Add support for creating artifact metadata storage records (#779 )

* use latest version of attest action Signed-off-by: Meredith Lancaster <malancas@github.com> * include docs on create-storage-record Signed-off-by: Meredith Lancaster <malancas@github.com> * install most recent version of actions/attest Signed-off-by: Meredith Lancaster <malancas@github.com> * update attest action to latest version Signed-off-by: Meredith Lancaster <malancas@github.com> * add artifact-metadata permission docs Signed-off-by: Meredith Lancaster <malancas@github.com> * restore original package version Signed-off-by: Meredith Lancaster <malancas@github.com> --------- Signed-off-by: Meredith Lancaster <malancas@github.com>
Bump @actions/attest from 2.0.0 to 2.1.0 (#775 )
2025-12-18 16:09:53 -08:00 · 2025-12-15 16:41:17 -08:00 · 2025-12-15 08:54:14 -08:00 · 2025-12-15 08:51:39 -08:00 · 2025-12-15 08:51:03 -08:00 · 2025-12-15 08:50:20 -08:00
11 changed files with 2196 additions and 3327 deletions
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@@ -28,11 +28,11 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Setup Node.js
        id: setup-node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: .node-version
          cache: npm
@@ -60,7 +60,7 @@ jobs:
      - if: ${{ failure() && steps.diff.outcome == 'failure' }}
        name: Upload Artifact
        id: upload
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6.0.0
        with:
          name: dist
          path: dist/
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,11 +21,11 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Setup Node.js
        id: setup-node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: .node-version
          cache: npm
@@ -57,7 +57,7 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Run attest-provenance
        id: attest-provenance
        uses: ./
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -32,19 +32,19 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1

      - name: Initialize CodeQL
        id: initialize
-        uses: github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
+        uses: github/codeql-action/init@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
        with:
          languages: ${{ matrix.language }}
          source-root: src

      - name: Autobuild
        id: autobuild
-        uses: github/codeql-action/autobuild@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
+        uses: github/codeql-action/autobuild@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8

      - name: Perform CodeQL Analysis
        id: analyze
-        uses: github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
+        uses: github/codeql-action/analyze@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
--- a/.github/workflows/prober.yml
+++ b/.github/workflows/prober.yml
@@ -29,7 +29,7 @@ jobs:
          date > artifact

      - name: Attest build provenance
-        uses: actions/attest-build-provenance@v2
+        uses: actions/attest-build-provenance@v3
        env:
          INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
        with:
@@ -42,13 +42,13 @@ jobs:
          gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"

      - name: Upload build artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          path: "artifact"

      - name: Report attestation prober success
        if: ${{ success() }}
-        uses: masci/datadog@f0cad7cba58a34e65535732564c9bf174ee89006 # v1.9.2
+        uses: masci/datadog@a3f481d2ed0f4e1edde2be2f564b94719d6d4bc2 # v1.9.3
        with:
          api-key: "${{ secrets.DATADOG_API_KEY }}"
          service-checks: |
@@ -66,7 +66,7 @@ jobs:

      - name: Report attestation prober failure
        if: ${{ failure() }}
-        uses: masci/datadog@f0cad7cba58a34e65535732564c9bf174ee89006 # v1.9.2
+        uses: masci/datadog@a3f481d2ed0f4e1edde2be2f564b94719d6d4bc2 # v1.9.3
        with:
          api-key: "${{ secrets.DATADOG_API_KEY }}"
          service-checks: |
--- a/README.md
+++ b/README.md
@@ -46,16 +46,20 @@ attest:
   permissions:
     id-token: write
     attestations: write
+     artifact-metadata: write
   ```

   The `id-token` permission gives the action the ability to mint the OIDC token
   necessary to request a Sigstore signing certificate. The `attestations`
   permission is necessary to persist the attestation.
+   The `artifact-metadata` permission is required to generate artifact
+   metadata storage records. If this permission is not included, the action
+   will continue without creating the record.

 1. Add the following to your workflow after your artifact has been built:

   ```yaml
-   - uses: actions/attest-build-provenance@v2
+   - uses: actions/attest-build-provenance@v3
     with:
       subject-path: '<PATH TO ARTIFACT>'
   ```
@@ -68,7 +72,7 @@ attest:
 See [action.yml](action.yml)

 ```yaml
- uses: actions/attest-build-provenance@v2
+- uses: actions/attest-build-provenance@v3
  with:
    # Path to the artifact serving as the subject of the attestation. Must
    # specify exactly one of "subject-path", "subject-digest", or
@@ -95,6 +99,12 @@ See [action.yml](action.yml)
    # the "subject-digest" parameter be specified. Defaults to false.
    push-to-registry:

+    # Whether to create a storage record for the artifact.
+    # Requires that push-to-registry is set to true.
+    # Requires that the "subject-name" parameter specify the fully-qualified
+    # image name. Defaults to true.
+    create-storage-record:
+
    # Whether to attach a list of generated attestations to the workflow run
    # summary page. Defaults to true.
    show-summary:
@@ -159,7 +169,7 @@ jobs:
      - name: Build artifact
        run: make my-app
      - name: Attest
-        uses: actions/attest-build-provenance@v2
+        uses: actions/attest-build-provenance@v3
        with:
          subject-path: '${{ github.workspace }}/my-app'
 ```
@@ -170,7 +180,7 @@ If you are generating multiple artifacts, you can attest all of them at the same
 time by using a wildcard in the `subject-path` input.

 ```yaml
- uses: actions/attest-build-provenance@v2
+- uses: actions/attest-build-provenance@v3
  with:
    subject-path: 'dist/**/my-bin-*'
 ```
@@ -182,13 +192,13 @@ Alternatively, you can explicitly list multiple subjects with either a comma or
 newline delimited list:

 ```yaml
- uses: actions/attest-build-provenance@v2
+- uses: actions/attest-build-provenance@v3
  with:
    subject-path: 'dist/foo, dist/bar'
 ```

 ```yaml
- uses: actions/attest-build-provenance@v2
+- uses: actions/attest-build-provenance@v3
  with:
    subject-path: |
      dist/foo
@@ -209,7 +219,7 @@ attestation.
 - name: Calculate artifact digests
  run: |
    shasum -a 256 foo_0.0.1_* > subject.checksums.txt
- uses: actions/attest-build-provenance@v2
+- uses: actions/attest-build-provenance@v3
  with:
    subject-checksums: subject.checksums.txt
 ```
@@ -243,6 +253,10 @@ the specific image being attested is identified by the supplied digest.
 Attestation bundles are stored in the OCI registry according to the [Cosign
 Bundle Specification][10].

+If the `push-to-registry` option is set to true, the Action will also
+emit an Artifact Metadata Storage Record. If you do not want to emit a
+storage record, set `create-storage-record` to `false`.
+
 > **NOTE**: When pushing to Docker Hub, please use "index.docker.io" as the
 > registry portion of the image name.

@@ -282,7 +296,7 @@ jobs:
          push: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
      - name: Attest
-        uses: actions/attest-build-provenance@v2
+        uses: actions/attest-build-provenance@v3
        id: attest
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -304,7 +318,7 @@ artifact directly into the `subject-digest` input of the attestation action.
    path: dist/*
    name: artifact.zip

- uses: actions/attest-build-provenance@v2
+- uses: actions/attest-build-provenance@v3
  with:
    subject-name: artifact.zip
    subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }}
--- a/tests/snapshots/main.test.ts.snap
+++ b/tests/snapshots/main.test.ts.snap
@@ -1,4 +1,4 @@
-// Jest Snapshot v1, https://goo.gl/fbAQLP
+// Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing

 exports[`main when a non-default OIDC issuer is used successfully run main 1`] = `
 {
--- a/action.yml
+++ b/action.yml
@@ -36,6 +36,12 @@ inputs:
      and that the "subject-digest" parameter be specified. Defaults to false.
    default: false
    required: false
+  create-storage-record:
+    description: >
+      Whether to create a storage record for the artifact.
+      Requires that push-to-registry is set to true. Defaults to true.
+    default: true
+    required: false
  show-summary:
    description: >
      Whether to attach a list of generated attestations to the workflow run
@@ -62,9 +68,9 @@ outputs:
 runs:
  using: 'composite'
  steps:
-    - uses: actions/attest-build-provenance/predicate@1176ef556905f349f669722abf30bce1a6e16e01 # predicate@1.1.5
+    - uses: actions/attest-build-provenance/predicate@864457a58d4733d7f1574bd8821fa24e02cf7538 # predicate@2.0.0
      id: generate-build-provenance-predicate
-    - uses: actions/attest@daf44fb950173508f38bd2406030372c1d1162b1 # v3.0.0
+    - uses: actions/attest@7667f588f2f73a90cea6c7ac70e78266c4f76616 # v3.1.0
      id: attest
      env:
        NODE_OPTIONS: "--max-http-header-size=32768"
@@ -76,5 +82,6 @@ runs:
        predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
        predicate: ${{ steps.generate-build-provenance-predicate.outputs.predicate }}
        push-to-registry: ${{ inputs.push-to-registry }}
+        create-storage-record: ${{ inputs.create-storage-record }}
        show-summary: ${{ inputs.show-summary }}
        github-token: ${{ inputs.github-token }}
--- a/dist/606.index.js
+++ b/dist/606.index.js
@@ -19,7 +19,7 @@ async function pMap(
 		signal,
 	} = {},
 ) {
-	return new Promise((resolve, reject_) => {
+	return new Promise((resolve_, reject_) => {
 		if (iterable[Symbol.iterator] === undefined && iterable[Symbol.asyncIterator] === undefined) {
 			throw new TypeError(`Expected \`input\` to be either an \`Iterable\` or \`AsyncIterable\`, got (${typeof iterable})`);
 		}
@@ -42,10 +42,24 @@ async function pMap(
 		let currentIndex = 0;
 		const iterator = iterable[Symbol.iterator] === undefined ? iterable[Symbol.asyncIterator]() : iterable[Symbol.iterator]();

+		const signalListener = () => {
+			reject(signal.reason);
+		};
+
+		const cleanup = () => {
+			signal?.removeEventListener('abort', signalListener);
+		};
+
+		const resolve = value => {
+			resolve_(value);
+			cleanup();
+		};
+
 		const reject = reason => {
 			isRejected = true;
 			isResolved = true;
 			reject_(reason);
+			cleanup();
 		};

 		if (signal) {
@@ -53,9 +67,7 @@ async function pMap(
 				reject(signal.reason);
 			}

-			signal.addEventListener('abort', () => {
-				reject(signal.reason);
-			});
+			signal.addEventListener('abort', signalListener, {once: true});
 		}

 		const next = async () => {
--- a/dist/index.js
+++ b/dist/index.js
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -70,24 +70,24 @@
    ]
  },
  "dependencies": {
-    "@actions/attest": "^1.6.0",
+    "@actions/attest": "^2.1.0",
    "@actions/core": "^1.11.1"
  },
  "devDependencies": {
-    "@eslint/js": "^9.33.0",
+    "@eslint/js": "^9.39.2",
    "@types/jest": "^30.0.0",
-    "@types/node": "^24.2.1",
-    "@vercel/ncc": "^0.38.3",
-    "eslint": "^9.33.0",
+    "@types/node": "^25.0.2",
+    "@vercel/ncc": "^0.38.4",
+    "eslint": "^9.39.2",
    "eslint-plugin-import": "^2.32.0",
-    "eslint-plugin-jest": "^29.0.1",
-    "jest": "^30.0.5",
+    "eslint-plugin-jest": "^29.5.0",
+    "jest": "^30.2.0",
    "jose": "^5.9.6",
-    "markdownlint-cli": "^0.45.0",
-    "nock": "^14.0.9",
-    "prettier": "^3.6.2",
-    "ts-jest": "^29.4.1",
-    "typescript": "^5.9.2",
-    "typescript-eslint": "^8.39.0"
+    "markdownlint-cli": "^0.47.0",
+    "nock": "^14.0.10",
+    "prettier": "^3.7.4",
+    "ts-jest": "^29.4.6",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.49.0"
  }
 }