From 00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 Mon Sep 17 00:00:00 2001 From: Meredith Lancaster Date: Thu, 18 Dec 2025 16:09:53 -0800 Subject: [PATCH] Add support for creating artifact metadata storage records (#779) * use latest version of attest action Signed-off-by: Meredith Lancaster * include docs on create-storage-record Signed-off-by: Meredith Lancaster * install most recent version of actions/attest Signed-off-by: Meredith Lancaster * update attest action to latest version Signed-off-by: Meredith Lancaster * add artifact-metadata permission docs Signed-off-by: Meredith Lancaster * restore original package version Signed-off-by: Meredith Lancaster --------- Signed-off-by: Meredith Lancaster --- README.md | 14 ++++++++++++++ action.yml | 9 ++++++++- package-lock.json | 4 ++-- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 609acc0..98c7c73 100644 --- a/README.md +++ b/README.md @@ -46,11 +46,15 @@ attest: permissions: id-token: write attestations: write + artifact-metadata: write ``` The `id-token` permission gives the action the ability to mint the OIDC token necessary to request a Sigstore signing certificate. The `attestations` permission is necessary to persist the attestation. + The `artifact-metadata` permission is required to generate artifact + metadata storage records. If this permission is not included, the action + will continue without creating the record. 1. Add the following to your workflow after your artifact has been built: 
@@ -95,6 +99,12 @@ See [action.yml](action.yml) # the "subject-digest" parameter be specified. Defaults to false. push-to-registry: + # Whether to create a storage record for the artifact. + # Requires that push-to-registry is set to true. + # Requires that the "subject-name" parameter specify the fully-qualified + # image name. Defaults to true. + create-storage-record: + # Whether to attach a list of generated attestations to the workflow run # summary page. Defaults to true. show-summary: @@ -243,6 +253,10 @@ the specific image being attested is identified by the supplied digest. Attestation bundles are stored in the OCI registry according to the [Cosign Bundle Specification][10]. +If the `push-to-registry` option is set to true, the Action will also +emit an Artifact Metadata Storage Record. If you do not want to emit a +storage record, set `create-storage-record` to `false`. + > **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the > registry portion of the image name. diff --git a/action.yml b/action.yml index be9f4c1..26d12fc 100644 --- a/action.yml +++ b/action.yml @@ -36,6 +36,12 @@ inputs: and that the "subject-digest" parameter be specified. Defaults to false. default: false required: false + create-storage-record: + description: > + Whether to create a storage record for the artifact. + Requires that push-to-registry is set to true. Defaults to true. + default: true + required: false show-summary: description: > Whether to attach a list of generated attestations to the workflow run @@ -64,7 +70,7 @@ runs: steps: - uses: actions/attest-build-provenance/predicate@864457a58d4733d7f1574bd8821fa24e02cf7538 # predicate@2.0.0 id: generate-build-provenance-predicate - - uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0 + - uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0 id: attest env: NODE_OPTIONS: "--max-http-header-size=32768" 
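Review bot: The description of the new `create-storage-record` input in the action.yml @@ -36 hunk says it "Requires that push-to-registry is set to true", yet its `default: true` sits next to the existing `push-to-registry` default of `false`, so the out-of-the-box configuration contradicts its own stated requirement; the README hunks instead describe the record as emitted only when push-to-registry is true, which reads as "ignored otherwise", and the input description should say that explicitly. The README also lists two prerequisites the description omits — the `artifact-metadata: write` permission and a fully-qualified image name in `subject-name` — and states that a missing permission makes the action continue without a record, a silent degradation worth surfacing where the input is declared, because anyone relying on the storage record for later verification needs to check it was actually produced. Suggested description: `Whether to create an artifact metadata storage record. Only takes effect when push-to-registry is true and subject-name is a fully-qualified image name; requires the artifact-metadata: write permission (without it the action continues without creating a record). Defaults to true.` Whether actions/attest ignores or rejects the default combination cannot be confirmed from this diff.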
@@ -76,5 +82,6 @@ runs:
 predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
 predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
 push-to-registry: ${{ inputs.push-to-registry }}
+ create-storage-record: ${{ inputs.create-storage-record }}
 show-summary: ${{ inputs.show-summary }}
 github-token: ${{ inputs.github-token }}
diff --git a/package-lock.json b/package-lock.json
index 2050890..8d8c7db 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "actions/attest-build-provenance",
- "version": "2.0.0",
+ "version": "3.1.0",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "actions/attest-build-provenance",
- "version": "2.0.0",
+ "version": "3.1.0",
 "license": "MIT",
 "dependencies": {
 "@actions/attest": "^2.1.0",