact-attestations/increase-security-rating.md b/content/actions/how-tos/secure-your-work/use-artifact-attestations/increase-security-rating.md
@@ -51,7 +51,7 @@ To verify the artifact attestations generated with your builds, you can use [`gh
 The `gh attestation verify` command requires either `--owner` or `--repo` flags to be used with it. These flags do two things.
 
 * They tell `gh attestation verify` where to fetch the attestation from. This will always be your caller workflow.
-* They tell `gh attestation verify` where the workflow that did the signing came from. This will always be the workflow that uses [`attest-build-provenance` action](https://github.com/actions/attest-build-provenance), which may be a reusable workflow.
+* They tell `gh attestation verify` where the workflow that did the signing came from. This will always be the workflow that uses the [`attest` action](https://github.com/actions/attest), which may be a reusable workflow.
 
 You can use optional flags with the `gh attestation verify` command.
 
diff --git a/content/actions/how-tos/secure-your-work/use-artifact-attestations/manage-attestations.md b/content/actions/how-tos/secure-your-work/use-artifact-attestations/manage-attestations.md
@@ -32,8 +32,8 @@ Use the `created` filter to filter by creation date. To enter a custom date rang
 
 Use the `predicate` filter to filter by the kind of attestation. A predicate is the type of claim that an attestation makes about an artifact, such as "this artifact was built during a particular workflow run and originates from this repository."
 
-* Provenance attestations were created with the `attest-build-provenance` action.
-* SBOM attestations were created with the `attest-sbom` action.
+* Provenance attestations were created with the `attest` action.
+* SBOM attestations were created with the `attest` action using the `sbom-path` input.
 * Custom predicate type patterns are **not** supported in the search field, but are supported by the API.
 
 ## Deleting attestations
diff --git a/content/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations.md b/content/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations.md
@@ -26,9 +26,9 @@ You can use {% data variables.product.prodname_actions %} to generate artifact a
 To generate an artifact attestation, you must:
 
 * Ensure you have the appropriate permissions configured in your workflow.
-* Include a step in your workflow that uses the [`attest-build-provenance` action](https://github.com/actions/attest-build-provenance).
+* Include a step in your workflow that uses the [`attest` action](https://github.com/actions/attest).
 
-When you run your updated workflows, they will build your artifacts and generate an artifact attestation that establishes build provenance. You can view attestations in your repository's **Actions** tab. For more information, see the [`attest-build-provenance`](https://github.com/actions/attest-build-provenance) repository.
+When you run your updated workflows, they will build your artifacts and generate an artifact attestation that establishes build provenance. You can view attestations in your repository's **Actions** tab. For more information, see the [`attest`](https://github.com/actions/attest) repository.
 
 ### Generating build provenance for binaries
 
@@ -45,7 +45,7 @@ When you run your updated workflows, they will build your artifacts and generate
 
    ```yaml
    - name: Generate artifact attestation
-     uses: actions/attest-build-provenance@v3
+     uses: actions/attest@v4
      with:
        subject-path: 'PATH/TO/ARTIFACT'
    ```
@@ -68,7 +68,7 @@ When you run your updated workflows, they will build your artifacts and generate
 
    ```yaml
    - name: Generate artifact attestation
-     uses: actions/attest-build-provenance@v3
+     uses: actions/attest@v4
      with:
        subject-name: {% raw %}${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}{% endraw %}
        subject-digest: 'sha256:fedcba0...'
@@ -87,9 +87,9 @@ To generate an attestation for an SBOM, you must:
 
 * Ensure you have the appropriate permissions configured in your workflow.
 * Create an SBOM for your artifact. For more information, see [`anchore-sbom-action`](https://github.com/marketplace/actions/anchore-sbom-action) in the {% data variables.product.prodname_marketplace %}.
-* Include a step in your workflow that uses the [`attest-sbom` action](https://github.com/actions/attest-sbom).
+* Include a step in your workflow that uses the [`attest` action](https://github.com/actions/attest) with the `sbom-path` input.
 
-When you run your updated workflows, they will build your artifacts and generate an SBOM attestation. You can view attestations in your repository's **Actions** tab. For more information, see the [`attest-sbom` action](https://github.com/actions/attest-sbom) repository.
+When you run your updated workflows, they will build your artifacts and generate an SBOM attestation. You can view attestations in your repository's **Actions** tab. For more information, see the [`attest`](https://github.com/actions/attest) repository.
 
 ### Generating an SBOM attestation for binaries
 
@@ -106,7 +106,7 @@ When you run your updated workflows, they will build your artifacts and generate
 
    ```yaml
    - name: Generate SBOM attestation
-     uses: actions/attest-sbom@v2
+     uses: actions/attest@v4
      with:
        subject-path: 'PATH/TO/ARTIFACT'
        sbom-path: 'PATH/TO/SBOM'
@@ -130,7 +130,7 @@ When you run your updated workflows, they will build your artifacts and generate
 
    ```yaml
    - name: Generate SBOM attestation
-     uses: actions/attest-sbom@v2
+     uses: actions/attest@v4
      with:
        subject-name: {% raw %}${{ env.REGISTRY }}/PATH/TO/IMAGE{% endraw %}
        subject-digest: 'sha256:fedcba0...'
@@ -180,7 +180,7 @@ gh attestation verify oci://ghcr.io/ORGANIZATION_NAME/IMAGE_NAME:test -R ORGANIZ
 
 To verify SBOM attestations, you have to provide the `--predicate-type` flag to reference a non-default predicate. For more information, see [Vetted predicates](https://github.com/in-toto/attestation/tree/main/spec/predicates#vetted-predicates) in the `in-toto/attestation` repository.
 
-For example, the [`attest-sbom` action](https://github.com/actions/attest-sbom) currently supports either SPDX or CycloneDX SBOM predicates. To verify an SBOM attestation in the SPDX format, you can use the following {% data variables.product.prodname_cli %} command.
+For example, the [`attest` action](https://github.com/actions/attest) currently supports either SPDX or CycloneDX SBOM predicates. To verify an SBOM attestation in the SPDX format, you can use the following {% data variables.product.prodname_cli %} command.
 
 ```bash copy
 gh attestation verify PATH/TO/YOUR/BUILD/ARTIFACT-BINARY \
diff --git a/content/actions/tutorials/publish-packages/publish-docker-images.md b/content/actions/tutorials/publish-packages/publish-docker-images.md
@@ -115,7 +115,7 @@ jobs:
 
 {% ifversion artifact-attestations %}
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v3
+        uses: actions/attest@v4
         with:
           subject-name: index.docker.io/my-docker-hub-namespace/my-docker-hub-repository
           subject-digest: {% raw %}${{ steps.push.outputs.digest }}{% endraw %}
diff --git a/content/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/upload-linked-artifacts.md b/content/code-security/how-tos/secure-your-supply-chain/establish-provenance-and-integrity/upload-linked-artifacts.md
@@ -77,7 +77,7 @@ You can upload data to the {% data variables.product.virtual_registry %} in the
 
 In the following example, we build and publish a Docker image, then use the `{% raw %}${{ steps.push.outputs.digest }}{% endraw %}` output in the next step to generate a provenance attestation.
 
-The `attest-build-provenance` action automatically uploads a storage record to the {% data variables.product.virtual_registry %} when `push-to-registry: true` is set and the workflow includes the `artifact-metadata: write` permission.
+The `attest` action automatically uploads a storage record to the {% data variables.product.virtual_registry %} when `push-to-registry: true` is set and the workflow includes the `artifact-metadata: write` permission.
 
 ``` yaml
 {% raw %}
@@ -108,7 +108,7 @@ jobs:
             ${{ env.ACR_ENDPOINT }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
 
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v3
+        uses: actions/attest@v4
         with:
           subject-name: ${{ env.ACR_ENDPOINT }}/${{ env.IMAGE_NAME }}
           subject-digest: ${{ steps.push.outputs.digest }}
diff --git a/data/reusables/actions/attestation-virtual-registry.md b/data/reusables/actions/attestation-virtual-registry.md
@@ -1,4 +1,4 @@
-The [attest](https://github.com/actions/attest) and [attest-build-provenance](https://github.com/actions/attest-build-provenance) actions automatically create storage records on the {% data variables.product.virtual_registry %} if both:
+The [attest](https://github.com/actions/attest) action automatically creates storage records on the {% data variables.product.virtual_registry %} if both:
 
 * The `push-to-registry` option is set to `true`
 * The workflow that includes the action has the `artifact-metadata: write` permission
diff --git a/data/reusables/package_registry/publish-docker-image.md b/data/reusables/package_registry/publish-docker-image.md
@@ -57,7 +57,7 @@ jobs:
       {% ifversion artifact-attestations %}
       # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see [Using artifact attestations to establish provenance for builds](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds).
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v3
+        uses: actions/attest@v4
         with:
           subject-name: {% raw %}${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}{% endraw %}
           subject-digest: {% raw %}${{ steps.push.outputs.digest }}{% endraw %}
