Question
I know that I can use GitHub Actions to generate provenance for an artifact using `attest-build-provenance`, and also push this to Container Registry in the same step (https://github.com/actions/attest-build-provenance?tab=readme-ov-file#container-image). My question now is how can I view the provenance (using the API) for any public GitHub packages? Is this derivable from the package's name?
For example, to use `push-to-registry`, the `subject-name` must specify the fully-qualified image name (e.g. "ghcr.io/user/app" or "acme.azurecr.io/user/app"). Is it always in this format with /user or could it also be /repo or /org? The API requires using the List Attestations function to read provenance; however, this is in three of the APIs:

- Org API - `/orgs/{org}/attestations/{subject_digest}`
- User API - `/users/{username}/attestations/{subject_digest}`
- Repos API - `/repos/{owner}/{repo}/attestations/{subject_digest}`

I guess my question is, how can I fetch/view the provenance for a GitHub Container Registry package from just the name (and SHA)? How would I know if the name is referring to a /user, /org, or /repo? Also, I can infer that packages starting with 'ghcr.io' would be from GitHub, but what about the second example where the package name is 'acme.azurecr.io/user/app'? How would I view its provenance?
I'm looking for functionality similar to `gh attestation download` (https://cli.github.com/manual/gh_attestation_download), although in that case I'm still not sure how I would be able to determine the owner or repo from the container registry package name?
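One way to work with the three List Attestations endpoints named in the question, as an added example that is not part of the original post and not GitHub's own tooling. It assumes that for a `ghcr.io` reference the first path segment is the owning user or organization (so the user and org endpoints can simply both be tried, with the repo endpoint added when the repository is known), that names on other registries such as `acme.azurecr.io` carry no GitHub owner and must be resolved out of band, and that the REST response is a JSON object with an `attestations` array whose items carry a Sigstore `bundle` containing a DSSE envelope with a base64 in-toto statement. The sample bundle at the bottom is constructed for offline use; the network call only runs when the script is invoked from the command line.

```python
"""Locate and summarize GitHub build-provenance attestations for a container image.

Added example; assumes the endpoint shapes listed in the question and a
standard Sigstore bundle (dsseEnvelope.payload = base64 in-toto statement).
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

API = "https://api.github.com"


def parse_image_ref(ref: str) -> dict:
    """Split 'registry/namespace/name[:tag][@sha256:hex]' into parts.

    Assumption: on ghcr.io the namespace is the owning user or org. For any
    other registry the namespace is treated as opaque (no GitHub owner).
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    registry, _, path = ref.partition("/")
    if not path:
        raise ValueError("expected registry/namespace/name")
    segments = path.split("/")
    # A tag can only appear on the last path segment.
    if ":" in segments[-1]:
        segments[-1] = segments[-1].split(":", 1)[0]
    return {
        "registry": registry,
        "namespace": segments[0],
        "name": "/".join(segments[1:]),
        "digest": digest,
        "is_ghcr": registry == "ghcr.io",
    }


def candidate_endpoints(parts: dict, digest: str, repo: Optional[str] = None) -> list:
    """Build the List Attestations URLs to try, most specific first.

    Returns an empty list for non-ghcr.io images: the name alone does not
    tell us which GitHub owner (if any) produced the attestation.
    """
    if not parts["is_ghcr"]:
        return []
    owner = parts["namespace"]
    urls = []
    if repo:
        urls.append(f"{API}/repos/{owner}/{repo}/attestations/{digest}")
    urls.append(f"{API}/users/{owner}/attestations/{digest}")
    urls.append(f"{API}/orgs/{owner}/attestations/{digest}")
    return urls


def fetch_attestations(url: str, token: Optional[str] = None) -> list:
    """GET one endpoint; a 404 (wrong owner kind) yields [] so the caller moves on."""
    req = urllib.request.Request(
        url,
        headers={"Accept": "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28"},
    )
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return json.load(resp).get("attestations", [])
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return []
        raise


def summarize_bundle(bundle: dict) -> dict:
    """Decode the in-toto statement in a Sigstore bundle and pull out the fields
    a reviewer checks first: predicate type, subject digests, builder id."""
    statement = json.loads(base64.b64decode(bundle["dsseEnvelope"]["payload"]))
    predicate = statement.get("predicate", {})
    return {
        "predicateType": statement.get("predicateType"),
        "subjects": [s.get("digest", {}).get("sha256") for s in statement.get("subject", [])],
        "builder": predicate.get("runDetails", {}).get("builder", {}).get("id"),
    }


def subject_matches(summary: dict, digest: str) -> bool:
    """True when the statement's subject covers the digest we asked about."""
    return digest.split(":", 1)[1] in summary["subjects"]


# Constructed sample (not a real attestation) so the decoding path runs offline.
SAMPLE_DIGEST = "sha256:" + "ab" * 32
_SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "ghcr.io/octo-org/app", "digest": {"sha256": "ab" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"runDetails": {"builder": {"id": "https://github.com/example-builder"}}},
}
SAMPLE_BUNDLE = {
    "dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(_SAMPLE_STATEMENT).encode()).decode(),
    }
}

if __name__ == "__main__":
    # usage: python fetch_attestations.py ghcr.io/<owner>/<image>@sha256:<hex> [repo]
    parts = parse_image_ref(sys.argv[1])
    if not parts["digest"]:
        sys.exit("reference must include @sha256:<hex>")
    repo = sys.argv[2] if len(sys.argv) > 2 else None
    for url in candidate_endpoints(parts, parts["digest"], repo):
        for att in fetch_attestations(url, os.environ.get("GITHUB_TOKEN")):
            summary = summarize_bundle(att["bundle"])
            print(url, summary, "subject ok" if subject_matches(summary, parts["digest"]) else "SUBJECT MISMATCH")
```

Trying the user and org endpoints in turn is the cheap way around not knowing which kind of account owns a `ghcr.io` namespace; the repo endpoint only enters the list when a repository name is supplied, because it cannot be read off the image name. The subject-digest check matters: an attestation is only evidence for the exact digest it names, so a bundle returned for a different digest should be discarded rather than trusted.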