Update version to 3.2.0 (#334)

* update version to 3.2.0

Signed-off-by: Meredith Lancaster <malancas@github.com>

* regenerate package-lock

Signed-off-by: Meredith Lancaster <malancas@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>

.github/linters/.yaml-lint.yml

@@ -1,10 +0,0 @@
-rules:
-  document-end: disable
-  document-start:
-    level: warning
-    present: false
-  line-length:
-    level: warning
-    max: 80
-    allow-non-breakable-words: true
-    allow-non-breakable-inline-mappings: true

.github/linters/tsconfig.json

@@ -1,9 +0,0 @@
-{
-  "$schema": "https://json.schemastore.org/tsconfig",
-  "extends": "../../tsconfig.json",
-  "compilerOptions": {
-    "noEmit": true
-  },
-  "include": ["../../__tests__/**/*", "../../src/**/*"],
-  "exclude": ["../../dist", "../../node_modules", "../../coverage", "*.json"]
-}

.github/workflows/check-dist.yml

@@ -28,11 +28,11 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.1
 
       - name: Setup Node.js
         id: setup-node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6.1.0
         with:
           node-version-file: .node-version
           cache: npm
@@ -60,7 +60,7 @@ jobs:
       - if: ${{ failure() && steps.diff.outcome == 'failure' }}
         name: Upload Artifact
         id: upload
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: dist
           path: dist/

.github/workflows/ci.yml

@@ -21,11 +21,11 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.1
 
       - name: Setup Node.js
         id: setup-node
-        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version-file: .node-version
           cache: npm
@@ -58,7 +58,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.1
       - name: Calculate subject digest
         id: subject
         env:

.github/workflows/codeql-analysis.yml

@@ -32,19 +32,19 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.1
 
       - name: Initialize CodeQL
         id: initialize
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           source-root: src
 
       - name: Autobuild
         id: autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
         id: analyze
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4

.github/workflows/linter.yml

@@ -1,50 +0,0 @@
-name: Lint Codebase
-
-on:
-  pull_request:
-    branches:
-      - main
-  push:
-    branches:
-      - main
-
-permissions:
-  contents: read
-  packages: read
-  statuses: write
-
-jobs:
-  lint:
-    name: Lint Codebase
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        id: checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup Node.js
-        id: setup-node
-        uses: actions/setup-node@v4
-        with:
-          node-version-file: .node-version
-          cache: npm
-
-      - name: Install Dependencies
-        id: install
-        run: npm ci
-
-      - name: Lint Codebase
-        id: super-linter
-        uses: super-linter/super-linter/slim@v7
-        env:
-          DEFAULT_BRANCH: main
-          FILTER_REGEX_EXCLUDE: dist/**/*
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          TYPESCRIPT_DEFAULT_STYLE: prettier
-          VALIDATE_ALL_CODEBASE: true
-          VALIDATE_JAVASCRIPT_STANDARD: false
-          VALIDATE_TYPESCRIPT_STANDARD: false
-          VALIDATE_JSCPD: false

.github/workflows/publish-immutable-actions.yml

@@ -1,22 +0,0 @@
-name: 'Publish Immutable Action Version'
-
-on:
-  release:
-    types: [published]
-
-permissions: {}
-
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
-      packages: write
-
-    steps:
-      - name: Checking out
-        uses: actions/checkout@v4
-      - name: Publish
-        id: publish
-        uses: actions/publish-immutable-action@v0.0.4

.node-version

@@ -1 +1 @@
-20.6.0
+24.5.0

README.md

@@ -18,6 +18,12 @@ Once the attestation has been created and signed, it will be uploaded to the GH
 attestations API and associated with the repository from which the workflow was
 initiated.
 
+When an attestation is created, the attestation is stored on the local
+filesystem used by the runner. For each attestation created, the filesystem path
+will be appended to the file `${RUNNER_TEMP}/created_attestation_paths.txt`.
+This can be used to gather all attestations created by all jobs during a the
+workflow.
+
 Attestations can be verified using the [`attestation` command in the GitHub
 CLI][5].
 
@@ -27,11 +33,12 @@ information on artifact attestations.
 <!-- prettier-ignore-start -->
 > [!NOTE]
 > Artifact attestations are available in public repositories for all
-> current GitHub plans. They are not available on legacy plans, such as Bronze,
-> Silver, or Gold. If you are on a GitHub Free, GitHub Pro, or GitHub Team plan,
-> artifact attestations are only available for public repositories. To use
-> artifact attestations in private or internal repositories, you must be on a
-> GitHub Enterprise Cloud plan.
+> current GitHub plans.
+>
+> To use artifact attestations in private or internal repositories, you must
+> be on a GitHub Enterprise Cloud plan.
+>
+> Artifact attestations are NOT supported on GitHub Enterprise Server.
 <!-- prettier-ignore-end -->
 
 ## Usage
@@ -45,11 +52,13 @@ attest:
    permissions:
      id-token: write
      attestations: write
+     artifact-metadata: write
    ```
 
    The `id-token` permission gives the action the ability to mint the OIDC token
    necessary to request a Sigstore signing certificate. The `attestations`
-   permission is necessary to persist the attestation.
+   permission is necessary to persist the attestation. The `artifact-metadata`
+   permission is necessary to create the artifact storage record.
 
 1. Add the following to your workflow after your artifact has been built:
 
@@ -64,7 +73,7 @@ attest:
    The `subject-path` parameter should identify the artifact for which you want
    to generate an attestation. The `predicate-type` can be any of the the
    [vetted predicate types][3] or a custom value. The `predicate-path`
-   identifies a file containg the JSON-encoded predicate parameters.
+   identifies a file containing the JSON-encoded predicate parameters.
 
 ### Inputs
 
@@ -111,6 +120,12 @@ See [action.yml](action.yml)
     # the "subject-digest" parameter be specified. Defaults to false.
     push-to-registry:
 
+    # Whether to create a storage record for the artifact.
+    # Requires that push-to-registry is set to true.
+    # Requires that the "subject-name" parameter specify the fully-qualified
+    # image name. Defaults to true.
+    create-storage-record:
+
     # Whether to attach a list of generated attestations to the workflow run
     # summary page. Defaults to true.
     show-summary:
@@ -124,11 +139,12 @@ See [action.yml](action.yml)
 
 <!-- markdownlint-disable MD013 -->
 
-| Name              | Description                                                    | Example                                          |
-| ----------------- | -------------------------------------------------------------- | ------------------------------------------------ |
-| `attestation-id`  | GitHub ID for the attestation                                  | `123456`                                         |
-| `attestation-url` | URL for the attestation summary                                | `https://github.com/foo/bar/attestations/123456` |
-| `bundle-path`     | Absolute path to the file containing the generated attestation | `/tmp/attestation.json`                          |
+| Name                 | Description                                                    | Example                                          |
+| -------------------  | -------------------------------------------------------------- | ------------------------------------------------ |
+| `attestation-id`     | GitHub ID for the attestation                                  | `123456`                                         |
+| `attestation-url`    | URL for the attestation summary                                | `https://github.com/foo/bar/attestations/123456` |
+| `bundle-path`        | Absolute path to the file containing the generated attestation | `/tmp/attestation.json`                          |
+| `storage-record-ids` | GitHub IDs for the storage records                             | `987654`                                         |
 
 <!-- markdownlint-enable MD013 -->
 
@@ -262,6 +278,10 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
 "acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
 the specific image being attested is identified by the supplied digest.
 
+If the `push-to-registry` option is set to true, the Action will also
+emit an Artifact Metadata Storage Record. If you do not want to emit a
+storage record, set `create-storage-record` to `false`.
+
 > **NOTE**: When pushing to Docker Hub, please use "docker.io" as the registry
 > portion of the image name.
 
@@ -280,6 +300,7 @@ jobs:
       packages: write
       contents: read
       attestations: write
+      artifact-metadata: write
     env:
       REGISTRY: ghcr.io
       IMAGE_NAME: ${{ github.repository }}

__tests__/main.test.ts

@@ -9,6 +9,8 @@ import * as core from '@actions/core'
 import * as github from '@actions/github'
 import { mockFulcio, mockRekor, mockTSA } from '@sigstore/mock'
 import * as oci from '@sigstore/oci'
+import * as attest from '@actions/attest'
+import * as localAttest from '../src/attest'
 import fs from 'fs/promises'
 import nock from 'nock'
 import os from 'os'
@@ -19,6 +21,7 @@ import * as main from '../src/main'
 
 // Mock the GitHub Actions core library
 const infoMock = jest.spyOn(core, 'info')
+const warningMock = jest.spyOn(core, 'warning')
 const startGroupMock = jest.spyOn(core, 'startGroup')
 const setOutputMock = jest.spyOn(core, 'setOutput')
 const setFailedMock = jest.spyOn(core, 'setFailed')
@@ -27,7 +30,7 @@ const setFailedMock = jest.spyOn(core, 'setFailed')
 setFailedMock.mockImplementation(() => {})
 
 const summaryWriteMock = jest.spyOn(core.summary, 'write')
-summaryWriteMock.mockImplementation(async () => Promise.resolve(core.summary))
+summaryWriteMock.mockResolvedValue(core.summary)
 
 // Mock the action's main function
 const runMock = jest.spyOn(main, 'run')
@@ -45,6 +48,7 @@ const defaultInputs: main.RunInputs = {
   subjectPath: '',
   subjectChecksums: '',
   pushToRegistry: false,
+  createStorageRecord: true,
   showSummary: true,
   githubToken: '',
   privateSigning: false
@@ -66,13 +70,14 @@ describe('action', () => {
     'base64'
   )}.}`
 
-  const subjectName = 'registry/foo/bar'
+  const subjectName = 'ghcr.io/registry/foo/bar'
   const subjectDigest =
     'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
   const predicate = '{}'
   const predicateType = 'https://in-toto.io/attestation/release/v0.1'
 
   const attestationID = '1234567890'
+  const storageRecordID = 987654321
 
   beforeEach(() => {
     jest.clearAllMocks()
@@ -82,14 +87,21 @@ describe('action', () => {
       .query({ audience: 'sigstore' })
       .reply(200, { value: oidcToken })
 
-    mockAgent
-      .get('https://api.github.com')
+    const pool = mockAgent.get('https://api.github.com')
+    pool
       .intercept({
         path: /^\/repos\/.*\/.*\/attestations$/,
         method: 'post'
       })
       .reply(201, { id: attestationID })
 
+    pool
+      .intercept({
+        path: /^\/orgs\/.*\/artifacts\/metadata\/storage-record$/,
+        method: 'post'
+      })
+      .reply(200, { storage_records: [{ id: storageRecordID }] })
+
     process.env = {
       ...originalEnv,
       ACTIONS_ID_TOKEN_REQUEST_URL: tokenURL,
@@ -219,6 +231,9 @@ describe('action', () => {
   describe('when the repository is public', () => {
     const getRegCredsSpy = jest.spyOn(oci, 'getRegistryCredentials')
     const attachArtifactSpy = jest.spyOn(oci, 'attachArtifactToImage')
+    const repoOwnerIsOrgSpy = jest.spyOn(localAttest, 'repoOwnerIsOrg')
+    const createStorageRecordSpy = jest.spyOn(attest, 'createStorageRecord')
+    const createAttestationSpy = jest.spyOn(localAttest, 'createAttestation')
 
     const inputs: main.RunInputs = {
       ...defaultInputs,
@@ -247,13 +262,12 @@ describe('action', () => {
         username: 'username',
         password: 'password'
       }))
-      attachArtifactSpy.mockImplementation(async () =>
-        Promise.resolve({
-          digest: 'sha256:123456',
-          mediaType: 'application/vnd.cncf.notary.v2',
-          size: 123456
-        })
-      )
+      attachArtifactSpy.mockResolvedValue({
+        digest: 'sha256:123456',
+        mediaType: 'application/vnd.cncf.notary.v2',
+        size: 123456
+      })
+      repoOwnerIsOrgSpy.mockResolvedValue(true)
     })
 
     it('invokes the action w/o error', async () => {
@@ -263,6 +277,10 @@ describe('action', () => {
       expect(setFailedMock).not.toHaveBeenCalled()
       expect(getRegCredsSpy).toHaveBeenCalledWith(subjectName)
       expect(attachArtifactSpy).toHaveBeenCalled()
+      expect(createAttestationSpy).toHaveBeenCalled()
+      expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
+      expect(createStorageRecordSpy).toHaveBeenCalled()
+      expect(warningMock).not.toHaveBeenCalled()
       expect(infoMock).toHaveBeenNthCalledWith(
         1,
         expect.stringMatching(
@@ -293,6 +311,14 @@ describe('action', () => {
         6,
         expect.stringMatching(attestationID)
       )
+      expect(infoMock).toHaveBeenNthCalledWith(
+        9,
+        expect.stringMatching('Storage record created')
+      )
+      expect(infoMock).toHaveBeenNthCalledWith(
+        10,
+        expect.stringMatching('Storage record IDs: 987654321')
+      )
       expect(setOutputMock).toHaveBeenNthCalledWith(
         1,
         'bundle-path',
@@ -308,6 +334,65 @@ describe('action', () => {
         'attestation-url',
         expect.stringContaining(`foo/bar/attestations/${attestationID}`)
       )
+      expect(setOutputMock).toHaveBeenNthCalledWith(
+        4,
+        'storage-record-ids',
+        expect.stringMatching(storageRecordID.toString())
+      )
+      expect(setFailedMock).not.toHaveBeenCalled()
+    })
+
+    it('catches error when storage record creation fails and continues', async () => {
+      // Mock the createStorageRecord function and throw an error
+      createStorageRecordSpy.mockRejectedValueOnce(
+        new Error('Failed to persist storage record: Not Found')
+      )
+
+      await main.run(inputs)
+
+      expect(runMock).toHaveReturned()
+      expect(createAttestationSpy).toHaveBeenCalled()
+      expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
+      expect(createStorageRecordSpy).toHaveBeenCalled()
+      expect(setFailedMock).not.toHaveBeenCalled()
+      expect(warningMock).toHaveBeenNthCalledWith(
+        1,
+        expect.stringMatching('Failed to create storage record')
+      )
+    })
+
+    it('does not create a storage record when the repo is owned by a user', async () => {
+      repoOwnerIsOrgSpy.mockResolvedValueOnce(false)
+
+      await main.run(inputs)
+
+      expect(runMock).toHaveReturned()
+      expect(setFailedMock).not.toHaveBeenCalled()
+      expect(getRegCredsSpy).toHaveBeenCalledWith(subjectName)
+      expect(attachArtifactSpy).toHaveBeenCalled()
+      expect(createAttestationSpy).toHaveBeenCalled()
+      expect(repoOwnerIsOrgSpy).toHaveBeenCalled()
+      expect(createStorageRecordSpy).not.toHaveBeenCalled()
+      expect(warningMock).not.toHaveBeenCalled()
+      expect(infoMock).toHaveBeenCalledWith(
+        expect.stringMatching(
+          `Attestation created for ${subjectName}@${subjectDigest}`
+        )
+      )
+      expect(infoMock).not.toHaveBeenCalledWith(
+        expect.stringMatching('Storage record created')
+      )
+      expect(infoMock).not.toHaveBeenCalledWith(
+        expect.stringMatching('Storage record IDs: 987654321')
+      )
+      expect(setOutputMock).toHaveBeenCalledWith(
+        'attestation-id',
+        expect.stringMatching(attestationID)
+      )
+      expect(setOutputMock).not.toHaveBeenCalledWith(
+        'storage-record-ids',
+        expect.stringMatching(storageRecordID.toString())
+      )
       expect(setFailedMock).not.toHaveBeenCalled()
     })
   })

__tests__/subject.test.ts

@@ -99,7 +99,7 @@ describe('subjectFromInputs', () => {
       })
     })
 
-    describe('when the alogrithm is not supported', () => {
+    describe('when the algorithm is not supported', () => {
       it('throws an error', async () => {
         const inputs: SubjectInputs = {
           ...blankInputs,
@@ -473,6 +473,13 @@ badline
               '187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d'
           }
         })
+        expect(subjects).toContainEqual({
+          name: 'demo_0.0.1_darwin_arm64',
+          digest: {
+            sha512:
+              '5d8b4751ef31f9440d843fcfa4e53ca2e25b1cb1f13fd355fdc7c24b41fe645293291ea9297ba3989078abb77ebbaac66be073618a9e4974dbd0361881d4c718'
+          }
+        })
       })
     })
   })
@@ -480,8 +487,8 @@ badline
   describe('when specifying a subject checksums string', () => {
     const checksums = `
 f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e  demo_0.0.1_linux_386
-187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d  demo_0.0.1_linux_amd64
-9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5  demo_0.0.1_linux_arm64`
+187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d *demo_0.0.1_linux_amd64
+9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5 demo_0.0.1_linux_arm64`
 
     it('returns the multiple subjects', async () => {
       const inputs: SubjectInputs = {
@@ -500,6 +507,20 @@ f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e  demo_0.0.1_lin
             'f861e68a080799ca83104630b56abb90d8dbcc5f8b5a8639cb691e269838f29e'
         }
       })
+      expect(subjects).toContainEqual({
+        name: 'demo_0.0.1_linux_amd64',
+        digest: {
+          sha256:
+            '187dcd1506a170337415589ff00c8743f19d41cc31fca246c2739dfd450d0b9d'
+        }
+      })
+      expect(subjects).toContainEqual({
+        name: 'demo_0.0.1_linux_arm64',
+        digest: {
+          sha256:
+            '9ecbf449e286a8a8748c161c52aa28b6b2fc64ab86f94161c5d1b3abc18156c5'
+        }
+      })
     })
   })
 

action.yml

@@ -53,6 +53,12 @@ inputs:
       the "subject-digest" parameter be specified. Defaults to false.
     default: false
     required: false
+  create-storage-record:
+    description: >
+      Whether to create a storage record for the artifact.
+      Requires that push-to-registry is set to true. Defaults to true.
+    default: true
+    required: false
   show-summary:
     description: >
       Whether to attach a list of generated attestations to the workflow run
@@ -71,7 +77,9 @@ outputs:
     description: 'The ID of the attestation.'
   attestation-url:
     description: 'The URL for the attestation summary.'
+  storage-record-ids:
+    description: 'The IDs of the storage records created for the artifact.'
 
 runs:
-  using: node20
+  using: node24
   main: ./dist/index.js

eslint.config.mjs

@@ -1,13 +1,14 @@
 import eslint from '@eslint/js'
 import importplugin from 'eslint-plugin-import'
 import jestplugin from 'eslint-plugin-jest'
+import path from 'node:path'
 import tseslint from 'typescript-eslint'
 
 export default tseslint.config(
   // Ignore non-project files
   {
     name: 'ignore',
-    ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js']
+    ignores: ['.github', 'dist', 'coverage', '**/*.json', 'jest.setup.js', 'eslint.config.mjs']
   },
   // Use recommended rules from ESLint, TypeScript, and other plugins
   eslint.configs.recommended,
@@ -21,7 +22,7 @@ export default tseslint.config(
     languageOptions: {
       ecmaVersion: 2023,
       parserOptions: {
-        project: ['./.github/linters/tsconfig.json', './tsconfig.json']
+        project: [ './tsconfig.lint.json' ]
       }
     },
     rules: {

package.json

@@ -1,7 +1,7 @@
 {
   "name": "actions/attest",
   "description": "Generate signed attestations for workflow artifacts",
-  "version": "2.2.0",
+  "version": "3.2.0",
   "author": "",
   "private": true,
   "homepage": "https://github.com/actions/attest",
@@ -20,15 +20,15 @@
     ".": "./dist/index.js"
   },
   "engines": {
-    "node": ">=20"
+    "node": ">=24"
   },
   "scripts": {
     "bundle": "npm run format:write && npm run package",
     "ci-test": "jest",
     "format:write": "prettier --write **/*.ts",
     "format:check": "prettier --check **/*.ts",
-    "lint:eslint": "npx eslint . -c ./.github/linters/eslint.config.mjs",
-    "lint:markdown": "npx markdownlint --config .github/linters/.markdown-lint.yml \"*.md\"",
+    "lint:eslint": "npx eslint",
+    "lint:markdown": "npx markdownlint --config .markdown-lint.yml \"*.md\"",
     "lint": "npm run lint:eslint && npm run lint:markdown",
     "package": "ncc build src/index.ts --license licenses.txt",
     "package:watch": "npm run package -- --watch",
@@ -69,31 +69,31 @@
     ]
   },
   "dependencies": {
-    "@actions/attest": "^1.5.0",
-    "@actions/core": "^1.11.1",
-    "@actions/github": "^6.0.0",
+    "@actions/attest": "^2.1.0",
+    "@actions/core": "^2.0.1",
+    "@actions/github": "^6.0.1",
     "@actions/glob": "^0.5.0",
-    "@sigstore/oci": "^0.4.0",
+    "@sigstore/oci": "^0.6.0",
     "csv-parse": "^5.6.0"
   },
   "devDependencies": {
-    "@eslint/js": "^9.18.0",
-    "@sigstore/mock": "^0.9.0",
-    "@types/jest": "^29.5.14",
+    "@eslint/js": "^9.39.2",
+    "@sigstore/mock": "^0.11.0",
+    "@types/jest": "^30.0.0",
     "@types/make-fetch-happen": "^10.0.4",
-    "@types/node": "^22.10.7",
-    "@vercel/ncc": "^0.38.3",
-    "eslint": "^9.18.0",
-    "eslint-plugin-import": "^2.31.0",
-    "eslint-plugin-jest": "^28.11.0",
-    "jest": "^29.7.0",
-    "js-yaml": "^4.1.0",
-    "markdownlint-cli": "^0.43.0",
+    "@types/node": "^25.0.3",
+    "@vercel/ncc": "^0.38.4",
+    "eslint": "^9.39.2",
+    "eslint-plugin-import": "^2.32.0",
+    "eslint-plugin-jest": "^29.9.0",
+    "jest": "^30.2.0",
+    "js-yaml": "^4.1.1",
+    "markdownlint-cli": "^0.47.0",
     "nock": "^13.5.6",
-    "prettier": "^3.4.2",
-    "ts-jest": "^29.2.5",
-    "typescript": "^5.7.3",
-    "typescript-eslint": "^8.21.0",
-    "undici": "^5.28.4"
+    "prettier": "^3.7.4",
+    "ts-jest": "^29.4.6",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.50.1",
+    "undici": "^7.18.2"
   }
 }

src/attest.ts

@@ -1,6 +1,14 @@
-import { Attestation, Predicate, Subject, attest } from '@actions/attest'
+import {
+  Attestation,
+  Predicate,
+  Subject,
+  attest,
+  createStorageRecord
+} from '@actions/attest'
 import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
 import { formatSubjectDigest } from './subject'
+import * as core from '@actions/core'
+import * as github from '@actions/github'
 
 const OCI_TIMEOUT = 30000
 const OCI_RETRY = 3
@@ -8,6 +16,7 @@ const OCI_RETRY = 3
 export type SigstoreInstance = 'public-good' | 'github'
 export type AttestResult = Attestation & {
   attestationDigest?: string
+  storageRecordIds?: number[]
 }
 
 export const createAttestation = async (
@@ -16,6 +25,7 @@ export const createAttestation = async (
   opts: {
     sigstoreInstance: SigstoreInstance
     pushToRegistry: boolean
+    createStorageRecord: boolean
     githubToken: string
   }
 ): Promise<AttestResult> => {
@@ -33,10 +43,11 @@ export const createAttestation = async (
   if (subjects.length === 1 && opts.pushToRegistry) {
     const subject = subjects[0]
     const credentials = getRegistryCredentials(subject.name)
+    const subjectDigest = formatSubjectDigest(subject)
     const artifact = await attachArtifactToImage({
       credentials,
       imageName: subject.name,
-      imageDigest: formatSubjectDigest(subject),
+      imageDigest: subjectDigest,
       artifact: Buffer.from(JSON.stringify(attestation.bundle)),
       mediaType: attestation.bundle.mediaType,
       annotations: {
@@ -48,7 +59,78 @@ export const createAttestation = async (
 
     // Add the attestation's digest to the result
     result.attestationDigest = artifact.digest
+
+    // Because creating a storage record requires the 'artifact-metadata:write'
+    // permission, we wrap this in a try/catch to avoid failing the entire
+    // attestation process if the token does not have the correct permissions.
+    if (opts.createStorageRecord) {
+      try {
+        const token = opts.githubToken
+        const isOrg = await repoOwnerIsOrg(token)
+        if (!isOrg) {
+          // The Artifact Metadata Storage Record API is only available to
+          // organizations. So if the repo owner is not an organization,
+          // storage record creation should not be attempted.
+          return result
+        }
+
+        const registryUrl = getRegistryURL(subject.name)
+        const artifactOpts = {
+          name: subject.name,
+          digest: subjectDigest
+        }
+        const packageRegistryOpts = {
+          registryUrl
+        }
+        const records = await createStorageRecord(
+          artifactOpts,
+          packageRegistryOpts,
+          token
+        )
+
+        if (!records || records.length === 0) {
+          core.warning('No storage records were created.')
+        }
+
+        result.storageRecordIds = records
+      } catch (error) {
+        core.warning(`Failed to create storage record: ${error}`)
+        core.warning(
+          'Please check that the "artifact-metadata:write" permission has been included'
+        )
+      }
+    }
   }
 
   return result
 }
+
+// Call the GET /repos/{owner}/{repo} endpoint to determine if the repo
+// owner is an organization. This is used to determine if storage
+// record creation should be attempted.
+export const repoOwnerIsOrg = async (githubToken: string): Promise<boolean> => {
+  const octokit = github.getOctokit(githubToken)
+  const { data: repo } = await octokit.rest.repos.get({
+    owner: github.context.repo.owner,
+    repo: github.context.repo.repo
+  })
+  return repo.owner?.type === 'Organization'
+}
+
+function getRegistryURL(subjectName: string): string {
+  let url: URL
+
+  try {
+    url = new URL(subjectName)
+  } catch {
+    url = new URL(`https://${subjectName}`)
+  }
+
+  if (url.protocol !== 'https:') {
+    throw new Error(
+      `Unsupported protocol ${url.protocol} in subject name ${subjectName}`
+    )
+  }
+
+  return url.origin
+}

src/index.ts

@@ -13,6 +13,7 @@ const inputs: RunInputs = {
   predicate: core.getInput('predicate'),
   predicatePath: core.getInput('predicate-path'),
   pushToRegistry: core.getBooleanInput('push-to-registry'),
+  createStorageRecord: core.getBooleanInput('create-storage-record'),
   showSummary: core.getBooleanInput('show-summary'),
   githubToken: core.getInput('github-token'),
   // undocumented -- not part of public interface

src/main.ts

@@ -16,10 +16,12 @@ import {
 import type { Subject } from '@actions/attest'
 
 const ATTESTATION_FILE_NAME = 'attestation.json'
+const ATTESTATION_PATHS_FILE_NAME = 'created_attestation_paths.txt'
 
 export type RunInputs = SubjectInputs &
   PredicateInputs & {
     pushToRegistry: boolean
+    createStorageRecord: boolean
     githubToken: string
     showSummary: boolean
     privateSigning: boolean
@@ -68,6 +70,7 @@ export async function run(inputs: RunInputs): Promise<void> {
     const att = await createAttestation(subjects, predicate, {
       sigstoreInstance,
       pushToRegistry: inputs.pushToRegistry,
+      createStorageRecord: inputs.createStorageRecord,
       githubToken: inputs.githubToken
     })
 
@@ -79,11 +82,31 @@ export async function run(inputs: RunInputs): Promise<void> {
       flag: 'a'
     })
 
+    const baseDir = process.env.RUNNER_TEMP
+    /* istanbul ignore else */
+    if (baseDir) {
+      const outputSummaryPath = path.join(baseDir, ATTESTATION_PATHS_FILE_NAME)
+      // Append the output path to the attestations paths file
+      fs.appendFileSync(outputSummaryPath, outputPath + os.EOL, {
+        encoding: 'utf-8',
+        flag: 'a'
+      })
+    } else {
+      core.warning(
+        'RUNNER_TEMP environment variable is not set. Cannot write attestation paths file.'
+      )
+    }
+
+    /* istanbul ignore else */
     if (att.attestationID) {
       core.setOutput('attestation-id', att.attestationID)
       core.setOutput('attestation-url', attestationURL(att.attestationID))
     }
+    if (att.storageRecordIds) {
+      core.setOutput('storage-record-ids', att.storageRecordIds.join(','))
+    }
 
+    /* istanbul ignore else */
     if (inputs.showSummary) {
       await logSummary(att)
     }
@@ -141,6 +164,7 @@ const logAttestation = (
     core.info(`${SEARCH_PUBLIC_GOOD_URL}?logIndex=${attestation.tlogID}`)
   }
 
+  /* istanbul ignore else */
   if (attestation.attestationID) {
     core.info(style.highlight('Attestation uploaded to repository'))
     core.info(attestationURL(attestation.attestationID))
@@ -150,12 +174,18 @@ const logAttestation = (
     core.info(style.highlight('Attestation uploaded to registry'))
     core.info(`${subjects[0].name}@${attestation.attestationDigest}`)
   }
+
+  if (attestation.storageRecordIds && attestation.storageRecordIds.length > 0) {
+    core.info(style.highlight('Storage record created'))
+    core.info(`Storage record IDs: ${attestation.storageRecordIds.join(',')}`)
+  }
 }
 
 // Attach summary information to the GitHub Actions run
 const logSummary = async (attestation: AttestResult): Promise<void> => {
   const { attestationID } = attestation
 
+  /* istanbul ignore else */
   if (attestationID) {
     const url = attestationURL(attestationID)
     core.summary.addHeading('Attestation Created', 3)

src/subject.ts

@@ -181,8 +181,14 @@ const getSubjectFromChecksumsString = (checksums: string): Subject[] => {
       continue
     }
 
-    // Swallow the type identifier character at the beginning of the name
-    const name = record.slice(delimIndex + 2)
+    // It's common for checksum records to have a leading flag character before
+    // the artifact name. It will be either a '*' or a space.
+    const flag_and_name = record.slice(delimIndex + 1)
+    const name =
+      flag_and_name.startsWith('*') || flag_and_name.startsWith(' ')
+        ? flag_and_name.slice(1)
+        : flag_and_name
+
     const digest = record.slice(0, delimIndex)
 
     if (!HEX_STRING_RE.test(digest)) {

tsconfig.json

@@ -5,6 +5,7 @@
     "module": "NodeNext",
     "rootDir": "./src",
     "moduleResolution": "NodeNext",
+    "isolatedModules": true,
     "baseUrl": "./",
     "sourceMap": true,
     "outDir": "./dist",

tsconfig.lint.json

@@ -0,0 +1,9 @@
+{
+  "$schema": "https://json.schemastore.org/tsconfig",
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "noEmit": true
+  },
+  "include": ["./__tests__/**/*", "./src/**/*"],
+  "exclude": ["./dist", "./node_modules", "./coverage", "*.json"]
+}