Add support for creating artifact metadata storage records (#779)

* use latest version of attest action

Signed-off-by: Meredith Lancaster <malancas@github.com>

* include docs on create-storage-record

Signed-off-by: Meredith Lancaster <malancas@github.com>

* install most recent version of actions/attest

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update attest action to latest version

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add artifact-metadata permission docs

Signed-off-by: Meredith Lancaster <malancas@github.com>

* restore original package version

Signed-off-by: Meredith Lancaster <malancas@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
This commit is contained in:
Meredith Lancaster
2025-12-18 16:09:53 -08:00
committed by GitHub
parent 8835c60c52
commit 00014ed6ed
3 changed files with 24 additions and 3 deletions
+14
View File
@@ -46,11 +46,15 @@ attest:
permissions:
id-token: write
attestations: write
artifact-metadata: write
```
The `id-token` permission gives the action the ability to mint the OIDC token
necessary to request a Sigstore signing certificate. The `attestations`
permission is necessary to persist the attestation.
The `artifact-metadata` permission is required to generate artifact
metadata storage records. If this permission is not included, the action
will continue without creating the record.
1. Add the following to your workflow after your artifact has been built:
@@ -95,6 +99,12 @@ See [action.yml](action.yml)
# the "subject-digest" parameter be specified. Defaults to false.
push-to-registry:
# Whether to create a storage record for the artifact.
# Requires that push-to-registry is set to true.
# Requires that the "subject-name" parameter specify the fully-qualified
# image name. Defaults to true.
create-storage-record:
# Whether to attach a list of generated attestations to the workflow run
# summary page. Defaults to true.
show-summary:
@@ -243,6 +253,10 @@ the specific image being attested is identified by the supplied digest.
Attestation bundles are stored in the OCI registry according to the [Cosign
Bundle Specification][10].
If the `push-to-registry` option is set to true, the Action will also
emit an Artifact Metadata Storage Record. If you do not want to emit a
storage record, set `create-storage-record` to `false`.
> **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
> registry portion of the image name.
+8 -1
View File
@@ -36,6 +36,12 @@ inputs:
and that the "subject-digest" parameter be specified. Defaults to false.
default: false
required: false
create-storage-record:
description: >
Whether to create a storage record for the artifact.
Requires that push-to-registry is set to true. Defaults to true.
default: true
required: false
show-summary:
description: >
Whether to attach a list of generated attestations to the workflow run
@@ -64,7 +70,7 @@ runs:
steps:
- uses: actions/attest-build-provenance/predicate@864457a58d4733d7f1574bd8821fa24e02cf7538 # predicate@2.0.0
id: generate-build-provenance-predicate
- uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0
- uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
id: attest
env:
NODE_OPTIONS: "--max-http-header-size=32768"
@@ -76,5 +82,6 @@ runs:
predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
push-to-registry: ${{ inputs.push-to-registry }}
create-storage-record: ${{ inputs.create-storage-record }}
show-summary: ${{ inputs.show-summary }}
github-token: ${{ inputs.github-token }}
+2 -2
View File
@@ -1,12 +1,12 @@
{
"name": "actions/attest-build-provenance",
"version": "2.0.0",
"version": "3.1.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "actions/attest-build-provenance",
"version": "2.0.0",
"version": "3.1.0",
"license": "MIT",
"dependencies": {
"@actions/attest": "^2.1.0",