Add support for creating artifact metadata storage records (#779)

* use latest version of attest action

Signed-off-by: Meredith Lancaster <malancas@github.com>

* include docs on create-storage-record

Signed-off-by: Meredith Lancaster <malancas@github.com>

* install most recent version of actions/attest

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update attest action to latest version

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add artifact-metadata permission docs

Signed-off-by: Meredith Lancaster <malancas@github.com>

* restore original package version

Signed-off-by: Meredith Lancaster <malancas@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>

Author: malancas

README.md

@@ -46,11 +46,15 @@ attest:
    permissions:
      id-token: write
      attestations: write
+     artifact-metadata: write
    ```
 
    The `id-token` permission gives the action the ability to mint the OIDC token
    necessary to request a Sigstore signing certificate. The `attestations`
    permission is necessary to persist the attestation.
+   The `artifact-metadata` permission is required to generate artifact
+   metadata storage records. If this permission is not included, the action
+   will continue without creating the record.
 
 1. Add the following to your workflow after your artifact has been built:
 
@@ -95,6 +99,12 @@ See [action.yml](action.yml)
     # the "subject-digest" parameter be specified. Defaults to false.
     push-to-registry:
 
+    # Whether to create a storage record for the artifact.
+    # Requires that push-to-registry is set to true.
+    # Requires that the "subject-name" parameter specify the fully-qualified
+    # image name. Defaults to true.
+    create-storage-record:
+
     # Whether to attach a list of generated attestations to the workflow run
     # summary page. Defaults to true.
     show-summary:
@@ -243,6 +253,10 @@ the specific image being attested is identified by the supplied digest.
 Attestation bundles are stored in the OCI registry according to the [Cosign
 Bundle Specification][10].
 
+If the `push-to-registry` option is set to true, the Action will also
+emit an Artifact Metadata Storage Record. If you do not want to emit a
+storage record, set `create-storage-record` to `false`.
+
 > **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
 > registry portion of the image name.
 

action.yml

@@ -36,6 +36,12 @@ inputs:
       and that the "subject-digest" parameter be specified. Defaults to false.
     default: false
     required: false
+  create-storage-record:
+    description: >
+      Whether to create a storage record for the artifact.
+      Requires that push-to-registry is set to true. Defaults to true.
+    default: true
+    required: false
   show-summary:
     description: >
       Whether to attach a list of generated attestations to the workflow run
@@ -64,7 +70,7 @@ runs:
   steps:
     - uses: actions/attest-build-provenance/predicate@864457a58d4733d7f1574bd8821fa24e02cf7538 # predicate@2.0.0
       id: generate-build-provenance-predicate
-    - uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0
+    - uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
       id: attest
       env:
         NODE_OPTIONS: "--max-http-header-size=32768"
@@ -76,5 +82,6 @@ runs:
         predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
         predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
         push-to-registry: ${{ inputs.push-to-registry }}
+        create-storage-record: ${{ inputs.create-storage-record }}
         show-summary: ${{ inputs.show-summary }}
         github-token: ${{ inputs.github-token }}