Create Artifact Metadata Storage Record on registry push

README.md

@@ -52,11 +52,13 @@ attest:
    permissions:
      id-token: write
      attestations: write
+     artifact-metadata: write
    ```
 
    The `id-token` permission gives the action the ability to mint the OIDC token
    necessary to request a Sigstore signing certificate. The `attestations`
-   permission is necessary to persist the attestation.
+   permission is necessary to persist the attestation. The `artifact-metadata`
+   permission is necessary to create the artifact storage record.
 
 1. Add the following to your workflow after your artifact has been built:
 
@@ -118,6 +120,12 @@ See [action.yml](action.yml)
     # the "subject-digest" parameter be specified. Defaults to false.
     push-to-registry:
 
+    # Whether to create a storage record for the artifact.
+    # Requires that push-to-registry is set to true.
+    # Requires that the "subject-name" parameter specify the fully-qualified
+    # image name. Defaults to true.
+    create-storage-record:
+
     # Whether to attach a list of generated attestations to the workflow run
     # summary page. Defaults to true.
     show-summary:
@@ -131,11 +139,12 @@ See [action.yml](action.yml)
 
 <!-- markdownlint-disable MD013 -->
 
-| Name              | Description                                                    | Example                                          |
-| ----------------- | -------------------------------------------------------------- | ------------------------------------------------ |
-| `attestation-id`  | GitHub ID for the attestation                                  | `123456`                                         |
-| `attestation-url` | URL for the attestation summary                                | `https://github.com/foo/bar/attestations/123456` |
-| `bundle-path`     | Absolute path to the file containing the generated attestation | `/tmp/attestation.json`                          |
+| Name                 | Description                                                    | Example                                          |
+| -------------------  | -------------------------------------------------------------- | ------------------------------------------------ |
+| `attestation-id`     | GitHub ID for the attestation                                  | `123456`                                         |
+| `attestation-url`    | URL for the attestation summary                                | `https://github.com/foo/bar/attestations/123456` |
+| `bundle-path`        | Absolute path to the file containing the generated attestation | `/tmp/attestation.json`                          |
+| `storage-record-ids` | GitHub IDs for the storage records                             | `987654`                                         |
 
 <!-- markdownlint-enable MD013 -->
 
@@ -269,6 +278,10 @@ fully-qualified image name (e.g. "ghcr.io/user/app" or
 "acme.azurecr.io/user/app"). Do NOT include a tag as part of the image name --
 the specific image being attested is identified by the supplied digest.
 
+If the `push-to-registry` option is set to true, the Action will also
+emit an Artifact Metadata Storage Record. If you do not want to emit a
+storage record, set `create-storage-record` to `false`.
+
 > **NOTE**: When pushing to Docker Hub, please use "docker.io" as the registry
 > portion of the image name.
 
@@ -287,6 +300,7 @@ jobs:
       packages: write
       contents: read
       attestations: write
+      artifact-metadata: write
     env:
       REGISTRY: ghcr.io
       IMAGE_NAME: ${{ github.repository }}

__tests__/main.test.ts

@@ -9,6 +9,7 @@ import * as core from '@actions/core'
 import * as github from '@actions/github'
 import { mockFulcio, mockRekor, mockTSA } from '@sigstore/mock'
 import * as oci from '@sigstore/oci'
+import * as attest from '@actions/attest'
 import fs from 'fs/promises'
 import nock from 'nock'
 import os from 'os'
@@ -19,6 +20,7 @@ import * as main from '../src/main'
 
 // Mock the GitHub Actions core library
 const infoMock = jest.spyOn(core, 'info')
+const warningMock = jest.spyOn(core, 'warning')
 const startGroupMock = jest.spyOn(core, 'startGroup')
 const setOutputMock = jest.spyOn(core, 'setOutput')
 const setFailedMock = jest.spyOn(core, 'setFailed')
@@ -45,6 +47,7 @@ const defaultInputs: main.RunInputs = {
   subjectPath: '',
   subjectChecksums: '',
   pushToRegistry: false,
+  createStorageRecord: true,
   showSummary: true,
   githubToken: '',
   privateSigning: false
@@ -66,13 +69,14 @@ describe('action', () => {
     'base64'
   )}.}`
 
-  const subjectName = 'registry/foo/bar'
+  const subjectName = 'ghcr.io/registry/foo/bar'
   const subjectDigest =
     'sha256:7d070f6b64d9bcc530fe99cc21eaaa4b3c364e0b2d367d7735671fa202a03b32'
   const predicate = '{}'
   const predicateType = 'https://in-toto.io/attestation/release/v0.1'
 
   const attestationID = '1234567890'
+  const storageRecordID = 987654321
 
   beforeEach(() => {
     jest.clearAllMocks()
@@ -82,14 +86,21 @@ describe('action', () => {
       .query({ audience: 'sigstore' })
       .reply(200, { value: oidcToken })
 
-    mockAgent
-      .get('https://api.github.com')
+    const pool = mockAgent.get('https://api.github.com')
+    pool
       .intercept({
         path: /^\/repos\/.*\/.*\/attestations$/,
         method: 'post'
       })
       .reply(201, { id: attestationID })
 
+    pool
+      .intercept({
+        path: /^\/orgs\/.*\/artifacts\/metadata\/storage-record$/,
+        method: 'post'
+      })
+      .reply(200, { storage_records: [{ id: storageRecordID }] })
+
     process.env = {
       ...originalEnv,
       ACTIONS_ID_TOKEN_REQUEST_URL: tokenURL,
@@ -263,6 +274,7 @@ describe('action', () => {
       expect(setFailedMock).not.toHaveBeenCalled()
       expect(getRegCredsSpy).toHaveBeenCalledWith(subjectName)
       expect(attachArtifactSpy).toHaveBeenCalled()
+      expect(warningMock).not.toHaveBeenCalled()
       expect(infoMock).toHaveBeenNthCalledWith(
         1,
         expect.stringMatching(
@@ -293,6 +305,14 @@ describe('action', () => {
         6,
         expect.stringMatching(attestationID)
       )
+      expect(infoMock).toHaveBeenNthCalledWith(
+        9,
+        expect.stringMatching('Storage record created')
+      )
+      expect(infoMock).toHaveBeenNthCalledWith(
+        10,
+        expect.stringMatching('Storage record IDs: 987654321')
+      )
       expect(setOutputMock).toHaveBeenNthCalledWith(
         1,
         'bundle-path',
@@ -308,8 +328,30 @@ describe('action', () => {
         'attestation-url',
         expect.stringContaining(`foo/bar/attestations/${attestationID}`)
       )
+      expect(setOutputMock).toHaveBeenNthCalledWith(
+        4,
+        'storage-record-ids',
+        expect.stringMatching(storageRecordID.toString())
+      )
       expect(setFailedMock).not.toHaveBeenCalled()
     })
+
+    it('catches error when storage record creation fails and continues', async () => {
+      // Mock the createStorageRecord function and throw an error
+      const createStorageRecordSpy = jest.spyOn(attest, 'createStorageRecord')
+      createStorageRecordSpy.mockRejectedValueOnce(
+        new Error('Failed to persist storage record: Not Found')
+      )
+
+      await main.run(inputs)
+
+      expect(runMock).toHaveReturned()
+      expect(setFailedMock).not.toHaveBeenCalled()
+      expect(warningMock).toHaveBeenNthCalledWith(
+        1,
+        expect.stringMatching('Failed to create storage record')
+      )
+    })
   })
 
   describe('when the subject count is greater than 1', () => {

action.yml

@@ -53,6 +53,12 @@ inputs:
       the "subject-digest" parameter be specified. Defaults to false.
     default: false
     required: false
+  create-storage-record:
+    description: >
+      Whether to create a storage record for the artifact.
+      Requires that push-to-registry is set to true. Defaults to true.
+    default: true
+    required: false
   show-summary:
     description: >
       Whether to attach a list of generated attestations to the workflow run
@@ -71,6 +77,8 @@ outputs:
     description: 'The ID of the attestation.'
   attestation-url:
     description: 'The URL for the attestation summary.'
+  storage-record-ids:
+    description: 'The IDs of the storage records created for the artifact.'
 
 runs:
   using: node24