How do I find the provenance which is pushed to ghcr.io via attest-build-provenance? Does GHCR.io support Docker Container Registry Referrers API?

[khalkie]

Select Topic Area

Question

Body

I have a question as to how I can access the provenance which is generated and pushed to a Container Registry via the attest-build-provenance action (with push-to-registry=true).

As per (https://github.com/actions/attest-build-provenance?tab=readme-ov-file#container-image) the provenance is supposed to be uploaded to the container registry, and a manifest is also created which is supposed to link the newly generated provenance layer with the image SHA by adding it as a 'subject' (as per OCI 1.1). (https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md#publishing)

This is then supposed to allow the provenance to be queried via the 'referrers API' by listing the referrers for that image SHA. However, I can't ever get any referrers to show up in GCHR.io (via curl).

I am able to directly query the provenance manifest and blob layer which were added (via the SHAs from the GitHub Actions logs) but I don't understand how I'm supposed to be able to retrieve this provenance starting from just the image SHA?

Does GHCR.io support the 'referrers API'? (https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers)

(yes I know I can use the GitHub Attestations API to retrieve the same information but I'm looking for a general solution which works on all registries which implement Docker Container Registry HTTP V2 API)

[nisxant69]

GitHub Container Registry (GHCR.io) currently does not fully support the OCI Distribution Spec’s Referrers API, which is why querying referrers by image SHA returns empty results despite the provenance layers and manifests being present. Although the attest-build-provenance action correctly uploads the provenance as a separate artifact linked via the manifest’s “subject” field per OCI 1.1 spec, GHCR lacks the API endpoint implementation to list those linked artifacts using the referrers API. This means you cannot retrieve provenance starting solely from the image SHA via standard referrers API calls on GHCR.io. Instead, the provenance can be accessed by directly fetching the known manifest or blob SHA recorded in the GitHub Actions logs or via GitHub’s own Attestations API, which is GitHub-specific. For a truly generic solution across registries supporting the Docker Registry HTTP V2 API plus OCI extensions, you need a registry that fully implements the Referrers API. Currently, registries like Harbor or newer versions of Docker Distribution may have better support. Until GHCR adds this feature, querying provenance via referrers API is not available there, so your best option remains using GitHub-specific APIs or direct SHA references.

[khalkie]

Thanks! When the 'attest-build-provenance' pushes to a Container Registry which does not support referrers API (i.e. GHCR), do you know if it uploads a manifest for the subject using the Referrers Tag Schema? It's supposed to upload an image index manifest to a tag with the same name as the SHA, which would replicate the 'referrers' response

https://github.com/opencontainers/distribution-spec/blob/main/spec.md#unavailable-referrers-api

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[PRIYAtechky]

At the moment, GHCR.io does not support the OCI Referrers API.
That’s why you don’t see any referrers when querying with curl.

When you use the attest-build-provenance action with push-to-registry=true, the provenance is uploaded as an OCI artifact and linked to the image. However, since GHCR hasn’t implemented the Referrers API yet, you cannot discover that provenance starting only from the image digest.

How to access it instead:

• You can still fetch the provenance directly using the SHAs (manifest + blob) printed in the GitHub Actions logs.
• Alternatively, you can use the GitHub Attestations API, which gives you the provenance information programmatically.
• For a registry that implements the Referrers API (e.g., Azure Container Registry, AWS ECR with OCI features, or Harbor), you would be able to query the provenance via referrers.

---

• GHCR: No Referrers API → you must rely on SHAs or GitHub Attestations API.
• Other registries with Referrers API: You can resolve provenance directly from the image digest.