Create Artifact Metadata Storage Record on registry push (#313)

* first pass at creating storage record

Signed-off-by: Meredith Lancaster <malancas@github.com>

* include storage record param in action config

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use latest actions/attest version

Signed-off-by: Meredith Lancaster <malancas@github.com>

* update storage record params

Signed-off-by: Meredith Lancaster <malancas@github.com>

* include storage record id in result

Signed-off-by: Meredith Lancaster <malancas@github.com>

* regenerate dist

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add documentation on storage records

Signed-off-by: Meredith Lancaster <malancas@github.com>

* log storage record creation

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add storage record output

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add new param

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add storage record id output

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix linter errors

Signed-off-by: Meredith Lancaster <malancas@github.com>

* return all storage record ids

Signed-off-by: Meredith Lancaster <malancas@github.com>

* bump minor version

Signed-off-by: Meredith Lancaster <malancas@github.com>

* use expect string match function

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add try catch block for storage record creation

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix table column spacing

Signed-off-by: Meredith Lancaster <malancas@github.com>

* check for protocol

Signed-off-by: Meredith Lancaster <malancas@github.com>

* check for artifact url protocol

Signed-off-by: Meredith Lancaster <malancas@github.com>

* only fill registry_url for now

Signed-off-by: Meredith Lancaster <malancas@github.com>

* cleanup protocol handling

Signed-off-by: Meredith Lancaster <malancas@github.com>

* regenerate dist

Signed-off-by: Meredith Lancaster <malancas@github.com>

* handle subject name correctly

Signed-off-by: Meredith Lancaster <malancas@github.com>

* move test

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add back assert statements

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add back output assert statements

Signed-off-by: Meredith Lancaster <malancas@github.com>

* Apply suggestion from @Copilot

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Apply suggestion from @Copilot

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Apply suggestion from @Copilot

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* use url for subject name parsing

Signed-off-by: Meredith Lancaster <malancas@github.com>

* add missing test setpu

Signed-off-by: Meredith Lancaster <malancas@github.com>

* fix storage record fail test

Signed-off-by: Meredith Lancaster <malancas@github.com>

* regenerate dist

Signed-off-by: Meredith Lancaster <malancas@github.com>

---------

Signed-off-by: Meredith Lancaster <malancas@github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

.github/workflows/check-dist.yml

@@ -28,11 +28,11 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6.0.1
 
       - name: Setup Node.js
         id: setup-node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6.1.0
         with:
           node-version-file: .node-version
           cache: npm
@@ -60,7 +60,7 @@ jobs:
       - if: ${{ failure() && steps.diff.outcome == 'failure' }}
         name: Upload Artifact
         id: upload
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v6
         with:
           name: dist
           path: dist/

.github/workflows/ci.yml

@@ -21,11 +21,11 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.1
 
       - name: Setup Node.js
         id: setup-node
-        uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version-file: .node-version
           cache: npm
@@ -58,7 +58,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5.0.1
       - name: Calculate subject digest
         id: subject
         env:

.github/workflows/codeql-analysis.yml

@@ -32,19 +32,19 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6.0.1
 
       - name: Initialize CodeQL
         id: initialize
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: ${{ matrix.language }}
           source-root: src
 
       - name: Autobuild
         id: autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4
 
       - name: Perform CodeQL Analysis
         id: analyze
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4

README.md

@@ -52,11 +52,13 @@ attest:
    permissions:
      id-token: write
      attestations: write
+     artifact-metadata: write
    ```
 
    The `id-token` permission gives the action the ability to mint the OIDC token
    necessary to request a Sigstore signing certificate. The `attestations`
-   permission is necessary to persist the attestation.
+   permission is necessary to persist the attestation. The `artifact-metadata`
+   permission is necessary to create the artifact storage record.
 
 1. Add the following to your workflow after your artifact has been built:
 
@@ -118,6 +120,12 @@ See [action.yml](action.yml)
     # the "subject-digest" parameter be specified. Defaults to false.
     push-to-registry:
 
+    # Whether to create a storage record for the artifact.
+    # Requires that push-to-registry is set to true.
+    # Requires that the "subject-name" parameter specify the fully-qualified
+    # image name. Defaults to true.
+    create-storage-record:
+
     # Whether to attach a list of generated attestations to the workflow run
     # summary page. Defaults to true.
     show-summary:
@@ -131,11 +139,12 @@ See [action.yml](action.yml)
 
 <!-- markdownlint-disable MD013 -->
 
-| Name              | Description                                                    | Example                                          |
-| ----------------- | -------------------------------------------------------------- | ------------------------------------------------ |
-| `attestation-id`  | GitHub ID for the attestation                                  | `123456`                                         |
-| `attestation-url` | URL for the attestation summary                                | `https://github.com/foo/bar/attestations/123456` |
-| `bundle-path`     | Absolute path to the file containing the generated attestation | `/tmp/attestation.json`                          |
+| Name                 | Description                                                    | Example                                          |
+| -------------------  | -------------------------------------------------------------- | ------------------------------------------------ |
+| `attestation-id`     | GitHub ID for the attestation                                  | `123456`                                         |
+| `attestation-url`    | URL for the attestation summary                                | `https://github.com/foo/bar/attestations/123456` |
+| `bundle-path`        | Absolute path to the file containing the generated attestation | `/tmp/attestation.json`                          |
+| `storage-record-ids` | GitHub IDs for the storage records                             | `987654`                                         |
 
 <!-- markdownlint-enable MD013 -->
 
@@ -269,6 +278,10 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
 "acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
 the specific image being attested is identified by the supplied digest.
 
+If the `push-to-registry` option is set to true, the Action will also
+emit an Artifact Metadata Storage Record. If you do not want to emit a
+storage record, set `create-storage-record` to `false`.
+
 > **NOTE**: When pushing to Docker Hub, please use "docker.io" as the registry
 > portion of the image name.
 
@@ -287,6 +300,7 @@ jobs:
       packages: write
       contents: read
       attestations: write
+      artifact-metadata: write
     env:
       REGISTRY: ghcr.io
       IMAGE_NAME: ${{ github.repository }}

__tests__/main.test.ts

@@ -9,6 +9,7 @@ import * as core from '@actions/core'
 import * as github from '@actions/github'
 import { mockFulcio, mockRekor, mockTSA } from '@sigstore/mock'
 import * as oci from '@sigstore/oci'
+import * as attest from '@actions/attest'
 import fs from 'fs/promises'
 import nock from 'nock'
 import os from 'os'
@@ -19,6 +20,7 @@ import * as main from '../src/main'
 
 // Mock the GitHub Actions core library
 const infoMock = jest.spyOn(core, 'info')
+const warningMock = jest.spyOn(core, 'warning')
 const startGroupMock = jest.spyOn(core, 'startGroup')
 const setOutputMock = jest.spyOn(core, 'setOutput')
 const setFailedMock = jest.spyOn(core, 'setFailed')
@@ -45,6 +47,7 @@ const defaultInputs: main.RunInputs = {
   subjectPath: '',
   subjectChecksums: '',
   pushToRegistry: false,
+  createStorageRecord: true,
   showSummary: true,
   githubToken: '',
   privateSigning: false
@@ -66,13 +69,14 @@ describe('action', () => {
     'base64'
   )}.}`
 
-  const subjectName = 'registry/foo/bar'
+  const subjectName = 'ghcr.io/registry/foo/bar'
   const subjectDigest =
     'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
   const predicate = '{}'
   const predicateType = 'https://in-toto.io/attestation/release/v0.1'
 
   const attestationID = '1234567890'
+  const storageRecordID = 987654321
 
   beforeEach(() => {
     jest.clearAllMocks()
@@ -82,14 +86,21 @@ describe('action', () => {
       .query({ audience: 'sigstore' })
       .reply(200, { value: oidcToken })
 
-    mockAgent
-      .get('https://api.github.com')
+    const pool = mockAgent.get('https://api.github.com')
+    pool
       .intercept({
         path: /^\/repos\/.*\/.*\/attestations$/,
         method: 'post'
       })
       .reply(201, { id: attestationID })
 
+    pool
+      .intercept({
+        path: /^\/orgs\/.*\/artifacts\/metadata\/storage-record$/,
+        method: 'post'
+      })
+      .reply(200, { storage_records: [{ id: storageRecordID }] })
+
     process.env = {
       ...originalEnv,
       ACTIONS_ID_TOKEN_REQUEST_URL: tokenURL,
@@ -263,6 +274,7 @@ describe('action', () => {
       expect(setFailedMock).not.toHaveBeenCalled()
       expect(getRegCredsSpy).toHaveBeenCalledWith(subjectName)
       expect(attachArtifactSpy).toHaveBeenCalled()
+      expect(warningMock).not.toHaveBeenCalled()
       expect(infoMock).toHaveBeenNthCalledWith(
         1,
         expect.stringMatching(
@@ -293,6 +305,14 @@ describe('action', () => {
         6,
         expect.stringMatching(attestationID)
       )
+      expect(infoMock).toHaveBeenNthCalledWith(
+        9,
+        expect.stringMatching('Storage record created')
+      )
+      expect(infoMock).toHaveBeenNthCalledWith(
+        10,
+        expect.stringMatching('Storage record IDs: 987654321')
+      )
       expect(setOutputMock).toHaveBeenNthCalledWith(
         1,
         'bundle-path',
@@ -308,8 +328,30 @@ describe('action', () => {
         'attestation-url',
         expect.stringContaining(`foo/bar/attestations/${attestationID}`)
       )
+      expect(setOutputMock).toHaveBeenNthCalledWith(
+        4,
+        'storage-record-ids',
+        expect.stringMatching(storageRecordID.toString())
+      )
       expect(setFailedMock).not.toHaveBeenCalled()
     })
+
+    it('catches error when storage record creation fails and continues', async () => {
+      // Mock the createStorageRecord function and throw an error
+      const createStorageRecordSpy = jest.spyOn(attest, 'createStorageRecord')
+      createStorageRecordSpy.mockRejectedValueOnce(
+        new Error('Failed to persist storage record: Not Found')
+      )
+
+      await main.run(inputs)
+
+      expect(runMock).toHaveReturned()
+      expect(setFailedMock).not.toHaveBeenCalled()
+      expect(warningMock).toHaveBeenNthCalledWith(
+        1,
+        expect.stringMatching('Failed to create storage record')
+      )
+    })
   })
 
   describe('when the subject count is greater than 1', () => {

action.yml

@@ -53,6 +53,12 @@ inputs:
       the "subject-digest" parameter be specified. Defaults to false.
     default: false
     required: false
+  create-storage-record:
+    description: >
+      Whether to create a storage record for the artifact.
+      Requires that push-to-registry is set to true. Defaults to true.
+    default: true
+    required: false
   show-summary:
     description: >
       Whether to attach a list of generated attestations to the workflow run
@@ -71,6 +77,8 @@ outputs:
     description: 'The ID of the attestation.'
   attestation-url:
     description: 'The URL for the attestation summary.'
+  storage-record-ids:
+    description: 'The IDs of the storage records created for the artifact.'
 
 runs:
   using: node24

package.json

@@ -1,7 +1,7 @@
 {
   "name": "actions/attest",
   "description": "Generate signed attestations for workflow artifacts",
-  "version": "3.0.0",
+  "version": "3.1.0",
   "author": "",
   "private": true,
   "homepage": "https://github.com/actions/attest",
@@ -69,31 +69,31 @@
     ]
   },
   "dependencies": {
-    "@actions/attest": "^1.6.0",
-    "@actions/core": "^1.11.1",
+    "@actions/attest": "^2.1.0",
+    "@actions/core": "^2.0.1",
     "@actions/github": "^6.0.1",
     "@actions/glob": "^0.5.0",
     "@sigstore/oci": "^0.6.0",
     "csv-parse": "^5.6.0"
   },
   "devDependencies": {
-    "@eslint/js": "^9.34.0",
+    "@eslint/js": "^9.39.2",
     "@sigstore/mock": "^0.11.0",
     "@types/jest": "^30.0.0",
     "@types/make-fetch-happen": "^10.0.4",
-    "@types/node": "^24.3.0",
-    "@vercel/ncc": "^0.38.3",
-    "eslint": "^9.34.0",
+    "@types/node": "^25.0.2",
+    "@vercel/ncc": "^0.38.4",
+    "eslint": "^9.39.2",
     "eslint-plugin-import": "^2.32.0",
-    "eslint-plugin-jest": "^29.0.1",
-    "jest": "^30.0.5",
-    "js-yaml": "^4.1.0",
-    "markdownlint-cli": "^0.45.0",
+    "eslint-plugin-jest": "^29.5.0",
+    "jest": "^30.2.0",
+    "js-yaml": "^4.1.1",
+    "markdownlint-cli": "^0.47.0",
     "nock": "^13.5.6",
-    "prettier": "^3.6.2",
-    "ts-jest": "^29.4.1",
-    "typescript": "^5.9.2",
-    "typescript-eslint": "^8.41.0",
+    "prettier": "^3.7.4",
+    "ts-jest": "^29.4.6",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.50.0",
     "undici": "^5.29.0"
   }
 }

src/attest.ts

@@ -1,6 +1,13 @@
-import { Attestation, Predicate, Subject, attest } from '@actions/attest'
+import {
+  Attestation,
+  Predicate,
+  Subject,
+  attest,
+  createStorageRecord
+} from '@actions/attest'
 import { attachArtifactToImage, getRegistryCredentials } from '@sigstore/oci'
 import { formatSubjectDigest } from './subject'
+import * as core from '@actions/core'
 
 const OCI_TIMEOUT = 30000
 const OCI_RETRY = 3
@@ -8,6 +15,7 @@ const OCI_RETRY = 3
 export type SigstoreInstance = 'public-good' | 'github'
 export type AttestResult = Attestation & {
   attestationDigest?: string
+  storageRecordIds?: number[]
 }
 
 export const createAttestation = async (
@@ -16,6 +24,7 @@ export const createAttestation = async (
   opts: {
     sigstoreInstance: SigstoreInstance
     pushToRegistry: boolean
+    createStorageRecord: boolean
     githubToken: string
   }
 ): Promise<AttestResult> => {
@@ -33,10 +42,11 @@ export const createAttestation = async (
   if (subjects.length === 1 && opts.pushToRegistry) {
     const subject = subjects[0]
     const credentials = getRegistryCredentials(subject.name)
+    const subjectDigest = formatSubjectDigest(subject)
     const artifact = await attachArtifactToImage({
       credentials,
       imageName: subject.name,
-      imageDigest: formatSubjectDigest(subject),
+      imageDigest: subjectDigest,
       artifact: Buffer.from(JSON.stringify(attestation.bundle)),
       mediaType: attestation.bundle.mediaType,
       annotations: {
@@ -48,7 +58,57 @@ export const createAttestation = async (
 
     // Add the attestation's digest to the result
     result.attestationDigest = artifact.digest
+
+    // Because creating a storage record requires the 'artifact-metadata:write'
+    // permission, we wrap this in a try/catch to avoid failing the entire
+    // attestation process if the token does not have the correct permissions.
+    if (opts.createStorageRecord) {
+      try {
+        const registryUrl = getRegistryURL(subject.name)
+        const artifactOpts = {
+          name: subject.name,
+          digest: subjectDigest
+        }
+        const packageRegistryOpts = {
+          registryUrl
+        }
+        const records = await createStorageRecord(
+          artifactOpts,
+          packageRegistryOpts,
+          opts.githubToken
+        )
+
+        if (!records || records.length === 0) {
+          core.warning('No storage records were created.')
+        }
+
+        result.storageRecordIds = records
+      } catch (error) {
+        core.warning(`Failed to create storage record: ${error}`)
+        core.warning(
+          'Please check that the "artifact-metadata:write" permission has been included'
+        )
+      }
+    }
   }
 
   return result
 }
+
+function getRegistryURL(subjectName: string): string {
+  let url: URL
+
+  try {
+    url = new URL(subjectName)
+  } catch {
+    url = new URL(`https://${subjectName}`)
+  }
+
+  if (url.protocol !== 'https:') {
+    throw new Error(
+      `Unsupported protocol ${url.protocol} in subject name ${subjectName}`
+    )
+  }
+
+  return url.origin
+}

src/index.ts

@@ -13,6 +13,7 @@ const inputs: RunInputs = {
   predicate: core.getInput('predicate'),
   predicatePath: core.getInput('predicate-path'),
   pushToRegistry: core.getBooleanInput('push-to-registry'),
+  createStorageRecord: core.getBooleanInput('create-storage-record'),
   showSummary: core.getBooleanInput('show-summary'),
   githubToken: core.getInput('github-token'),
   // undocumented -- not part of public interface

src/main.ts

@@ -21,6 +21,7 @@ const ATTESTATION_PATHS_FILE_NAME = 'created_attestation_paths.txt'
 export type RunInputs = SubjectInputs &
   PredicateInputs & {
     pushToRegistry: boolean
+    createStorageRecord: boolean
     githubToken: string
     showSummary: boolean
     privateSigning: boolean
@@ -69,6 +70,7 @@ export async function run(inputs: RunInputs): Promise<void> {
     const att = await createAttestation(subjects, predicate, {
       sigstoreInstance,
       pushToRegistry: inputs.pushToRegistry,
+      createStorageRecord: inputs.createStorageRecord,
       githubToken: inputs.githubToken
     })
 
@@ -100,6 +102,9 @@ export async function run(inputs: RunInputs): Promise<void> {
       core.setOutput('attestation-id', att.attestationID)
       core.setOutput('attestation-url', attestationURL(att.attestationID))
     }
+    if (att.storageRecordIds) {
+      core.setOutput('storage-record-ids', att.storageRecordIds.join(','))
+    }
 
     /* istanbul ignore else */
     if (inputs.showSummary) {
@@ -169,6 +174,11 @@ const logAttestation = (
     core.info(style.highlight('Attestation uploaded to registry'))
     core.info(`${subjects[0].name}@${attestation.attestationDigest}`)
   }
+
+  if (attestation.storageRecordIds && attestation.storageRecordIds.length > 0) {
+    core.info(style.highlight('Storage record created'))
+    core.info(`Storage record IDs: ${attestation.storageRecordIds.join(',')}`)
+  }
 }
 
 // Attach summary information to the GitHub Actions run